DevOps AI ToolKit

Entra Conditional Access Policy Review Prompt

Review a set of Conditional Access policies for coverage gaps, conflicting grants, risky exclusions, and lockout hazards, and produce a prioritized hardening plan that strengthens access without breaking break-glass accounts.

Target user
Identity and security engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior Entra ID security engineer who reviews Conditional Access (CA) policies for gaps, conflicts, and lockout risk.

I will provide:
- The CA policy export (JSON from Microsoft Graph `GET /identity/conditionalAccess/policies`, or the portal's JSON view): for each policy its state (enabled, disabled, or enabledForReportingButNotEnforced), conditions.users (includeUsers/Groups/Roles and excludeUsers/Groups/Roles), conditions.applications (includeApplications/excludeApplications), the remaining conditions (clientAppTypes, locations, platforms, signInRiskLevels, userRiskLevels), and grantControls (operator plus builtInControls such as mfa, compliantDevice, domainJoinedDevice, or block)
- The list of break-glass/emergency accounts and which groups they live in
- Tenant context: licensing (P1/P2), whether security defaults are off, and named locations defined

Your job:

1. **Map coverage** — build a matrix of which users, apps, and client app types an enforced policy actually protects (report-only policies do not count), and find the gaps (legacy auth not blocked, admin roles without MFA, guests and external users unconstrained, mobile/desktop apps uncovered).
2. **Find conflicts** — flag where a block policy and a grant policy overlap (block always wins), or where overlapping policies create unexpected combined requirements.
3. **Audit exclusions** — scrutinize excludeUsers/Groups/Roles for over-broad exemptions, stale accounts, nested groups, or exclusions that quietly defeat the policy's intent; confirm the break-glass accounts are excluded from every policy that could block them (at minimum all MFA- and device-requiring policies) and that their sign-ins are alerted on.
4. **Check high-value targets** — verify policies requiring MFA + compliant device for admin roles, blocking legacy authentication, and applying sign-in/user risk policies if P2 is licensed.
5. **Assess lockout risk** — identify any change that could lock out every admin (e.g. requiring a compliant device when no admin device is enrolled, or a block policy whose exclusions omit the break-glass accounts) and lay out a report-only (enabledForReportingButNotEnforced) rollout path with sign-in log review before enforcement.

Output as: (a) coverage matrix with gaps, (b) conflict and risky-exclusion findings, (c) prioritized hardening recommendations with the specific grant/condition to add, (d) a report-only validation plan and break-glass safety check before enforcement.

Stay read-only and advisory: do not enable, modify, or delete policies — recommend changes for staged report-only rollout, since a misconfigured CA policy can lock every admin out of the tenant.
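The checks the prompt asks for in steps 1 to 5 can be scripted before the export ever reaches a model. The script below is an added example, not part of the original prompt and not Microsoft tooling: it runs the legacy-auth, admin-MFA, client-type gap, break-glass, exclusion and overlap checks over a constructed four-policy export shaped like the Graph response. Policy names, the `bg-group-0001` break-glass group and the `sg-mfa-exempt` group are placeholders; the Global Administrator role template ID is the well-known one. It only reads a list of dicts and returns strings, so it is read-only by construction.

```python
# Added, hypothetical example: POLICIES is a constructed sample shaped like the
# GET /identity/conditionalAccess/policies response, not a real tenant export.
from itertools import combinations

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # role template ID for Global Administrator
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}
BREAK_GLASS_GROUPS = {"bg-group-0001"}  # placeholder group ID, not a real object ID

POLICIES = [
    {"displayName": "CA001 Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["bg-group-0001"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA002 MFA for Global Admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeGroups": ["bg-group-0001"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA003 MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["bg-group-0001", "sg-mfa-exempt"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA004 Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

def users(p):
    return p["conditions"]["users"]

def clients(p):
    return set(p["conditions"].get("clientAppTypes", []))

def controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def enforced(p):
    return p["state"] == "enabled"  # report-only evaluates but never blocks

def tenant_wide(p):
    return ("All" in users(p).get("includeUsers", [])
            and "All" in p["conditions"]["applications"].get("includeApplications", []))

def check_legacy_auth(policies):
    blocked = any(enforced(p) and "block" in controls(p) and tenant_wide(p)
                  and LEGACY_CLIENTS <= clients(p) for p in policies)
    return [] if blocked else ["HIGH: no enforced policy blocks legacy authentication"]

def check_admin_mfa(policies):
    admin_mfa = [p for p in policies if "mfa" in controls(p)
                 and GLOBAL_ADMIN_ROLE in users(p).get("includeRoles", [])]
    if not admin_mfa:
        return ["HIGH: no policy targets the Global Administrator role with MFA"]
    return [f"HIGH: {p['displayName']} is {p['state']}, so admin MFA is not enforced"
            for p in admin_mfa if not enforced(p)]

def check_client_gaps(policies):
    # An enforced tenant-wide grant that omits a modern client type leaves that channel unprotected.
    return [f"MEDIUM: {p['displayName']} leaves {sorted(MODERN_CLIENTS - clients(p))} uncovered"
            for p in policies if enforced(p) and tenant_wide(p)
            and "block" not in controls(p) and not MODERN_CLIENTS <= clients(p)]

def check_break_glass(policies, bg_groups):
    # Any non-disabled policy that can apply to break-glass accounts is a lockout hazard.
    return [f"LOCKOUT: {p['displayName']} does not exclude a break-glass group"
            for p in policies if p["state"] != "disabled"
            and not bg_groups & set(users(p).get("excludeGroups", []))]

def check_exclusions(policies, bg_groups):
    return [f"REVIEW: {p['displayName']} excludes group {g}; confirm it is intended and not stale"
            for p in policies for g in users(p).get("excludeGroups", []) if g not in bg_groups]

def check_overlaps(policies):
    findings = []
    for a, b in combinations([p for p in policies if enforced(p) and tenant_wide(p)], 2):
        shared = clients(a) & clients(b)
        if not shared:
            continue
        if ("block" in controls(a)) != ("block" in controls(b)):
            findings.append(f"CONFLICT: {a['displayName']} and {b['displayName']} overlap on "
                            f"{sorted(shared)}; block wins")
        else:
            findings.append(f"INFO: {a['displayName']} and {b['displayName']} combine to "
                            f"{sorted(controls(a) | controls(b))} on {sorted(shared)}")
    return findings

def review(policies=POLICIES, bg_groups=BREAK_GLASS_GROUPS):
    return (check_legacy_auth(policies) + check_admin_mfa(policies) + check_client_gaps(policies)
            + check_break_glass(policies, bg_groups) + check_exclusions(policies, bg_groups)
            + check_overlaps(policies))

if __name__ == "__main__":
    print("\n".join(review()))
```

On the sample this reports five findings: admin MFA exists only in report-only (CA002), the all-users MFA policy misses mobile and desktop clients (CA003), the compliant-device policy does not exclude the break-glass group (CA004, the lockout hazard), one non-break-glass exclusion to confirm (sg-mfa-exempt), and the combined MFA plus compliant-device requirement where CA003 and CA004 overlap on browser sign-ins. To run it against a real tenant, replace POLICIES with the `value` array from the Graph export; the script deliberately does not model nested group membership, role-assignable groups, named locations or device filters, which still need the manual review the prompt asks for.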
