CA-12 | Severity: High | Category: Enhanced Security
Conditional Access for Workload Identities
Conditional Access control for Microsoft 365 and Entra ID
Why This Control Matters
Service principals authenticate without user interaction and often hold broad permissions. Without CA policies, nothing constrains where or under what conditions a compromised service principal can authenticate: once its credential is stolen, it can be used from any location. Workload identity CA policies enable location-based and risk-based controls for these non-human identities.
Expected State
When this control is compliant, your tenant should meet these criteria:
- A Conditional Access policy targets service principal authentication
- High-risk workload identities are covered by risk-based policies
- The policy is in the enforced (not report-only) state
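The three criteria above can be checked directly against the policy objects a tenant returns. The following Python script is an added example, not TrueConfig's own code: it evaluates a list of Conditional Access policies in the shape of the Microsoft Graph conditionalAccessPolicy resource (the fields conditions.clientApplications.includeServicePrincipals, conditions.servicePrincipalRiskLevels and state are real Graph properties; the two sample policies are constructed for the example). In a real tenant the input would come from GET /identity/conditionalAccess/policies, which is not called here so the script runs offline.

```python
"""Evaluate Conditional Access policies against the CA-12 expected state:
(1) a policy targets service principal authentication, (2) high-risk workload
identities are covered, (3) the policy is enforced rather than report-only.
Policy dicts follow the Microsoft Graph conditionalAccessPolicy shape."""

ENFORCED = "enabled"  # other Graph values: "disabled", "enabledForReportingButNotEnforced"

# Constructed sample data for this example; not taken from any real tenant.
SAMPLE_POLICIES = [
    {   # report-only policy: blocks all workload identities outside trusted locations
        "displayName": "Block workload identities from untrusted locations",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientApplications": {
                "includeServicePrincipals": ["ServicePrincipalsInMyTenant"],
                "excludeServicePrincipals": [],
            },
            "servicePrincipalRiskLevels": [],
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # enforced policy: blocks workload identities that Identity Protection rates high risk
        "displayName": "Block high-risk workload identities",
        "state": "enabled",
        "conditions": {
            "clientApplications": {
                "includeServicePrincipals": ["ServicePrincipalsInMyTenant"],
                "excludeServicePrincipals": [],
            },
            "servicePrincipalRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def targets_service_principals(policy):
    """True if the client-applications condition includes any workload identity
    (either the tenant-wide value "ServicePrincipalsInMyTenant" or specific app IDs)."""
    apps = (policy.get("conditions") or {}).get("clientApplications") or {}
    return bool(apps.get("includeServicePrincipals"))


def covers_high_risk(policy):
    """True if the policy's service principal risk condition includes "high"."""
    risk = (policy.get("conditions") or {}).get("servicePrincipalRiskLevels") or []
    return "high" in risk


def is_enforced(policy):
    """True only for state "enabled"; report-only and disabled policies do not count."""
    return policy.get("state") == ENFORCED


def evaluate(policies):
    """Map each CA-12 criterion to the display names of policies that satisfy it."""
    sp = [p for p in policies if targets_service_principals(p)]
    return {
        "targets_service_principals": [p["displayName"] for p in sp],
        "high_risk_covered": [p["displayName"] for p in sp if covers_high_risk(p)],
        "enforced": [p["displayName"] for p in sp if is_enforced(p)],
    }


def is_compliant(policies):
    """CA-12 passes when an enforced policy targets workload identities and an
    enforced policy covers high-risk workload identities (one policy may do both)."""
    enforced_sp = [p for p in policies if targets_service_principals(p) and is_enforced(p)]
    return bool(enforced_sp) and any(covers_high_risk(p) for p in enforced_sp)


def findings(policies):
    """Deviations in plain language, matching the control's advisory (alert-only) mode."""
    out = []
    for p in policies:
        if targets_service_principals(p) and not is_enforced(p):
            out.append(f"{p['displayName']}: state is {p['state']}, not enforced")
    enforced_sp = [p for p in policies if targets_service_principals(p) and is_enforced(p)]
    if not enforced_sp:
        out.append("no enforced policy targets service principal authentication")
    if not any(covers_high_risk(p) for p in enforced_sp):
        out.append("no enforced policy covers high-risk workload identities")
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_POLICIES):
        print("deviation:", finding)
    print("compliant:", is_compliant(SAMPLE_POLICIES))
```

Run as-is, the script reports the report-only policy as a deviation while still marking the tenant compliant, because the second policy is enforced and covers high-risk workload identities. A policy created in report-only mode (as the auto-remediation described below does) will keep appearing as a deviation until its state is switched to enabled.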
Enforcement
Default Mode: Advisory. Alerts on deviations but does not make changes.
Auto-Remediation: Available. Creates a CA policy targeting workload identities in report-only mode. Requires a Workload Identities Premium license.
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.