Require MFA via Conditional Access Policy for Professional Services & Consulting

Professional Services & Consulting organizations face specific regulatory requirements including soc2, iso27001, cis. The CA-01 control helps address these requirements by:

• At least one Conditional Access policy requires MFA for all users
• Policy applies to all cloud applications
• Emergency access accounts are excluded
• Policy state is Enabled (not Report-only)

Conditional Access policies provide granular MFA enforcement with proper exclusions. Unlike Security Defaults, CA policies allow you to exclude emergency access accounts while still protecting all users.

When implementing CA-01 in a professional services & consulting environment, consider:

• **Regulatory requirements**: soc2, iso27001, cis may mandate specific configurations
• **Risk tolerance**: Professional Services & Consulting organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

CA-01 requires the following configuration:

• At least one Conditional Access policy requires MFA for all users
• Policy applies to all cloud applications
• Emergency access accounts are excluded
• Policy state is Enabled (not Report-only)

Creates a Conditional Access policy requiring MFA for all users

With TrueConfig, you can implement this control automatically using our one-click remediation feature.