xiand.ai
Apr 15, 2026 · Updated 12:01 AM UTC
Cybersecurity

Flawed Microsoft Entra ID configurations leave enterprise identities vulnerable

Security researchers at Compass Security warn that misconfigured Conditional Access policies in Microsoft Entra ID create significant gaps in enterprise protection.

Ryan Torres

2 min read


Security researchers at Compass Security are warning enterprise administrators that poorly designed Microsoft Entra ID Conditional Access policies are leaving critical identities unprotected during real-world security assessments.

In a recent technical analysis, researcher Christian Feuchter identified several recurring configuration errors that bypass intended security controls like multi-factor authentication (MFA) and device restrictions.

Many organizations attempt to secure high-value accounts by targeting specific user groups. However, Feuchter found that administrators frequently fail to include all relevant users in these groups, leaving a subset of the workforce entirely outside the scope of security policies.

Targeting gaps and configuration blind spots

Similar gaps exist when administrators target specific Entra ID roles. The research highlights that privileged roles are often left out of protection policies, particularly when those roles are scoped to specific Administrative Units.

Feuchter noted a specific Microsoft limitation: Conditional Access role targeting only matches tenant-wide role assignments and does not recognize scoped ones. This means a user holding the User Administrator role restricted to a single Administrative Unit is not caught by a policy that targets that role, and can bypass controls designed to protect all administrators.

Security gaps also appear when policies focus too narrowly on specific resources. For instance, enforcing phishing-resistant MFA only for the Microsoft Admin Portals target leaves administrators who perform the same sensitive actions through the Microsoft Graph API, for example from PowerShell or a script, outside that policy.

Over-complicating policies can also weaken security posture. Conditional Access is default-allow: a sign-in that matches no policy is granted with no control applied. Adding conditions such as specific network locations or device platforms therefore does not tighten a policy; it reduces the number of authentication events the policy covers.

Every additional condition is a further requirement that a sign-in must meet before the policy applies. A sign-in that misses any one of them falls outside the policy entirely and, unless another policy catches it, receives no control at all.
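The four gaps described above (a group that omits some admins, a role-targeted policy that ignores Administrative Unit-scoped assignments, a policy limited to the admin portals that misses Graph API access, and an "all users" policy narrowed by platform and location) can be checked offline against exported policy JSON. The script below is an added example written for this article, not code from Compass Security, Christian Feuchter or Microsoft. It uses the field names Microsoft Graph returns from /identity/conditionalAccess/policies, but every policy, user, group and role identifier in it is constructed for the demo; a real tenant carries GUIDs, and named locations are not modelled.

```python
"""Offline coverage check for Entra ID Conditional Access (CA) policies.

Added example; not code from Compass Security, Christian Feuchter or Microsoft.
Policies use Graph's field names, but all ids and objects below are constructed.
"""
from dataclasses import dataclass, field

ALL = "All"
ADMIN_PORTALS = "MicrosoftAdminPortals"              # Graph's well-known admin-portals target
GRAPH_API = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph app id


@dataclass
class User:
    id: str
    groups: set[str] = field(default_factory=set)
    # (roleTemplateId, directoryScopeId): "/" is tenant-wide; anything else is
    # an Administrative Unit or resource scope.
    roles: list[tuple[str, str]] = field(default_factory=list)


@dataclass
class SignIn:
    user: str
    app: str
    platform: str          # Graph platform names: "windows", "macOS", "iOS", ...
    trusted_location: bool


USERS = {  # constructed tenant
    "alice": User("alice", {"grp-ca-admins"}, [("role-global-admin", "/")]),
    "bob": User("bob", roles=[("role-user-admin", "/")]),  # admin, never added to the group
    "carol": User("carol", roles=[("role-user-admin", "/administrativeUnits/au-finance")]),
    "dave": User("dave"),
}

POLICIES = [  # constructed, in Graph's shape
    {"displayName": "Require MFA: admin group", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-ca-admins"]},
                    "applications": {"includeApplications": [ALL]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Phishing-resistant MFA: admin roles, admin portals only", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["role-global-admin", "role-user-admin"]},
                    "applications": {"includeApplications": [ADMIN_PORTALS]}},
     "grantControls": {"authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
    {"displayName": "MFA: all users, Windows, outside trusted network", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ALL]},
                    "applications": {"includeApplications": [ALL]},
                    "platforms": {"includePlatforms": ["windows"]},
                    "locations": {"includeLocations": [ALL], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def user_in_scope(cond: dict, user: User) -> bool:
    """CA user targeting. Role targeting matches tenant-wide assignments only;
    an AU- or resource-scoped assignment of the same role is not recognised."""
    tenant_wide = {role for role, scope in user.roles if scope == "/"}
    included = (ALL in cond.get("includeUsers", []) or user.id in cond.get("includeUsers", [])
                or bool(user.groups & set(cond.get("includeGroups", [])))
                or bool(tenant_wide & set(cond.get("includeRoles", []))))
    excluded = (user.id in cond.get("excludeUsers", [])
                or bool(user.groups & set(cond.get("excludeGroups", []))))
    return included and not excluded


def _location_match(entries: list[str], s: SignIn) -> bool:
    # Only the All / AllTrusted selectors are modelled, not named-location ids.
    return ALL in entries or ("AllTrusted" in entries and s.trusted_location)


def policy_applies(policy: dict, s: SignIn, user: User) -> bool:
    """True when every condition the policy carries matches the sign-in. Each
    extra condition is a further AND; CA is default-allow, so a sign-in that
    misses any one of them gets no control from this policy."""
    c = policy["conditions"]
    if policy["state"] != "enabled" or not user_in_scope(c["users"], user):
        return False
    apps = c["applications"]["includeApplications"]
    if ALL not in apps and s.app not in apps:
        return False
    platforms = c.get("platforms", {}).get("includePlatforms", ["all"])
    if "all" not in platforms and s.platform not in platforms:
        return False
    loc = c.get("locations")
    if loc and (not _location_match(loc.get("includeLocations", []), s)
                or _location_match(loc.get("excludeLocations", []), s)):
        return False
    return True


def controls_for(s: SignIn, policies=POLICIES, users=USERS) -> set[str]:
    """Grant controls the sign-in must satisfy; an empty set means access is
    granted with no Conditional Access control at all."""
    required: set[str] = set()
    for p in policies:
        if policy_applies(p, s, users[s.user]):
            g = p["grantControls"]
            required.update(g.get("builtInControls", []))
            if "authenticationStrength" in g:
                required.add(g["authenticationStrength"]["displayName"])
    return required


def unprotected_admins(app: str, platform: str, trusted: bool,
                       policies=POLICIES, users=USERS) -> list[str]:
    """Role holders (scoped or tenant-wide) who reach `app` with no control."""
    return sorted(u.id for u in users.values() if u.roles
                  and not controls_for(SignIn(u.id, app, platform, trusted), policies, users))


if __name__ == "__main__":
    print(unprotected_admins(GRAPH_API, "macOS", trusted=False))      # ['bob', 'carol']
    print(unprotected_admins(ADMIN_PORTALS, "macOS", trusted=False))  # ['carol']
```

Run against the constructed tenant, bob (a tenant-wide User Administrator who was never added to the admin group) reaches the Graph API with no control because the role policy covers only the admin portals, and carol (User Administrator scoped to one Administrative Unit) reaches even the admin portals unchallenged from a macOS device because the role-targeted policy does not see her scoped assignment and the "all users" policy is restricted to Windows. To use the same check on a real tenant, replace the constructed USERS and POLICIES with the output of the Graph policy, group-membership and role-assignment endpoints (including each assignment's directoryScopeId).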
