Conditional Access Policy Exclusions
You should always add exclusions to conditional access policies to ensure that a misconfigured policy doesn't accidentally lock you out of your own Azure tenant.
Create an Active Directory group for Exclusions
Create an AD Group to use for policy exclusions and add any users you want to exclude from the policy to the group.
Add at least one Global Administrator account to the exclude group to use as an emergency access account to prevent locking yourself out of your tenant.
You should also add your own global admin account to the exclude list when creating policies.
Example AD Group: CAP Azure Exclude from CA
Example Conditional Access Policy: Exclude users and groups
AD group for Exclusions: CAP Azure Exclude from CA
Your own global admin account used when creating the policy
You might also need to exclude some service accounts from conditional access policies. For example: backup accounts, AD sync account and other service accounts that might interact with Azure or Office 365.
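To check that the exclusion group described above is applied to every policy, the following added example (not part of the original post) audits an export of conditional access policies. It assumes the export has the shape returned by Microsoft Graph for conditionalAccessPolicy objects; the sample data, the IDs and the function name audit_exclusions are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects. All IDs below are placeholders, not real tenant values.
EXCLUDE_GROUP_ID = "00000000-0000-0000-0000-00000000e0c1"  # "CAP Azure Exclude from CA"
BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000b6"    # emergency access account

SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeGroups": ["00000000-0000-0000-0000-00000000e0c1"]}}},
  {"displayName": "Block legacy authentication", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}}},
  {"displayName": "Require compliant device", "state": "disabled",
   "conditions": {"users": {"includeUsers": ["All"]}}},
  {"displayName": "Block untrusted locations",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}}
]}
""")

def audit_exclusions(export, group_id, group_members):
    """Return (policy name, reason) for policies that can lock out the admins.

    group_members: user IDs currently in the exclusion group. An empty group
    protects nobody, so that is reported as a finding of its own.
    """
    findings = []
    if not group_members:
        findings.append(("<exclusion group>", "group has no members"))
    for policy in export.get("value", []):
        state = policy.get("state", "")
        if state == "disabled":
            continue  # a disabled policy cannot lock anyone out
        # Graph may return null for unset fields, so fall back to empty values.
        users = (policy.get("conditions") or {}).get("users") or {}
        if group_id in (users.get("excludeGroups") or []):
            continue
        reason = "exclusion group missing"
        if state == "enabledForReportingButNotEnforced":
            reason += " (report-only, fix before enforcing)"
        findings.append((policy.get("displayName", "<unnamed>"), reason))
    return findings

if __name__ == "__main__":
    for name, reason in audit_exclusions(SAMPLE_EXPORT, EXCLUDE_GROUP_ID, [BREAK_GLASS_ID]):
        print(f"{name}: {reason}")
```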