Tags: Entra ID, Conditional Access, MFA bypass, identity

The policy that only looked like a wall (Conditional Access bypass)

Conditional Access is only as strong as its gaps: a legacy protocol, an excluded app, an unmanaged path. Attackers find the seam and walk around the policy. Here is how, and how to close the gaps.

Attack flow
1. Enumerate Conditional Access gaps
2. Pick a legacy protocol or excluded app
3. Authenticate through the unguarded path
4. Skip MFA / device checks
5. Access the tenant

Seen in the wild: Scattered Spider (Octo Tempest), Midnight Blizzard (APT29)

A policy that covers ninety percent of your sign-ins is a wall with a door in it. Attackers look for the door.

What it is

Entra Conditional Access enforces MFA, device compliance, and location rules, but only on the sign-ins it actually evaluates. Attackers probe for the ones it does not: legacy authentication protocols (IMAP, POP, SMTP AUTH, Exchange ActiveSync) that cannot carry modern controls, applications, groups or service accounts excluded from policy, and policies left in report-only mode, which log what they would have done and enforce nothing. They then authenticate through that path with valid credentials. In ATT&CK terms this is T1078 (Valid Accounts, here T1078.004 Cloud Accounts) paired with T1556 (Modify Authentication Process): MFA is not broken, it is simply never asked for.

Why it works

Coverage gaps are common (legacy auth left on for one mailbox, an exclusion added for a troublesome app or service account, a policy that never left report-only, the break-glass accounts), and one uncovered path is enough. The login itself is valid: right username, right password, so nothing fails and nothing alerts. The policy did not reject the sign-in; it never evaluated it.

How to detect it

Look for successful sign-ins where clientAppUsed is a legacy protocol (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients"), sign-ins where conditionalAccessStatus is notApplied, report-only policies whose result is reportOnlyFailure, and sign-ins to excluded apps or from noncompliant devices that succeeded anyway. Then compare the sign-in log against the policy set as it actually exists, not as the design document describes it.
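The checks above, run over sign-in records in the Microsoft Graph signIn schema (the shape you get from GET /auditLogs/signIns or a JSON export of the sign-in log). This is an added example, not code from the original note or from Microsoft; the sample records are constructed, the list of legacy clientAppUsed strings should be confirmed against your own tenant, and the excluded-app set is an assumption you would fill from your own policy review.

```python
"""Triage Entra ID sign-in log entries for Conditional Access gaps.

Records use the Microsoft Graph signIn schema (GET /auditLogs/signIns).
SAMPLE_SIGNINS below is constructed for this example, not real tenant data.
"""

# clientAppUsed values Entra reports for legacy (basic) authentication.
# Confirm the exact strings against your own tenant's sign-in logs.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
}
# Report-only results meaning "this policy would have stopped the sign-in".
REPORT_ONLY_WOULD_BLOCK = {"reportOnlyFailure", "reportOnlyInterrupted"}


def triage(signin, excluded_apps=frozenset()):
    """Reasons a successful sign-in deserves review (empty list if none).

    excluded_apps: appDisplayName values your policies exclude. Populating it
    from your own policy review is an assumption of this example.
    """
    reasons = []
    if signin.get("status", {}).get("errorCode", 0) != 0:
        return reasons  # failed sign-in: nothing got through

    client = signin.get("clientAppUsed")
    if client in LEGACY_CLIENT_APPS:
        reasons.append(f"legacy authentication protocol ({client})")
    if signin.get("conditionalAccessStatus") == "notApplied":
        reasons.append("no Conditional Access policy applied")
    for policy in signin.get("appliedConditionalAccessPolicies", []):
        if policy.get("result") in REPORT_ONLY_WOULD_BLOCK:
            reasons.append(f"report-only policy would have blocked: {policy.get('displayName')}")
    app = signin.get("appDisplayName")
    if app in excluded_apps:
        reasons.append(f"sign-in to excluded application ({app})")
    # A device Entra does not consider compliant (or does not know at all) got in
    # on a password alone. The single-factor condition is a noise filter.
    if (signin.get("deviceDetail", {}).get("isCompliant") is False
            and signin.get("authenticationRequirement") == "singleFactorAuthentication"):
        reasons.append("noncompliant or unregistered device with single-factor auth")
    return reasons


def find_gaps(signins, excluded_apps=frozenset()):
    """Map sign-in id -> reasons for every sign-in with at least one reason."""
    return {s["id"]: r for s in signins if (r := triage(s, excluded_apps))}


OK = {"errorCode": 0}
SAMPLE_SIGNINS = [  # constructed records
    # IMAP with a password; no policy ever evaluated it
    {"id": "s1", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"isCompliant": False}, "status": OK},
    # the sign-in the policy was designed for
    {"id": "s2", "appDisplayName": "Microsoft 365 Portal", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success"}],
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"isCompliant": True}, "status": OK},
    # compliant-device policy still in report-only: it watched and did nothing
    {"id": "s3", "appDisplayName": "SharePoint Online", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA", "result": "success"},
         {"displayName": "Require compliant device", "result": "reportOnlyFailure"}],
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"isCompliant": False}, "status": OK},
    # an application someone excluded "temporarily"
    {"id": "s4", "appDisplayName": "Legacy Timesheet Portal",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"isCompliant": True}, "status": OK},
    # failed POP3 attempt (bad password): noisy, but nothing got in
    {"id": "s5", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "POP3",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"isCompliant": False}, "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    for sid, reasons in find_gaps(SAMPLE_SIGNINS, {"Legacy Timesheet Portal"}).items():
        print(sid, "->", "; ".join(reasons))
```

Run it as-is to see s1, s3 and s4 flagged and s2 and s5 ignored. The report-only finding on s3 is the one teams most often miss: conditionalAccessStatus reads "success", and only the per-policy result list shows that the compliant-device policy would have blocked the sign-in had it been enforced.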

The fix that holds

Block legacy authentication with an enforced policy scoped to all users and all cloud apps; minimize Conditional Access exclusions and review the ones that remain on a schedule, because they accumulate; require compliant devices and phishing-resistant MFA (FIDO2 security keys, certificate-based authentication, Windows Hello for Business) broadly rather than per app; and move report-only policies to enforced once their logs show no unexpected impact. Exclude only the break-glass accounts, and guard those tightly: credentials stored offline, no standing use, and an alert on every sign-in.
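Checking a policy set for these gaps is mechanical once the policies are in hand, and worth automating because exclusions drift. The audit below reads policy objects in the Microsoft Graph conditionalAccessPolicy schema (what GET /identity/conditionalAccess/policies returns) and reports the gaps this note describes: no enforced tenant-wide block on legacy client app types, policies stuck in report-only, user, group and application exclusions, and policies scoped to a subset of users. It is an added example, not code from the original note or from Microsoft; the sample tenant, its policy names and every ID in it are constructed placeholders, and the set of "registered" break-glass IDs is an input you would supply.

```python
"""Audit Conditional Access policy definitions for coverage gaps.

Policies use the Microsoft Graph conditionalAccessPolicy schema
(GET /identity/conditionalAccess/policies). SAMPLE_POLICIES and every ID
in it are constructed placeholders for this example.
"""

LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
ALL_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients"} | LEGACY_CLIENT_APP_TYPES


def _covers_everyone(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def _covers_all_apps(policy):
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def _client_app_types(policy):
    types = set(policy["conditions"].get("clientAppTypes", []))
    return ALL_CLIENT_APP_TYPES if "all" in types else types


def blocks_legacy_auth(policy):
    """True if this policy alone hard-blocks legacy protocols for all users and apps."""
    grant = policy.get("grantControls") or {}
    return (
        policy["state"] == "enabled"
        and _covers_everyone(policy)
        and _covers_all_apps(policy)
        and LEGACY_CLIENT_APP_TYPES <= _client_app_types(policy)
        and "block" in grant.get("builtInControls", [])
    )


def audit(policies, break_glass_ids=frozenset()):
    """Human-readable findings. break_glass_ids are the user object IDs whose
    exclusion is deliberate; any other excluded user is a finding."""
    findings = []
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("no enforced policy blocks legacy authentication for all users and all apps")
    for p in policies:
        name = p["displayName"]
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: report-only, logs but enforces nothing")
            continue
        if p["state"] != "enabled":
            continue
        users = p["conditions"]["users"]
        apps = p["conditions"]["applications"]
        for uid in users.get("excludeUsers", []):
            if uid not in break_glass_ids:
                findings.append(f"{name}: excludes user {uid}, not a registered break-glass account")
        for gid in users.get("excludeGroups", []):
            findings.append(f"{name}: excludes group {gid}, review its membership")
        for app in apps.get("excludeApplications", []):
            findings.append(f"{name}: excludes application {app}")
        if not _covers_everyone(p):
            findings.append(f"{name}: scoped to selected users or groups, not All")
    return findings


def enforced(policy):
    """Copy of a report-only policy switched to enforced (the fix for that finding)."""
    return {**policy, "state": "enabled"}


BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000b9"  # placeholder object ID
SAMPLE_POLICIES = [  # constructed tenant
    {   # the right policy, never moved out of report-only
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {   # broad MFA policy with the usual accumulated exclusions
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID],
                      "excludeGroups": ["grp-service-accounts"]},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": ["app-legacy-timesheet"]},
            "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {   # device compliance only for one department
        "displayName": "Require compliant device (finance)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": ["grp-finance"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES, {BREAK_GLASS_ID}):
        print("-", finding)
```

Against the constructed tenant the audit returns five findings; switching the legacy-auth policy to enforced with `enforced()` removes both the tenant-wide finding and the report-only one, leaving the three exclusion and scoping findings that need a human decision. Passing no break-glass IDs adds a sixth finding for the excluded account, which is the behaviour you want: an exclusion is only acceptable when someone has written down why it exists.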

Practice it

We built a Conditional Access bypass scenario in GraphLattice Range so teams learn to find the gaps before an attacker does.