---
name: Conditional Access Coverage Gap Analysis
description: Find users, apps, and sign-ins outside Conditional Access coverage, surfacing MFA, compliant-device, and legacy-auth gaps for Essential Eight assurance.
---

# Conditional Access Coverage Gap Analysis

> **TL;DR:** This skill reads your Microsoft Entra Conditional Access policies and sign-in activity to find users, apps, and logins that no policy protects, then ranks each gap by risk so you can close the most dangerous exposure first.

## What Conditional Access coverage gaps mean in Microsoft Entra

Microsoft Entra Conditional Access is the policy engine that decides whether a sign-in is allowed, blocked, or challenged for multi-factor authentication (MFA) or a compliant device. A coverage gap exists when a user, cloud application, or sign-in path falls outside every enabled policy, or when overlapping policies conflict and leave an exclusion. This skill analyses those policies alongside real sign-in telemetry so you can see exactly where MFA, compliant-device, or legacy-authentication blocking is not being enforced. It complements Microsoft Purview audit reviews by confirming that the identity perimeter protecting Microsoft 365 and Microsoft 365 Copilot is actually applied.

## When should you run this skill?

- "Which users can sign in to Microsoft 365 without any MFA requirement?"
- "Show me cloud apps that no Conditional Access policy covers."
- "Are legacy authentication protocols still allowed anywhere in our tenant?"
- "We just onboarded a department; are they inside our Conditional Access scope?"
- "Find break-glass or excluded accounts that bypass our compliant-device rules."
- "Do any of our Conditional Access policies conflict or overlap with each other?"
- "Prepare an Essential Eight MFA assurance report before our next audit."

## How this skill works, step by step

1. Connect read-only to Microsoft Entra and enumerate every Conditional Access policy, including its state (report-only, on, or off).
2. Resolve the assignment scope of each policy: included and excluded users, groups, roles, cloud apps, and conditions.
3. Build a coverage matrix mapping users and applications to the policies that apply, flagging anyone excluded from all of them.
4. Inspect grant controls to identify where MFA, compliant device, or hybrid join is required versus absent.
5. Detect legacy-authentication exposure by checking for enabled policies that block legacy clients, and flag every user and app scope that none of them covers.
6. Cross-reference recent sign-in logs to confirm whether uncovered identities and apps are actually being used.
7. Identify policy conflicts, redundant exclusions, and report-only policies that never moved to enforcement.
8. Derive a risk score per gap from privilege level, app sensitivity, sign-in volume, and the specific control missing.
9. Compile the prioritised findings into a structured report for review.
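The coverage-matrix part of this procedure (steps 2 to 5 and 7) can be reproduced offline against exported policy JSON. The script below is an added example, not code from the skill or from Microsoft; it works on dictionaries shaped like the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.applications`, `conditions.clientAppTypes`, `grantControls`). The tenant, users, groups, apps and policies are all constructed, and the legacy-auth check is deliberately conservative: only an explicit `block` grant on legacy client types counts as coverage.

```python
"""Coverage-matrix evaluator for Conditional Access policies (added example).

Policy dictionaries mirror the Microsoft Graph conditionalAccessPolicy
resource. Every tenant name, user, group and policy below is constructed.
"""

ALL = "All"                       # Graph uses the literal "All" in include lists
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients"}

# Constructed directory: user -> group and directory-role memberships.
USERS = {
    "alice@contoso.example":       {"groups": {"grp-staff"}, "roles": set()},
    "bob-admin@contoso.example":   {"groups": {"grp-staff"}, "roles": {"role-global-admin"}},
    "svc-billing@contoso.example": {"groups": set(),         "roles": set()},
}
APPS = {"Office365", "app-sales-reporting"}

def _users(include=(ALL,), exclude=(), include_groups=(), exclude_groups=()):
    return {"includeUsers": list(include), "excludeUsers": list(exclude),
            "includeGroups": list(include_groups), "excludeGroups": list(exclude_groups),
            "includeRoles": [], "excludeRoles": []}

POLICIES = [
    {   # Enforced MFA for Office 365, but the billing service account is excluded.
        "displayName": "Baseline MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": _users(exclude=["svc-billing@contoso.example"]),
            "applications": {"includeApplications": ["Office365"], "excludeApplications": []},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Legacy-auth block that was never moved out of report-only mode.
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": _users(),
            "applications": {"includeApplications": [ALL], "excludeApplications": []},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

def user_in_scope(policy, upn, directory):
    """Exclusions always win over inclusions, as in Entra's own evaluation."""
    u = policy["conditions"]["users"]
    groups, roles = directory[upn]["groups"], directory[upn]["roles"]
    if upn in u["excludeUsers"] or groups & set(u["excludeGroups"]) or roles & set(u["excludeRoles"]):
        return False
    return (ALL in u["includeUsers"] or upn in u["includeUsers"]
            or bool(groups & set(u["includeGroups"])) or bool(roles & set(u["includeRoles"])))

def app_in_scope(policy, app):
    a = policy["conditions"]["applications"]
    if app in a["excludeApplications"]:
        return False
    return ALL in a["includeApplications"] or app in a["includeApplications"]

def enforced_controls(policy):
    """Report-only and disabled policies enforce nothing, whatever they grant."""
    return set(policy["grantControls"]["builtInControls"]) if policy["state"] == "enabled" else set()

def coverage_matrix(policies, directory, apps):
    """Map (user, app) -> enforced modern-client controls, legacy-block state, report-only hits."""
    matrix = {}
    for upn in directory:
        for app in sorted(apps):
            cell = {"controls": set(), "legacy_blocked": False, "report_only": []}
            for p in policies:
                if not (user_in_scope(p, upn, directory) and app_in_scope(p, app)):
                    continue
                if p["state"] == "enabledForReportingButNotEnforced":
                    cell["report_only"].append(p["displayName"])
                ctrls = enforced_controls(p)
                types = set(p["conditions"]["clientAppTypes"])
                if types & (MODERN_CLIENT_TYPES | {"all"}):
                    cell["controls"] |= ctrls
                # Conservative: only an explicit block on legacy client types counts.
                if "block" in ctrls and types & (LEGACY_CLIENT_TYPES | {"all"}):
                    cell["legacy_blocked"] = True
            matrix[(upn, app)] = cell
    return matrix

def find_gaps(matrix):
    """Return (user, app, missing control) triples, the raw input for the ranked report."""
    gaps = []
    for (upn, app), cell in sorted(matrix.items()):
        if "mfa" not in cell["controls"]:
            gaps.append((upn, app, "MFA"))
        if "compliantDevice" not in cell["controls"]:
            gaps.append((upn, app, "Compliant device"))
        if not cell["legacy_blocked"]:
            gaps.append((upn, app, "Legacy-auth block"))
    return gaps

def stale_report_only(policies):
    """Policies stuck in report-only mode: the coverage they appear to give is not enforced."""
    return [p["displayName"] for p in policies if p["state"] == "enabledForReportingButNotEnforced"]

if __name__ == "__main__":
    for gap in find_gaps(coverage_matrix(POLICIES, USERS, APPS)):
        print("GAP  %-28s %-20s missing %s" % gap)
    print("Report-only, never enforced:", stale_report_only(POLICIES))
```

Running it shows the three kinds of gap the skill reports: the excluded service account has no MFA on Office 365, the Sales Reporting app sits outside the MFA policy entirely, and nobody has a legacy-auth block because the blocking policy never left report-only mode. Real policies also carry platform, location and sign-in-risk conditions; a production evaluator would narrow scope on those in the same way.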

## Output format

The skill produces a ranked table of coverage gaps followed by a summary.

| Identity / app | Gap type | Missing control | Risk score | Recommended action |
| --- | --- | --- | --- | --- |
| `svc-billing@contoso.com` | User excluded from all policies | MFA | High | Add to baseline MFA policy or document break-glass exception |
| Legacy IMAP/POP | Protocol not blocked | Legacy-auth block | Critical | Enable policy blocking legacy authentication tenant-wide |
| Sales Reporting app | App outside policy scope | Compliant device | Medium | Extend device-compliance policy to include this app |

The summary that follows the table includes:

- Total policies analysed, including count of report-only and disabled policies.
- Number of users and cloud apps with no enforced MFA, compliant-device, or legacy-auth control.
- Detected policy conflicts and redundant exclusions.
- Top prioritised remediation actions ordered by risk score.
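Steps 6 and 8 of the procedure, confirming that uncovered paths are actually used and ranking them, can be illustrated over sign-in telemetry. The script below is an added example, not the skill's own code; it reads records shaped like the Microsoft Graph `signIn` resource, where `conditionalAccessStatus` of `notApplied` means no policy evaluated that sign-in, and `clientAppUsed` names the protocol. The identities, apps, privileged-account list, sensitivity list and scoring weights are all constructed assumptions; the risk bands are chosen only to reproduce the table layout above.

```python
"""Sign-in cross-reference and risk ranking for Conditional Access gaps (added example).

Records mirror the Microsoft Graph signIn fields used here: userPrincipalName,
appDisplayName, clientAppUsed and conditionalAccessStatus ("success",
"failure" or "notApplied"). Identities, apps and weights are constructed.
"""
from collections import defaultdict

# clientAppUsed values Graph reports for legacy protocols.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
PRIVILEGED = {"bob-admin@contoso.example"}        # constructed: accounts holding a directory role
SENSITIVE_APPS = {"Office 365 Exchange Online"}   # constructed app-sensitivity list

def _signin(upn, app, client, status):
    return {"userPrincipalName": upn, "appDisplayName": app,
            "clientAppUsed": client, "conditionalAccessStatus": status}

SIGNINS = (  # constructed sample telemetry
    [_signin("svc-billing@contoso.example", "Office 365 Exchange Online", "IMAP4", "notApplied")] * 3
    + [_signin("alice@contoso.example", "Sales Reporting", "Browser", "notApplied")] * 2
    + [_signin("bob-admin@contoso.example", "Office 365 Exchange Online", "Browser", "notApplied")]
    + [_signin("alice@contoso.example", "Office 365 Exchange Online", "Browser", "success")] * 2
)

def uncovered_signins(signins):
    """Aggregate sign-ins that no policy evaluated ("notApplied") per (user, app)."""
    agg = defaultdict(lambda: {"volume": 0, "legacy": False})
    for s in signins:
        if s["conditionalAccessStatus"] != "notApplied":
            continue                      # a policy applied, so this path is covered
        key = (s["userPrincipalName"], s["appDisplayName"])
        agg[key]["volume"] += 1
        if s["clientAppUsed"] in LEGACY_CLIENTS:
            agg[key]["legacy"] = True
    return dict(agg)

def risk_score(upn, app, volume, legacy):
    """Assumed weights: missing control, then privilege, app sensitivity and capped volume."""
    score = 40 if legacy else 30
    score += 25 if upn in PRIVILEGED else 0
    score += 15 if app in SENSITIVE_APPS else 0
    score += min(volume, 20)
    return score

def band(score):
    return "Critical" if score >= 70 else "High" if score >= 50 else "Medium" if score >= 30 else "Low"

def ranked_gaps(signins):
    """Rows for the report table, highest risk first; ties broken by identity for stable output."""
    rows = []
    for (upn, app), info in uncovered_signins(signins).items():
        score = risk_score(upn, app, info["volume"], info["legacy"])
        # Heuristic label: a legacy client with no policy lacks a legacy-auth block,
        # a modern client with no policy lacks at least an MFA requirement.
        rows.append({"identity": upn, "app": app,
                     "missing": "Legacy-auth block" if info["legacy"] else "MFA",
                     "volume": info["volume"], "score": score, "band": band(score)})
    rows.sort(key=lambda r: (-r["score"], r["identity"]))
    return rows

if __name__ == "__main__":
    print("| Identity | App | Missing control | Sign-ins | Score | Risk |")
    print("| --- | --- | --- | --- | --- | --- |")
    for r in ranked_gaps(SIGNINS):
        print(f"| {r['identity']} | {r['app']} | {r['missing']} | {r['volume']} | {r['score']} | {r['band']} |")
```

The two covered sign-ins by `alice` are discarded, so only paths that were both uncovered and actually exercised reach the table. The privileged account on a sensitive app outranks the higher-volume legacy IMAP gap under these weights; in practice the weights are the thing to tune against the tenant's own privilege and sensitivity classifications.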

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, policies, or accounts. It only inspects configuration and sign-in telemetry to report findings.

This skill does NOT:

- Create, modify, enable, disable, or delete any Conditional Access policy.
- Change user, group, role, or application assignments or exclusions.
- Block sign-ins, revoke sessions, or alter authentication methods.
- Write to or export data outside the generated read-only report.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Conditional Access policy enforcement and evaluation | Microsoft Entra ID P1 |
| Sign-in log analysis with risk context | Microsoft Entra ID P1 |

### Least-privilege roles

- Global Reader — read-only visibility of Conditional Access policies and tenant configuration
- Security Reader — read access to sign-in logs and identity security signals

### Microsoft Graph permissions (read-only)

- `Policy.Read.All` — reads Conditional Access policies, their state, assignments, conditions, and grant controls
- `Directory.Read.All` — resolves users, groups, roles, and cloud applications referenced in policy scopes
- `AuditLog.Read.All` — reads sign-in logs to confirm whether uncovered identities and applications are actively used
- `Application.Read.All` — resolves service principals and cloud applications named in policy conditions

## Sources and compliance

- [Conditional Access policies concept](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies)
- [Plan a Conditional Access deployment](https://learn.microsoft.com/en-us/entra/identity/conditional-access/plan-conditional-access)
- Maps to Essential Eight control "Multi-factor authentication" and supports "Restrict administrative privileges" assurance.
- Aligns with ISM controls for multi-factor authentication and identity-based access control.
- Reference: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
