Implementing Conditional Access for Secure Remote Access
Let's say your organization recently experienced multiple password spray attempts against remote users accessing Microsoft Entra ID integrated applications. Leadership wants MFA enforced, but only for users accessing resources externally, to avoid disrupting internal office workflows. How would you design and implement this securely?

The strategy here is to use Conditional Access instead of enabling blanket MFA across the tenant. Start by creating a dedicated group like MFA-Test-Group and add pilot users such as testuser. Build a Conditional Access policy targeting that group, cloud apps, and external sign-ins. Exclude trusted corporate IP ranges using named locations to reduce friction internally. Then enforce MFA using authentication strengths or standard MFA controls. Monitor sign-in logs closely before expanding to production users. This phased rollout minimizes operational disruption while improving identity security posture.

In another case, a third-party contractor needs temporary access to an internal procurement application, but security policy requires stronger authentication for external and high-risk access. The contractor only has a standard user account and an unmanaged device. How would you approach this?

The best approach is combining MFA with risk-aware Conditional Access. First, onboard the contractor as a guest user and place them into a dedicated external-access group. Create a Conditional Access policy that requires MFA for guest accounts and blocks access from risky sign-ins or unsupported locations. If the application contains sensitive data, add session controls or sign-in frequency limits to reduce long-lived sessions. For implementation, test the experience using a non-admin account before production rollout. This creates layered protection while still allowing secure collaboration with external users.

Let's hear your approach.

#MicrosoftEntra #ConditionalAccess #MFA #IdentitySecurity #CyberSecurity
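The first scenario's pilot policy, sketched with the Microsoft Graph PowerShell SDK as an added example that is not part of the original post. The location and policy display names are hypothetical, 203.0.113.0/24 is a documentation placeholder for the corporate egress range, and starting in report-only state is an assumption chosen to fit the "monitor sign-in logs before expanding" step.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and an admin
# account that can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All', 'Group.Read.All'

# Pilot group named in the post; it must already exist and be unique.
$group = @(Get-MgGroup -Filter "displayName eq 'MFA-Test-Group'")
if ($group.Count -ne 1) { throw 'Expected exactly one group named MFA-Test-Group.' }

# Trusted named location for the corporate egress range.
# 203.0.113.0/24 is a placeholder; replace it with the real office range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corp-Office-Egress'          # hypothetical name
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# Require MFA for the pilot group on all cloud apps, from every location
# except the trusted one, so internal office sign-ins are not prompted.
$policy = @{
    displayName   = 'PILOT - Require MFA outside corporate network'   # hypothetical name
    state         = 'enabledForReportingButNotEnabled'                # report-only
    conditions    = @{
        users          = @{ includeGroups = @($group[0].Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'{0} created in state {1}' -f $created.DisplayName, $created.State
```

In report-only state the policy is evaluated and recorded in the sign-in logs without prompting anyone; once the pilot results look right, change state to 'enabled' to start enforcing MFA.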