You rolled out multi-factor authentication across the tenant, watched the Conditional Access policy go green, and crossed it off the list. The problem is that a Conditional Access policy is only as strong as its exclusion list — and exclusions have a habit of quietly accumulating.
Why exclusions exist (and why they linger)
Exclusions are added for good reasons: a break-glass emergency account that must never be locked out, a service account that cannot complete an MFA prompt, a vendor who needed temporary access during a migration. Each one is justified at the time.
What rarely happens is the cleanup. The migration ends, the vendor leaves, but the exclusion stays. Exclusions applied through a group are worse still: anyone added to that group later inherits the exemption without the policy itself ever changing. Six months later your "MFA required for all users" policy has a list of accounts it quietly does not apply to — and nobody is looking at that list.
The worst case: an excluded Global Admin
The most dangerous exclusion is a privileged one. Conditional Access lets you exclude by user, by group, or by directory role, and all three count. If a Global Administrator falls into any exclusion on your MFA policy — and on the risk-based and sign-in-frequency policies alongside it — then a single phished or reused password gives an attacker unchallenged, tenant-wide control of Exchange, SharePoint, and Entra ID. A policy left in report-only mode has the same effect: it looks like coverage in the portal and enforces nothing.
This is not hypothetical. It is one of the most common findings we see: an admin account carrying a stack of Conditional Access exclusions that were each reasonable in isolation but add up to an account that is effectively exempt from your security controls. The rule of thumb is simple — only a break-glass emergency account should carry exclusions, and even that account should be MFA-capable, tightly monitored, and configured so that every sign-in by it raises an alert.
Where this sits in the CIS benchmark
The CIS Microsoft 365 Foundations Benchmark v5.0.0 puts identity front and centre: Microsoft Entra (Identity) is the largest of its 9 sections, at 37 of the 129 controls. Conditional Access, MFA registration, and Privileged Identity Management all live here. These are exactly the controls where an exclusion turns a "pass" into a quiet "fail" without anything visibly breaking.
How to find them before an attacker does
A point-in-time audit helps, but exclusions drift back in. The durable fix is continuous checking:
- Scan the full identity section automatically. ConfigCobra walks every Entra control on read-only Microsoft Graph permissions — no agents, no admin password sharing — and flags accounts that are excluded from the policies meant to protect them.
- Get the remediation with the finding. Each result arrives with plain-language reasoning, the affected scope, and a copy-paste remediation script pre-filled for your tenant.
- Catch the re-introduction. Set a daily, weekly, or monthly re-scan and you are emailed the moment an exclusion is added back or a policy regresses — not at the next quarterly review.
- Ask in plain language. With the MCP integration, you can connect ConfigCobra to your own AI assistant and ask "which of my global admins are excluded from Conditional Access policies?" and get the answer straight from your live scan data.
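Here is what the core of that check looks like in code, covering both the excluded-Global-Admin case above and the continuous check described in this list. This is an added example, not ConfigCobra's code and not part of the CIS benchmark: a Python script that takes the JSON shape Microsoft Graph returns for Conditional Access policies, the members of the Global Administrator role, and each admin's group memberships, and reports which enforced MFA policies leave each admin uncovered, whether through a user, group, or role exclusion or simply because the admin is not in the policy's scope. The policy and directory data in it are constructed; `GLOBAL_ADMIN_ROLE` is the real Global Administrator role template ID; the function names are mine; the Graph endpoints and permissions in the comments are the read-only ones you would call to feed it live data.

```python
"""Which Global Admins does an MFA Conditional Access policy not cover?

Input mirrors the JSON Microsoft Graph returns from
GET /identity/conditionalAccess/policies (Policy.Read.All). Role membership and
group membership come from GET /directoryRoles(roleTemplateId='...')/members
and GET /users/{id}/transitiveMemberOf (Directory.Read.All). All data below is
constructed for this example; nothing here is ConfigCobra's code.
"""

# Role template ID of Global Administrator; this value is the same in every tenant.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample policies, trimmed to the fields the check needs.
POLICIES = [
    {
        "id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"], "excludeUsers": ["u-breakglass"],
            "includeGroups": [], "excludeGroups": ["g-migration-vendors"],
            "includeRoles": [], "excludeRoles": [],
        }},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "p2", "displayName": "Require MFA for admins",
        "state": "enabledForReportingButNotEnforced",  # report-only: enforces nothing
        "conditions": {"users": {
            "includeUsers": [], "excludeUsers": [],
            "includeGroups": [], "excludeGroups": [],
            "includeRoles": [GLOBAL_ADMIN_ROLE], "excludeRoles": [],
        }},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]
# Constructed sample directory data: Global Admin members and each one's groups.
GLOBAL_ADMINS = {"u-breakglass", "u-alice", "u-bob"}
USER_GROUPS = {
    "u-alice": {"g-it-staff"},
    "u-bob": {"g-it-staff", "g-migration-vendors"},  # inherits a stale exclusion
    "u-breakglass": set(),
}
BREAK_GLASS = {"u-breakglass"}  # the one account expected to be excluded


def mfa_policies_by_state(policies):
    """Split policies whose grant controls include MFA into enforced / not enforced."""
    enforced, not_enforced = [], []
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue
        (enforced if p.get("state") == "enabled" else not_enforced).append(p)
    return enforced, not_enforced


def exclusion_reasons(policy, user_id, groups, roles):
    """Why `user_id` escapes `policy`: explicit exclusions first, then scope. [] if covered."""
    u = policy["conditions"]["users"]
    reasons = []
    if user_id in (u.get("excludeUsers") or []):
        reasons.append("excluded by user")
    reasons += [f"excluded via group {g}" for g in sorted(groups & set(u.get("excludeGroups") or []))]
    reasons += [f"excluded via role {r}" for r in sorted(roles & set(u.get("excludeRoles") or []))]
    if reasons:
        return reasons
    inc_users = u.get("includeUsers") or []
    in_scope = ("All" in inc_users or user_id in inc_users
                or bool(groups & set(u.get("includeGroups") or []))
                or bool(roles & set(u.get("includeRoles") or [])))
    return [] if in_scope else ["not in policy scope"]


def unprotected_admins(policies, admins, user_groups, break_glass=frozenset()):
    """Map each Global Admin to the enforced MFA policies that do not cover them.

    Break-glass accounts are reported under their own key so the one expected
    exclusion does not hide the unexpected ones. Report-only MFA policies are
    listed too: they look like coverage in the portal but enforce nothing.
    """
    enforced, not_enforced = mfa_policies_by_state(policies)
    findings = {"unexpected": {}, "break_glass": {},
                "not_enforced": [p["displayName"] for p in not_enforced]}
    for admin in sorted(admins):
        gaps = {}
        for p in enforced:
            why = exclusion_reasons(p, admin, user_groups.get(admin, set()), {GLOBAL_ADMIN_ROLE})
            if why:
                gaps[p["displayName"]] = why
        if gaps:
            findings["break_glass" if admin in break_glass else "unexpected"][admin] = gaps
    return findings


if __name__ == "__main__":
    result = unprotected_admins(POLICIES, GLOBAL_ADMINS, USER_GROUPS, BREAK_GLASS)
    for admin, gaps in result["unexpected"].items():
        for policy_name, why in gaps.items():
            print(f"FINDING {admin}: '{policy_name}' -> {', '.join(why)}")
    for admin in result["break_glass"]:
        print(f"expected: break-glass account {admin} is excluded; make sure it is monitored")
    for name in result["not_enforced"]:
        print(f"WARNING: '{name}' requires MFA but is not enforced")
```

Two design choices matter here. Group exclusions are resolved through actual membership rather than read off the policy, which is why the stale vendor group surfaces as a finding against u-bob even though nobody touched the policy. And a policy in report-only mode is counted as not enforcing, so the admin-scoped MFA policy is flagged instead of being credited as coverage. Run it on a schedule against fresh Graph output and diff the result against the previous run, and you have the re-introduction check the list above describes.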
The takeaway
MFA enforcement is not a one-time switch. It is a state you have to keep proving — because the exclusion list is where good intentions quietly undo it. Audit it, then keep watching it.
Run a free assessment and see which of your accounts are slipping through the gaps. The trial covers 15 of the 129 CIS controls, including identity.