Mirage CA Baseline Deployer

1. Sign in to your tenant

You sign in with your administrator account to your Microsoft Entra tenant (delegated sign-in, not a shared credential). The Mirage CA Baseline Deployer app is a multi-tenant, public client with no client secret. The first administrator to use it in your tenant sees the standard Microsoft consent screen for the requested Graph permissions. Sign-in state lives in memory for this tab only: reloading or closing the page clears it (no token cache in session storage).

Account: Not signed in

2. Review what will happen

The baseline covers users, administrators, guests, service accounts, and agents - not every policy applies to every principal on day one.

Groups (e.g. BG_BreakGlass, CA_ExcludedFromCA) are created if missing or reused by display name.
Named locations ship with placeholder ranges - replace them in Microsoft Entra admin center after deploy.
41 policies: new ones use state: enabledForReportingButNotEnforced (Report-only) except eight that default state: disabled (CA111, CA202, CA204, CA302, CA303, CA603, CA606, CAA01). CA112 (device registration MFA) defaults Report-only. If a tenant policy shares the normalized display name, it stays unchanged. Re-run is safe.

Details: policies on this page · live catalog (with descriptions) · README. Baseline source: (resolving...)

Policy catalog

All 41 Conditional Access policies in the baseline (new deploys: Report-only except eight default Off - see bullets above). For descriptions and personas, open the live catalog.

ID	Display name	Persona	Criticality
`CA101`	Require MFA	All users	Critical
`CA102`	User Risk - Require MFA + Password Change	All users	Critical
`CA103`	Sign-In Risk - Require MFA	All users	Critical
`CA104`	Block Legacy Authentication	All users	Critical
`CA105`	Block Unknown Platforms	All users	Recommended
`CA106`	Block Outside Trusted Countries	All users	Critical
`CA107`	Session Controls	All users	Recommended
`CA108`	Block Cross-Device Auth Flows	All users	Critical
`CA109`	Require MFA for Azure Management	All users	Recommended
`CA110`	Block Malicious IPs	All users	Optional
`CA111`	Continuous Access Evaluation - Standard	All users	Recommended
`CA112`	MFA on Device Register or Join	All users	Critical
`CA113`	Require Token Protection (Pilot)	All users	Optional
`CA114`	Terms of Use	All users	Optional
`CA201`	Intune Enrolling - Require MFA	All users	Critical
`CA202`	Require App Protection (Mobile)	All users	Critical
`CA204`	Require Compliant Mobile (Optional MDM track)	All users	Optional
`CA301`	Require Compliant Windows	All users	Critical
`CA302`	Require Compliant macOS	All users	Critical
`CA303`	Limited Browser Access on Unmanaged Devices	All users	Recommended
`CA304`	Require Compliant Linux	All users	Critical
`CA601`	Phishing-Resistant MFA for Admins	Admins	Critical
`CA602`	Admin Session Controls	Admins	Critical
`CA603`	Admin CAE - Strict	Admins	Critical
`CA604`	Admin Block High User Risk	Admins	Critical
`CA605`	Admin Block High Sign-In Risk	Admins	Critical
`CA606`	Admin Require Compliant or Joined Device	Admins	Critical
`CA701`	App - FortiClient - MFA	Application	Optional
`CA702`	App - Salesforce - MFA	Application	Optional
`CA801`	Service - Require MFA (Interactive)	Service	Recommended
`CA802`	Service - Block Outside Trusted IPs	Service	Critical
`CA803`	Service - Block Legacy Auth	Service	Recommended
`CA804`	Service - Block Non-M365 Apps	Service	Recommended
`CA901`	Guest - Require MFA	Guest	Critical
`CA902`	Guest - Block High Sign-In Risk	Guest	Recommended
`CA903`	Guest - Block Legacy Auth	Guest	Recommended
`CA904`	Guest - Block Outside Trusted Countries	Guest	Critical
`CA905`	Guest - Block Non-Collaboration Apps	Guest	Critical
`CA906`	Guest - Terms of Use	Guest	Optional
`CA907`	Guest - Session Controls	Guest	Recommended
`CAA01`	Agent - Block High Risk	Agent	Recommended

3. Deploy

Dry run previews the work - no directory writes. Turn it off for a real deploy.

Dry run (preview only, no changes)

Next: read the activity log below, then After deployment.

Activity log

After deployment

Use Microsoft Entra admin center - not this page - to finish rollout:

Open Protection → Conditional Access: most new baseline policies evaluate in Report-only; eight default Off (CA111, CA202, CA204, CA302, CA303, CA603, CA606, CAA01) until you enable them.
Update named locations and groups (break glass, exclusions, service accounts) with real values.
Enable policies in a controlled order when your runbook says so - optionally use Sign-in logs / Conditional Access insights first.

Full guidance (hosting, roles, fork): see the README - Deploy in your tenant on GitHub.

What this tool does

Creates missing Conditional Access policies: Report-only by default, Off for eight pinned IDs (see bullets above); skips when the display name already exists. Creates or reuses groups and placeholder named locations - delegated permissions from your session.
Does not set policies On (fully enforced); moving from Report-only to On stays a manual admin-center decision.
Does not use a client secret or application-only permissions; it cannot act without a signed-in administrator.
Does not read mail or files; directory access is limited to what Graph needs for groups, locations, and policies.