Conditional access policies are only as good as their coverage. Most organizations know what policies they've built. Few have a clear picture of which identities and applications those policies never reached.
When Coverage Has Gaps
Entra ID's native tooling shows you what policies exist. There's no out-of-box view that answers: which identities authenticated successfully last month without a CA policy applied? Which applications are being reached through legacy auth paths that bypass MFA entirely? In environments where provisioned accounts far outnumber active users — one enterprise running 18,000 provisioned identities against 4,000 active users — that blind spot doesn't shrink on its own. It compounds.
The security team has no way to measure how CA policies are working. Which users are slipping through exclusions. Which apps have never been covered. Where policy scope has quietly drifted. An attacker with a valid password and an ungated auth path doesn't need to defeat MFA. There's no gate to defeat.
Where the Coverage Ends
The fix isn't tighter policies on the paths you already cover. It's finding the sign-ins where no CA policy applied at all.
Start by answering three questions your native tooling can't: Which identities authenticated last month without a policy applied? Which apps are reachable through legacy auth outside CA scope? Which exclusions have grown since you last reviewed them?
Abnormal's identity posture work surfaces exactly these gaps — ungated paths, legacy auth exposure, and exclusion drift — continuously, not as a one-time audit. Map the ungated paths before someone else does.
See the latest from Abnormal's product and engineering teams.
