Summary
When you connect your Azure Government (GCC High) tenant, Secureframe automatically creates the Conditional Access (CA) policies your CMMC scope requires. To avoid accidentally locking anyone out the moment they're created, every policy is created in report-only mode. Report-only policies are evaluated and logged but not enforced, so they don't yet protect access to CUI — and the related Secureframe tests will fail until you switch them to On.
This is expected. This article explains what was created, which test fails and why, and how to safely turn enforcement on.
What Secureframe created
Secureframe creates the following Conditional Access policies in your tenant, each in report-only state. You'll find them under Microsoft Entra admin center → Protection → Conditional Access → Policies, each showing a Report-only badge:
Require MFA for CUI Users — Multi-factor authentication for users in the CUI Users group.
Require Compliant Device for CUI Access — Access to CUI apps only from a compliant/managed device.
Require Managed Device for Authentication — Sign-in only from a managed device.
Block Legacy Authentication — Blocks legacy auth protocols that bypass MFA.
Enforce Session Timeout — Re-authentication after the idle session window.
Block High Risk Sign-ins — Blocks sign-ins flagged high-risk.
Block High Risk Users — Blocks users flagged high-risk.
Require MFA for Risky Sign-ins — Step-up MFA on risky sign-ins.
Require Password Change for Compromised Users — Forces a password reset for compromised users.
Block Device Code Flow — Blocks the device-code authentication flow.
Phishing Resistant Admins — Phishing-resistant MFA for admin roles.
Require Terms of Use — Presents the CUI terms-of-use agreement at sign-in.
The test that fails
Test: Conditional Access policies are enforced for CUI users.
How it's evaluated: The test reads each Conditional Access policy's state and treats a policy as passing only when its state is On (enabled). A policy left in report-only is intentionally counted as not compliant, so the test reports a failure for each policy still in report-only mode.
In other words: the policies existing isn't enough — the test passes only once they're enforced.
How to fix it
Turning a policy on can block users who aren't ready (no MFA registered, device not enrolled). Do this in order:
Review the report-only impact first. In Entra, open Conditional Access → Insights and reporting (or each policy's report-only sign-in logs) to see who would have been blocked over the last several days.
Remediate the people and devices that would be blocked:
Have users register for MFA.
For the Require Compliant Device for CUI Access policy, enroll devices so they report as compliant.
Enforce each policy: open the policy in Entra → set Enable policy to On → Save. Repeat for every policy listed above.
Keep break-glass access safe: confirm your emergency/break-glass admin accounts are excluded from these policies before enforcing, so a misconfiguration can't lock you out entirely.
Re-run the test in Secureframe. Once all policies are On, re-sync your Azure Government connection (or wait for the next scheduled sync) and the test will pass.
⚠️ Intune is currently required for the compliant-device policy. Microsoft Entra only marks a device "compliant" when an MDM such as Microsoft Intune evaluates it against your compliance policies. If you don't yet have Intune compliance policies in place, users on physical devices will be blocked from CUI apps the moment you enforce Require Compliant Device for CUI Access — set up Intune first.
FAQ:
Why didn't Secureframe just enforce them for me?
Enforcing immediately could lock out users who haven't set up MFA or enrolled a device — including admins. Report-only lets you verify the impact and remediate first.
I use a different MDM, not Intune.
Today the compliant-device signal for the "Require Compliant Device for CUI Access" policy depends on Intune reporting device compliance. Other MDMs aren't yet supported for that signal. Please reach out to our support team with your specific use case.
