This article provides complete implementation guidance for configuring Microsoft Entra Conditional Access so that users who have not completed required training are automatically placed in the, for example, “Incomplete Training Group”.
When users in this group attempt to sign in, they are shown a clear notification explaining that access is restricted due to incomplete training. After acknowledging the notice, they are blocked from all Microsoft 365 applications, including Outlook (web and desktop), Teams, SharePoint, OneDrive, and related services.
This guide also includes instructions for restoring access by removing users from the “Incomplete Training Group.” Access can be restored either manually by an administrator through Microsoft Entra ID group management, or automatically when a StarPhish workflow is triggered that removes the user from the group upon successful completion of the required training.
This solution uses Microsoft-supported Conditional Access features and does not modify core authentication behavior.
- Prerequisites
- Expected user experience
- Step 1 - Disable security details (if enabled)
- Step 2 - Create the Terms of Use (training restriction notice)
- Step 3 - Create policy 1: Message policy
- Step 4 - Create policy 2: Enforcement policy
- Step 5 - Review other conditional access policies
- Training Course Creation
- StarPhish workflow - Add user to Incomplete Training Group.
- StarPhish workflow - Remove user from Incomplete Training Group.
Prerequisites.
Before implementation, please ensure the following:
1. Appropriate Role.
Conditional Access Administrator or Global Administrator is required.
2. Security Group.
A Microsoft Entra security group must exist named, for example: “Incomplete Training Group”.
Users who have not completed mandatory training must be added to this group.
3. Break-Glass Account.
At least one emergency administrator account must exist and be excluded from all restrictive Conditional Access policies.
Expected user experience.
When a user is added to the Incomplete Training Group:
1. The user signs in.
2. The Terms of Use notice appears.
3. The user acknowledges the message.
4. The user is blocked from all Microsoft 365 applications.
5. Access remains blocked until either:
• An administrator removes the user from the Incomplete Training Group.
or
• A workflow within StarPhish removes the user from the Incomplete Training Group.
6. User signs out and back in to restore normal access.
Step 1 - Disable security details (if enabled).
3. Select Properties.
5. Set Security defaults to Disabled.
6. Click Save.
Security Defaults enforce baseline protections such as mandatory Multi-Factor Authentication (MFA) for administrators and users.
Disabling Security Defaults removes those automatic protections. Before proceeding, ensure that equivalent or stronger protections are implemented via Conditional Access policies in accordance with your organisations:
• Internal security policies
• Regulatory obligations
• Industry standards
• Risk appetite
You must confirm that at minimum the following protections remain enforced:
• MFA for privileged roles
• MFA for all users (if required by policy)
• Device compliance or hybrid join requirements (if applicable)
• Location-based restrictions (if part of your security posture)
• Risk-based sign-in policies (if used)
FAILURE TO REPLACE SECURITY DEFAULTS APPROPRIATELY MAY WEAKEN YOUR SECURITY POSTURE.
Step 2 - Create the Terms of Use (training restriction notice)
This Terms of Use document is used to present a mandatory acknowledgement explaining the access restriction.
Name: Incomplete Training – Access Restricted
Upload a PDF that clearly explains, for example:
• Why access has been restricted and what the end-user should do next.
Optional: Enable “Require users to expand the terms” if desired.
Do not enable expiration unless required by policy.
Click Create.
Step 3 - Create policy 1: Message policy.
Purpose: Display the training restriction notice.
Policy Name : Incomplete Training – MESSAGE (Example name)
Assignments - Users or Agents
Include: Incomplete Training Group
Exclude: Break-glass administrator account(s)
Target Resources
Include: All resources
Exclude: None
Conditions
None
Access Controls – Grant
Select Grant access
Choose: Incomplete Training – Access Restricted (or whatever name you used above)
Enable policy: On
Click Create
This policy ensures users must acknowledge the training notice before proceeding.
Step 4 - Create policy 2: Enforcement policy.
Purpose: Block all Microsoft 365 applications for users in the, for example, Incomplete Training
Group.
Policy Name: Incomplete Training - BLOCK
Assignments - Users
Include: Incomplete Training Group (Example name)
Exclude: Break-glass administrator account(s)
Target Resources
Include: All resources
Exclude: Office 365
Important: Excluding Office 365 allows the Microsoft 365 portal shell (login process) and Terms of Use
experience to load.
All actual workloads remain blocked, including:
• Exchange Online
• Outlook Web
• Outlook Desktop
• Teams
• SharePoint
• OneDrive
• Microsoft Graph
Conditions
None
Access Controls – Grant
Select Block access
Enable policy: On
Click Create
Step 5 - Review other conditional access policies
• Require MFA for all users
• Require compliant device
• Location-based policies
• Risk-based policies
Training Course Creation
When creating the Training Course for your recipients, select a tag to assign to recipients upon course completion before following the next steps. You can select the tag which you would like to assign during course creation, on Step 4 - Course Tracking.
If the tag is assigned to the recipient, they will be removed from the 365 agreement due to the StarPhish workflow below.
StarPhish workflow - Add user to Incomplete Training Group
Note: For the StarPhish workflows to trigger, the following permissions must be added to your key:
Agreement.Read.All
Agreement.ReadWrite.All
For more information on permissions, and how to add/remove them, please click here.
- Trigger: Training Ended
When the training course containing the recipient included in the Microsoft 365 group ends, the workflow will be triggered. - Action: For Each
This action allows you to iterate over recipients in the course. - Condition: If/Else
With this step, you are able to select the variable 'Completed course', comparison 'Equals' and value 'False' so that when the recipient does not complete the training course, the recipient is added to the Incomplete Training group.
For more information on how to create a StarPhish workflow, please view our article by clicking here.
StarPhish workflow - Remove user from Incomplete Training Group
Note: For the StarPhish workflows to trigger, the following permissions must be added to your key:
Agreement.Read.All
Agreement.ReadWrite.All
For more information on permissions, and how to add/remove them, please click here.
- Trigger: Recipient Tag Added
When you create a training course on Step 4 Tracking, it can be configured so a specific tag is assigned to a recipient upon course completion. This tag can be used in the automation to automatically remove the user from a group.
- Remove from 365 group or Agreement
With this step, once the trigger condition is met, you have the option to remove the recipient from a specific 365 group or agreement (such as an ‘Incomplete Training’ group).
Please let us know if you require any further assistance, you can contact our support team by clicking here. Or by sending an email to support@phishingtackle.com