Copilot AI commented Feb 2, 2026

What is being addressed

TRE lacks documentation on configuring Conditional Access Policies and MFA for securing access to workspaces and resources.

How is this addressed

New documentation page: docs/tre-admins/conditional-access.md

  • TRE-wide policies: MFA enforcement, device compliance, location blocking, session controls
  • Per-workspace policies: Location/IP restrictions, workspace-specific MFA requirements
  • Implementation guidance: Policy setup, testing (report-only mode, What If tool), monitoring (sign-in/audit logs)
  • Critical guidance on dynamic workspaces: Clarifies that "All cloud apps" is the only sustainable approach for TRE-wide Conditional Access Policies to automatically cover workspaces created on-demand
  • 16 links to Microsoft Learn documentation (avoiding content duplication)

Navigation: Added under Administration section in mkdocs.yml

CHANGELOG: Enhancement entry added for issue #4834

Technical coverage includes:

  • Named locations configuration for IP/geographic restrictions
  • Authentication strengths for sensitive workspaces
  • Break-glass account exclusions
  • "All cloud apps" approach for automatic coverage of dynamically created workspace applications
  • Explanation of why security groups (AUTO_WORKSPACE_GROUP_CREATION) cannot be pre-targeted in TRE-wide CAPs since they are created per workspace
  • Warning against unsustainable manual policy updates
Original prompt

This section details the original issue you should resolve

<issue_title>Document TRE Conditional Access Policies / MFA usage</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
I can not see any documentation or guidance on MFA / Conditional Access Policies. I think it would be helpful for all TRE users to have some basic docs and recommendations around this subject.

Describe the solution you'd like
A clear and concise description of how to configure Conditional Access Policies for TRE.

Describe alternatives you've considered
Asking an LLM / reading Microsoft docs
</issue_description>

Comments on the Issue (you are @copilot in this section)

@marrobi This should cover TRE wide conditional access, how to do conditional access on a per workspace basis to limit access from certain locations - regions or Ip ranges. Do not duplicate the Microsoft docs, link where appropriate. This should be a separate page available in the mkdocs index with similar technical content.


Copilot AI and others added 2 commits February 2, 2026 18:08
Copilot AI changed the title [WIP] Add documentation for TRE Conditional Access Policies and MFA usage Document Conditional Access Policies and MFA configuration Feb 2, 2026
Copilot AI requested a review from marrobi February 2, 2026 18:11
marrobi commented Feb 2, 2026

@copilot given workspaces are created on demand, how do we ensure the created TRE wide CAP covers new workspaces as well as existing?

Copilot AI and others added 2 commits February 2, 2026 18:38
Copilot AI commented Feb 2, 2026

@copilot given workspaces are created on demand, how do we ensure the created TRE wide CAP covers new workspaces as well as existing?

Updated the documentation to address this concern. The guidance now emphasizes two sustainable strategies:

  1. Use "All cloud apps" (recommended) - Select "All cloud apps" in the Conditional Access Policy to automatically cover all workspace applications including future ones. This requires no ongoing maintenance.

  2. Use Azure AD Security Groups (if AUTO_WORKSPACE_GROUP_CREATION is enabled) - Target security groups in CAPs for automatic coverage with more granular control.

The manual update approach has been removed from the documentation as it's not sustainable and can lead to security gaps.

Changes in commit 4023322

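The two policy shapes discussed in this thread (a TRE-wide MFA policy that targets "All" cloud apps so on-demand workspaces are covered without edits, and a per-workspace policy that blocks sign-in from outside a named IP location) are shown below as Microsoft Graph request bodies, with a small check for the properties the thread calls out: "All" apps on the TRE-wide policy, break-glass exclusions, a named-location allow list on any block policy, and report-only state before enforcement. This is an added example, not code from the pull request or from the TRE project; every object ID, group ID and CIDR range in it is a constructed placeholder, and the Graph endpoints and field names are the documented `identity/conditionalAccess` ones. Since workspace security groups are created with each workspace, the per-workspace policy can only be authored once that workspace's app and group IDs exist; the TRE-wide policy needs no such step.

```python
"""Build and sanity-check Conditional Access bodies for a TRE (Microsoft Graph v1.0).

Added example, not the TRE project's code. All IDs and IP ranges are
constructed placeholders; replace them with values from your tenant.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed placeholders (not real tenant object IDs).
BREAK_GLASS_USERS = ["11111111-1111-1111-1111-111111111111"]
TRE_USERS_GROUP = "22222222-2222-2222-2222-222222222222"


def ip_named_location(name, cidrs, trusted=False):
    """Body for POST /identity/conditionalAccess/namedLocations (IPv4 ranges)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }


def tre_wide_mfa_policy(state=REPORT_ONLY):
    """TRE-wide MFA policy. 'All' cloud apps means workspace app registrations
    created later are covered without editing the policy."""
    return {
        "displayName": "TRE: require MFA for all cloud apps",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": [TRE_USERS_GROUP],
                      "excludeUsers": list(BREAK_GLASS_USERS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def workspace_location_policy(workspace_app_id, workspace_group_id,
                              named_location_id, state=REPORT_ONLY):
    """Per-workspace policy: block sign-in to one workspace app from every
    location except the given named location (e.g. institutional IP ranges)."""
    return {
        "displayName": f"TRE workspace {workspace_app_id}: allow only from named location",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": [workspace_app_id]},
            "users": {"includeGroups": [workspace_group_id],
                      "excludeUsers": list(BREAK_GLASS_USERS)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def check_policy(policy, tre_wide):
    """Return findings for the properties the thread calls out (empty list = OK)."""
    findings = []
    cond = policy["conditions"]
    if tre_wide and cond["applications"]["includeApplications"] != ["All"]:
        findings.append("TRE-wide policy must target 'All' cloud apps, "
                        "otherwise workspaces created later are not covered")
    if not set(BREAK_GLASS_USERS) <= set(cond["users"].get("excludeUsers", [])):
        findings.append("break-glass accounts are not excluded")
    if policy["grantControls"]["builtInControls"] == ["block"]:
        locs = cond.get("locations", {})
        if locs.get("includeLocations") != ["All"] or not locs.get("excludeLocations"):
            findings.append("block policy has no allow-listed named location; "
                            "it would lock every user out of the workspace")
    if policy["state"] == "enabled":
        findings.append("policy is enforced; validate in report-only mode first")
    return findings


def graph_post(token, path, body):
    """POST a body to Graph (token needs Policy.ReadWrite.ConditionalAccess).
    Not exercised offline; shown for the deployment step."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Create the named location first and feed the returned `id` into `workspace_location_policy`; keep both policies in report-only state until the sign-in log shows the expected matches, then switch `state` to `"enabled"`.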

Successfully merging this pull request may close these issues.

Document TRE Conditional Access Policies / MFA usage