Apply Conditional Access blocks before authentication
Conditional Access policies that completely block access should be applied before allowing the user to attempt authentication, because otherwise an attacker can still crack a user's password (e.g. using a botnet) even though Conditional Access prevents them from actually using the account. This cracked password can then be used to access the account under different circumstances in which Conditional Access allows access.
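A detection sketch for the gap described above, added here as an example and not part of the original post: because the block is applied only after the password has been checked, a Conditional Access block that follows a run of bad-password failures marks a password that is now known to whoever was guessing. The function name, threshold and sample records are assumptions; the field names follow the Microsoft Graph signIn resource and the error codes are the Entra ID codes 50126 (invalid username or password) and 53003 (blocked by Conditional Access).

```python
from collections import defaultdict

# Entra ID sign-in error codes, found in status.errorCode of each sign-in record.
INVALID_PASSWORD = 50126  # invalid username or password
BLOCKED_BY_CA = 53003     # blocked by Conditional Access, after the password was accepted

def _rec(time, user, ip, code):
    # Field names follow the Microsoft Graph signIn resource.
    return {"createdDateTime": time, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE_SIGNINS = [
    _rec("2024-05-01T10:00:00Z", "alice@example.com", "203.0.113.10", 50126),
    _rec("2024-05-01T10:00:07Z", "alice@example.com", "198.51.100.4", 50126),
    _rec("2024-05-01T10:00:15Z", "alice@example.com", "203.0.113.77", 50126),
    _rec("2024-05-01T10:00:21Z", "alice@example.com", "198.51.100.9", 53003),
    _rec("2024-05-01T11:30:00Z", "bob@example.com", "192.0.2.50", 53003),
    _rec("2024-05-01T12:00:00Z", "carol@example.com", "203.0.113.10", 50126),
    _rec("2024-05-01T12:00:05Z", "carol@example.com", "203.0.113.10", 50126),
    _rec("2024-05-01T12:05:00Z", "carol@example.com", "192.0.2.8", 0),
]

def find_confirmed_guesses(signins, min_failures=2):
    """Flag users whose Conditional Access block came right after a run of
    bad-password failures: the block shows the last guess was correct."""
    by_user = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec)
    findings = []
    for user, recs in by_user.items():
        failures = 0
        for rec in recs:
            code = rec["status"]["errorCode"]
            if code == INVALID_PASSWORD:
                failures += 1
            elif code == BLOCKED_BY_CA and failures >= min_failures:
                findings.append({"user": user, "ip": rec["ipAddress"],
                                 "time": rec["createdDateTime"],
                                 "failed_before": failures})
                break
            else:
                failures = 0  # success or unrelated result ends the run
    return findings

if __name__ == "__main__":
    for finding in find_confirmed_guesses(SAMPLE_SIGNINS):
        print(finding)
```

Accounts this returns are candidates for a forced password reset, since the policy that blocked the sign-in does not cover circumstances in which Conditional Access allows access.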
Pirmin Felber commented
Applying some blocking policies (especially regarding Client Apps / Locations) would be useful for us as well.