What Is Conditional Access in Microsoft 365?

Quick Answer

Conditional Access is Microsoft's policy engine for access decisions. Instead of simple yes/no, it evaluates signals (who, what device, where, risk level) and decides whether to allow, block, or require additional verification. It's essential for Zero Trust security.

How It Works

Traditional access: username + password = access to everything, from any device, anywhere.

Conditional Access: once the credential has been validated, multiple signals are evaluated in real time:

  • Who is requesting access? (user, role, group membership)
  • What are they accessing? (which apps, data sensitivity)
  • Where are they? (IP-based location, named network, country)
  • What device are they using? (managed, compliant, hybrid-joined)
  • What client are they using? (browser, modern mobile or desktop app, legacy authentication client)
  • What's the risk? (sign-in risk, user risk, as scored by Identity Protection)
Then a decision. Every policy whose conditions match must be satisfied, and a block in any one of them wins:
  • Allow (access granted)
  • Block (access denied)
  • Require more (MFA, compliant device, terms acceptance) or restrict the session (sign-in frequency, browser-only access with downloads disabled)

Note that Conditional Access runs after first-factor authentication, so it does not stop a password from being guessed; it stops a guessed password from being useful.

Real-World Examples

Example 1: Location-based

*"If accessing from outside the UK, require MFA."*

Login from the UK (a trusted named location) = baseline policies only. Login from any other country = MFA (or an outright block) required. Caveat: the location is derived from the source IP address, so a VPN or proxy defeats it; treat location as a supporting signal, never as the only control.

Example 2: Device compliance

*"Only allow access to SharePoint from managed, compliant devices."*

Corporate laptop with encryption and current updates = Access allowed Personal phone = Access blocked (or limited to web only)

Example 3: Risk-based

*"If Identity Protection rates a sign-in as risky, require MFA; if it rates the user as risky, block until they complete a secure password change."*

Normal sign-in = Proceed. Impossible travel, unfamiliar sign-in properties, anonymous IP = sign-in risk, so MFA is demanded (or the sign-in is blocked at high risk). Leaked credentials = user risk, so the account is blocked until the password is changed behind MFA. Both need Entra ID P2.

Example 4: App-specific

*"Finance apps require compliant device. General email allows any device."*

Accessing Dynamics/financial data = Strict requirements Checking email = More flexible

Common Policies

Block legacy authentication Legacy (basic) authentication, used by older clients for IMAP, POP, SMTP AUTH and Exchange ActiveSync, sends only a username and password and cannot be challenged for MFA, which makes it the route password-spray attacks take. Block it with a policy targeting the "Exchange ActiveSync clients" and "Other clients" app types. Microsoft has switched basic auth off in Exchange Online for most protocols, but SMTP AUTH can still be enabled per tenant or mailbox, so keep the policy in place.

Require MFA for all users Every user, with only the break-glass accounts excluded. (You're probably doing this already, but check that it is enforced by policy, not merely enabled per user.)

Require MFA for admin actions Extra verification for privileged roles, ideally phishing-resistant MFA (FIDO2 security key or passkey) enforced through an authentication strength.

Block high-risk sign-ins Automatically block when Identity Protection reports high sign-in risk (requires Entra ID P2).

Require compliant devices for sensitive data Access to HR, finance, or other sensitive data only from Intune-managed, compliant devices.

Block access from risky countries If you don't do business in certain regions, block access from there using named locations. This cuts noise but is not a security boundary: an attacker on a VPN exit in your own country walks straight past it.

Require terms of use acceptance Annual policy acknowledgment for compliance.
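
As an added example (not code from the original article), here is how three of the common policies above can be created with the Microsoft Graph PowerShell SDK. Every policy is created in report-only mode and excludes a break-glass account. The two GUIDs, the policy names and the choice of a "finance app" are placeholders and assumptions for your tenant.

```powershell
# Added example, not from the original article. Creates three common Conditional
# Access policies in report-only mode using the Microsoft.Graph.Identity.SignIns
# module. Needs an Entra ID P1 licence and a Conditional Access Administrator
# signing in interactively. Both GUIDs are placeholders: replace them.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # object ID of the emergency access account (assumption)
$financeAppId = '11111111-1111-1111-1111-111111111111'   # application ID of the finance app (assumption)

# Every policy starts report-only so the sign-in log records what *would* have happened.
$reportOnly = 'enabledForReportingButNotEnforced'

# User scope shared by all three policies: everyone except break-glass.
$allUsersExceptBreakGlass = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }

# 1. Block legacy authentication. "exchangeActiveSync" and "other" are the client
#    app types that use basic auth (old ActiveSync, IMAP, POP, SMTP AUTH clients).
$blockLegacy = @{
    displayName   = 'CA001 Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 2. Require MFA for all users on all cloud apps, from every client type.
$requireMfa = @{
    displayName   = 'CA002 Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Finance app only from an Intune-compliant device. The AND operator means a
#    compliant device is required *in addition to* MFA, not as an alternative.
$financeCompliant = @{
    displayName   = 'CA003 Finance app requires compliant device'
    state         = $reportOnly
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @($financeAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}

foreach ($policy in @($blockLegacy, $requireMfa, $financeCompliant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

The hashtables mirror the Graph `conditionalAccessPolicy` JSON exactly, so the same bodies can be submitted with any Graph client. Leave the policies in report-only mode until the sign-in log shows no unexpected failures, then switch `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy.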

Conditional Access vs Security Defaults

Security Defaults:

  • A fixed bundle of settings Microsoft switches on for new tenants
  • Requires every user to register for MFA, requires MFA for admins and for risky sign-ins, blocks legacy authentication and protects privileged Azure actions
  • Good baseline, no customisation (no exclusions, no per-app or per-location rules)
  • Free with any Entra ID (formerly Azure AD) tenant
Conditional Access:
  • Granular, customisable policies
  • Signal-based decisions
  • Requires Entra ID P1 (formerly Azure AD Premium P1)
  • Part of Microsoft 365 Business Premium, E3, E5
The two are mutually exclusive: Security Defaults must be turned off before Conditional Access policies can be used, so recreate its protections (MFA for everyone, legacy authentication blocked) as your first policies. Most organisations with P1 should use Conditional Access for the flexibility.

Common Mistakes

Too restrictive too fast Aggressive policies break workflows and lock people out. Test thoroughly. Deploy gradually: a pilot group first, then everyone.

Not covering all apps Policies only protect apps they're assigned to. Target "All cloud apps" and carve out the few justified exceptions rather than listing apps to include, or every new app arrives unprotected.

Exceptions that undermine security "Except the CEO because they complained" creates risk, and executives are exactly who attackers target. Exceptions should be rare, justified, time-limited and implemented through a group you can audit.

Not testing Use "Report-only" mode before enforcing. The sign-in log then records what each policy would have done, so you can see who would be blocked before anyone actually is.

Forgetting break-glass accounts Keep at least two cloud-only emergency admin accounts excluded from every policy, secured differently (a long random passphrase or FIDO2 key stored offline, not dependent on the MFA policies they bypass) and alerted on whenever they sign in. Without them, one mistaken policy can lock every administrator out of the tenant.
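
The two checks a practitioner runs before flipping a policy from report-only to enabled, as an added example rather than code from the original article: first, that no live or report-only policy has lost the break-glass exclusion; second, which users and clients the report-only policy would have blocked over the last week. The object ID and the policy name are placeholders (assumptions) for your tenant.

```powershell
# Added example, not from the original article. Pre-enforcement checks for a
# report-only Conditional Access policy. Requires Microsoft.Graph.Identity.SignIns
# and Microsoft.Graph.Reports. Sign-in log retention via Graph is 30 days.
# The object ID and policy name below are placeholders: replace them.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # emergency access account object ID (assumption)
$policyName   = 'CA001 Block legacy authentication'      # report-only policy under review (assumption)

# Check 1: any policy that is not disabled and does NOT exclude break-glass is a
# lockout risk. Fix those before enabling anything.
$notExcluded = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -ne 'disabled' -and $_.Conditions.Users.ExcludeUsers -notcontains $breakGlassId
}
if ($notExcluded) {
    Write-Warning 'Break-glass account is not excluded from these policies:'
    $notExcluded | Select-Object DisplayName, State | Format-Table -AutoSize
}

# Check 2: sign-ins in the last seven days that the report-only policy would have
# failed. The policy result 'reportOnlyFailure' is Microsoft's "would have blocked".
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$wouldFail = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $policyName -and $_.Result -eq 'reportOnlyFailure' }
    if ($hit) {
        [pscustomobject]@{
            User   = $s.UserPrincipalName
            Client = $s.ClientAppUsed      # 'IMAP4', 'POP3', 'Authenticated SMTP' = legacy auth still in use
            App    = $s.AppDisplayName
            IP     = $s.IPAddress
            When   = $s.CreatedDateTime
        }
    }
}

# Who would be broken on day one. Each user/client pair needs migrating to modern
# auth, or a documented exception, before the policy goes live.
$wouldFail | Group-Object User, Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

By default this query returns interactive user sign-ins; review the non-interactive and service principal sign-in logs as well before enforcing, since scheduled jobs and scanners that still use basic auth often only appear there.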

What Conditional Access Requires

Licensing:

  • Entra ID P1, formerly Azure AD Premium P1 (included in Business Premium, E3, E5)
  • Some features require Entra ID P2 (Identity Protection risk signals)
Dependencies:
  • Microsoft Entra ID (formerly Azure AD)
  • For device policies: Intune, or a supported third-party compliance partner
  • For risk-based policies: Identity Protection (P2)

What We Configure

Our managed clients get Conditional Access configured properly:

  • MFA for all users (enforced, not just enabled)
  • Block legacy authentication
  • Risk-based policies
  • Location-based controls where appropriate
  • Device compliance integration
  • Monitoring for policy violations
We build Zero Trust using Conditional Access as the foundation.
