
Your No Nonsense Guide To Conditional Access: Stop Unauthorised Logins Cold
Oct 31

Halloween is great for jump scares, but in your business, the real fright is an attacker slipping into a Microsoft 365 account at 2 am. If you already use MFA, you are on the right track. By adding Conditional Access, you shut the door, bolt it, and fit a peephole. This guide explains what Conditional Access is, how it differs from MFA, the core policies UK SMEs should turn on, safe rollout steps so you do not lock staff out, and sector examples you can copy today. We will also show you how our Microsoft 365 Security Setup, free with a 12-month security package, installs best practice policies without the drama.

First things first: what is Conditional Access?
Conditional Access is the policy engine in Microsoft Entra ID (the identity service behind Microsoft 365) that decides who gets in, from where, on what device, and under what conditions. Think of it as a set of "if this, then that" rules for identity. You define conditions like user, location, device compliance, risk level, or app. You also define controls like requiring MFA, needing a compliant device, blocking access, or granting only limited actions. Every sign-in is evaluated in real time against those rules. In simple terms, you stop trusting logins by default and only grant access when the context looks safe.

MFA vs Conditional Access: what is the difference?
MFA is a check. It verifies that the person has a second factor, like an app prompt or code.
Conditional Access is a gatekeeper. It decides whether to ask for MFA, whether to allow access at all, and which conditions must be met.
You need both. Attackers can get past MFA with push fatigue prompts, token theft, and session hijacking of an already authenticated browser. Conditional Access counters this by blocking risky locations, blocking legacy authentication protocols that cannot perform MFA at all, requiring compliant devices, and limiting what a session can do even after a successful sign-in.
If you already use MFA, you still need Conditional Access to control the circumstances around the login and reduce the chance of a phished or replayed session doing damage.

Common policies that stop attacks fast
Here are the baseline policies we implement for SMEs to cut noise and risk quickly.
Block legacy authentication. Clients using basic authentication over protocols such as IMAP, POP and SMTP AUTH cannot do modern MFA, so a stolen or sprayed password is enough. Blocking them removes a favourite attacker route.
Enforce MFA on risky sign-ins. Use Microsoft's sign-in risk and user risk detections. If risk is medium or higher, require step-up verification or block until reviewed. Note that risk-based policies need Microsoft Entra ID P2 (Identity Protection) licensing; on P1 you can still build the other policies in this list.
Require compliant devices for sensitive apps. Only let devices that meet your Intune compliance baseline access Exchange Online, SharePoint, Teams, and admin portals.
Restrict by location. Define named locations for the UK and your known office IP ranges, then challenge or block access from countries where you have no staff or clients. Treat this as a noise filter rather than a hard barrier: a determined attacker can rent a UK VPN or residential proxy, so location controls should sit alongside MFA and device compliance, not replace them.
Separate admin access. Admin roles must use privileged access policies; require MFA, compliant device, and session controls. Never allow admin login from personal or unknown devices.
Session controls for browser access. Apply continuous access evaluation, sign-in frequency, and persistent browser session settings to limit token abuse.
Break glass account. Keep one emergency cloud-only account with a strong, vaulted password, excluded from all Conditional Access policies, monitored with alerts on every sign-in, and used for recovery only.
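The three policies below are the first of these baselines as Microsoft Graph PowerShell, created in Report-only mode with the break glass group excluded. This is an added example written for this article, not Microsoft's code or a verbatim copy of any tenant; it assumes the Microsoft.Graph module is installed, that a security group named CA-Exclusions-BreakGlass already contains your emergency account (the group name is an assumption), and that the caller holds the Conditional Access Administrator role. The policy names, the four-hour sign-in frequency and the Global Administrator role template ID are assumptions or well-known values, not taken from the original text.

```powershell
# Added example (not part of the original article): create baseline Conditional Access
# policies in Report-only mode via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed, a pre-existing group 'CA-Exclusions-BreakGlass'
# holding the emergency account (name is an assumption), and Conditional Access Administrator.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

# Every policy excludes this group so the emergency account can never be locked out.
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclusions-BreakGlass'"
if (-not $breakGlassGroup) { throw 'Create and populate the break glass exclusion group first.' }

# Report-only: evaluated and logged, never enforced. Flip to 'enabled' after reviewing logs.
$reportOnly = 'enabledForReportingButNotEnforced'

# 1. Block legacy authentication. 'exchangeActiveSync' and 'other' are the client app
#    types Entra uses for basic-auth clients (IMAP, POP, SMTP AUTH, EAS, older Office).
$blockLegacy = @{
    displayName   = 'CA001 - Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 2. Require MFA for every user on every cloud app.
$requireMfa = @{
    displayName   = 'CA002 - Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Admin roles: MFA AND an Intune-compliant device, re-authenticate every 4 hours,
#    and never keep a persistent browser session. The GUID is the well-known
#    Global Administrator role template ID (tenant-independent).
$adminPolicy = @{
    displayName     = 'CA003 - Admins require MFA and compliant device'
    state           = $reportOnly
    conditions      = @{
        users          = @{
            includeRoles  = @('62e90394-69f5-4237-9190-012177145e10')
            excludeGroups = @($breakGlassGroup.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 4 }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

foreach ($policy in @($blockLegacy, $requireMfa, $adminPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ('Created {0} [{1}] state={2}' -f $created.DisplayName, $created.Id, $created.State)
}
```

The exclusion group rather than a direct user exclusion is deliberate: membership can be reviewed in one place, and the same group carries any other temporary exceptions you add later. Keep every policy on `enabledForReportingButNotEnforced` until you have read the sign-in logs for at least a week.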
Practical examples for your sector
Legal firms
Only allow case data in SharePoint from compliant, encrypted laptops. Block downloads on unmanaged devices, but allow web previews so counsel can review documents when travelling. Require MFA plus location checks before anyone accesses client files or eDiscovery.
Healthcare clinics
Require compliant devices and up-to-date AV to access patient records in OneDrive and Teams. Block access from outside the UK, and set short sign-in frequency for browser sessions so tokens expire quickly on shared workstations.
Distribution and wholesale
Permit warehouse handhelds that are enrolled and compliant to access Teams and line of business apps. Block sign-ins from anonymous IPs and TOR. Allow finance to access Business Central from the office and trusted home networks only, with MFA enforced on every new device.
How to enable Conditional Access safely
The goal is to raise the drawbridge without trapping your own team on the wrong side.
Prepare
Inventory users, groups, apps, MFA status, and legacy protocol usage.
Set up Intune compliance policies for Windows and mobile, including encryption, OS version, password policy, and antivirus.
Create a monitored break glass account with a 24-character random password stored in a vault.
Start with report only
In the Microsoft Entra admin centre, go to Protection, then Conditional Access (in the older Azure portal blade this sits under Security, Conditional Access).
Create policies in Report only mode. Examples: block legacy auth; require MFA for all users; require compliant device for Exchange Online and SharePoint.
Let these run for at least 7 days to capture real usage. Review sign-in logs and the What If tool for impact.
Exclude smartly
Create security groups for exceptions, like service accounts or specific devices that cannot be enrolled yet.
Exclude the break glass account from all policies.
For staged rollouts, target pilot groups first, then expand.
Flip to enforce in phases
Start with Block legacy authentication, then Require MFA for all users, then Require compliant device for core apps.
Keep high-risk location blocks in Report only for a few days while you communicate with travelling staff and suppliers.
Enable sign-in frequency and session controls after staff have re-authenticated with MFA.
Communicate and support
Send short guides with screenshots for the Microsoft Authenticator setup and device compliance steps.
Provide a one-page FAQ on common prompts, what to do if a login is blocked, and how to contact support.
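To close the loop on the Report-only review and the first enforcement phase, the following added example (written for this article, not part of the original or Microsoft's own tooling) pulls seven days of sign-in logs, lists who is still using legacy authentication, shows which users each Report-only policy would have blocked or challenged, and then switches the legacy auth policy to enforced. It assumes the Microsoft.Graph module is installed, the AuditLog.Read.All permission, and a policy named 'CA001 - Block legacy authentication'; the policy name and seven-day window are assumptions.

```powershell
# Added example (not part of the original article): review Report-only impact and
# remaining legacy authentication, then enforce one policy by display name.
# Assumes: Microsoft.Graph module installed; a policy named 'CA001 - Block legacy
# authentication' exists (name is an assumption).
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All',
                        'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Values Entra reports in 'Client app' for legacy (basic) authentication. Modern clients
# show as 'Browser' or 'Mobile Apps and Desktop clients' and are not in this list.
$legacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3', 'Reporting Web Services',
    'Other clients'
)

Write-Host "`nLegacy authentication still in use (fix these before enforcing CA001):"
$signIns |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Report-only outcome per policy. 'reportOnlyFailure' means the user would have been
# blocked or prompted had the policy been enforced; that is the list to work through.
Write-Host "`nReport-only failures by policy and user:"
$signIns |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Result -eq 'reportOnlyFailure' } |
            ForEach-Object { [pscustomobject]@{ Policy = $_.DisplayName; User = $upn } }
    } |
    Group-Object Policy, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Phase 1 of the staged rollout: once the two lists above are clean, enforce the
# legacy auth block. Run again for CA002 and CA003 in later phases.
function Enable-CaPolicy {
    param([Parameter(Mandatory)][string]$DisplayName)
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$DisplayName'"
    if (-not $policy) { throw "Policy '$DisplayName' not found" }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ state = 'enabled' }
    Write-Host "Enforced: $DisplayName"
}

Enable-CaPolicy -DisplayName 'CA001 - Block legacy authentication'
```

Run the two reports daily during the Report-only week; a user who appears under IMAP4 or POP3 is typically a shared mailbox polled by a scanner or an old mail client, and each one needs a modern authentication replacement agreed before the block is enforced.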
Testing tips to avoid lockouts
Use the What If tool for each policy to simulate user, location, device state, and app.
Test on a clean browser and a new device to catch first sign-in behaviour.
Verify mobile and desktop clients, especially Outlook and Teams.
Check service accounts, scanners and multifunction printers. Move them to modern authentication (OAuth-based connectors, Graph API, or SMTP AUTH with OAuth) where possible. App passwords are not a fix here: they only work with legacy authentication, so a legacy auth block stops them too.
Keep a second admin session open in a separate browser during go live so you can revert a policy quickly, confirm the break glass account can still sign in before you enforce, and monitor sign-in logs in real time.
A lightweight rollout checklist
Break glass account created, tested, and monitored.
Users registered for MFA, backup phone, and app notifications.
Intune compliance policies published and devices enrolled.
Legacy authentication usage audited and replacement paths agreed.
Conditional Access policies built in Report only, logs reviewed.
Pilot group tested; comms pack sent to staff.
Policies enforced in stages; monitoring active.
Quarterly review of risky sign-ins, failed sign-ins, and exclusions.
What is an example of a Conditional Access system?
Microsoft Entra ID Conditional Access is the most common example for SMEs on Microsoft 365. It evaluates sign-in risk, device compliance from Intune, user and group, application, and location. Based on your policy, it grants, challenges with MFA, limits session behaviour, or blocks. Other vendors offer similar concepts, but if you use Microsoft 365, Entra ID Conditional Access is the native, integrated choice.

Why you still need Conditional Access when you have MFA
MFA does not stop legacy protocols that ignore it. Blocking legacy auth does.
MFA does not know if the device is encrypted or riddled with malware. Device compliance checks do.
MFA does not assess sign-in risk from a known bad IP or impossible travel. Conditional Access risk signals do.
MFA does not limit what a session can do once issued. Session controls and sign-in frequency do.
Together, they create layered defences that reduce successful phishing, token replay, and credential stuffing.
How our team makes this painless
Our Microsoft 365 Security Setup, free when you take a qualifying 12-month security package, includes a full Conditional Access build.
We audit your tenant, enable best practice policies, configure Intune compliance, block legacy auth, set location controls, and stage the rollout so your team stays productive.
You get clear guides, a monitored break glass account, and monthly reviews to tune policies as your business changes.
If you want a broader view of your security posture, our Cyber Security services include quick wins and prioritised actions tailored to SMEs.
We combine plain English advice with practical configuration, so you see measurable risk reduction without disruption.
We also provide ongoing support that blends everyday IT help with proactive protection. If you are comparing providers, our IT services and support page explains how we keep systems stable while tightening security controls.
If you are focused on prevention first, learn how our managed cyber security approach brings continuous monitoring, MFA, backup integrity, and user training together.