If you could only change one thing in your Microsoft 365 security configuration, it should be Conditional Access. No other single feature has a comparable impact on your organization's security posture. Yet in our audits, we consistently find that most SMEs either have no Conditional Access policies, or have policies so broadly configured that they provide minimal protection.
What Conditional Access Does
Conditional Access is Microsoft's policy engine for access decisions. It evaluates signals — who is requesting access, from where, on what device, at what risk level — and enforces actions: allow, block, or require additional verification.
Think of it as an intelligent gatekeeper that makes real-time decisions for every authentication attempt. Unlike static rules, Conditional Access adapts to context.
The Five Policies Every Organization Needs
1. Require MFA for All Users
This is non-negotiable. Every user, every application, no exceptions. The policy should target all cloud apps and require multi-factor authentication as a grant control. Legacy authentication protocols that cannot support MFA must be blocked entirely — they are the most common bypass vector.
2. Block Access from Untrusted Locations
Define your trusted locations: office IP ranges, VPN endpoints, and countries where your employees actually work. Block sign-in attempts from everywhere else. A German SME with no employees in Southeast Asia should not be accepting authentication attempts from that region.
3. Require Compliant Devices for Desktop Apps
If you manage devices through Intune, require device compliance for access to Exchange Online, SharePoint, and Teams desktop applications. An unpatched, unencrypted personal laptop should not access your corporate data with the same privileges as a managed device.
4. Block High-Risk Sign-Ins
Entra ID Protection assigns risk levels to sign-in attempts based on impossible travel, anonymous IP addresses, password spray detection, and other signals. Configure a policy to block high-risk sign-ins entirely and require MFA for medium-risk sign-ins.
5. Restrict Admin Access
Global admins and privileged role holders need stricter controls: MFA always, compliant device required, access only from trusted locations. Administrative sessions should also enforce sign-in frequency — a 24-hour persistent session for an admin account is too permissive.
Common Configuration Mistakes
Excluding break-glass accounts improperly. You need emergency access accounts that bypass Conditional Access, but they must be monitored, have no standing permissions, and have their credentials stored securely offline. We regularly find break-glass accounts with Global Admin rights and no monitoring.
Using "report-only" mode indefinitely. Report-only mode is for testing. We see organizations that deployed policies in report-only mode months ago and never switched them to enforcement. The policies are logging data but blocking nothing.
Not covering all cloud apps. A policy that requires MFA for Exchange Online but not SharePoint Online creates a gap. Attackers will target the unprotected application. Always target "All cloud apps" unless you have a specific, documented reason to exclude something.
Ignoring guest and external users. Conditional Access policies that target "All users" include guests by default in Entra ID — but some organizations create policies targeting specific groups, inadvertently excluding external collaborators who may have access to sensitive data.
Measuring Effectiveness
After deploying Conditional Access, check the sign-in logs. You want to see:
- Zero successful legacy authentication attempts
- MFA completion rates above 95%
- Blocked sign-in attempts from unexpected locations
- No successful high-risk sign-ins
These metrics tell you whether your policies are actually working or just exist on paper.
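As an added example, not code from the original article, the following Python computes the four checks above over a constructed sample of Entra ID sign-in records shaped like the Microsoft Graph signIn resource. The expected countries, the modern-client list used to spot legacy authentication and the 95% threshold are assumptions called out in the comments.

```python
# Computes the article's four effectiveness metrics from Entra ID sign-in records.
# Field names follow the Microsoft Graph "signIn" resource; all records are constructed.
# clientAppUsed values that mean modern auth; anything else (IMAP4, POP3,
# Authenticated SMTP, ...) counts as legacy auth, as the Entra portal's filter does.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
EXPECTED_COUNTRIES = {"DE", "AT"}   # assumed: countries in your named locations
MFA_TARGET = 0.95                   # threshold from the article

def rec(upn, client, auth, risk, error_code, country):
    """Build one sign-in record in Graph signIn shape (constructed sample)."""
    return {"userPrincipalName": upn, "clientAppUsed": client,
            "authenticationRequirement": auth, "riskLevelDuringSignIn": risk,
            "status": {"errorCode": error_code},      # 0 = successful sign-in
            "location": {"countryOrRegion": country}}

SAMPLE_SIGNINS = [
    rec("anna@example.com", "Browser", "multiFactorAuthentication", "none", 0, "DE"),
    rec("ben@example.com", "Mobile Apps and Desktop clients", "multiFactorAuthentication", "none", 0, "DE"),
    rec("carl@example.com", "Browser", "singleFactorAuthentication", "none", 0, "DE"),
    rec("dora@example.com", "IMAP4", "singleFactorAuthentication", "none", 53003, "DE"),  # blocked by CA
    rec("erik@example.com", "Authenticated SMTP", "singleFactorAuthentication", "none", 0, "DE"),
    rec("fay@example.com", "Browser", "multiFactorAuthentication", "none", 53003, "VN"),  # blocked by CA
    rec("gus@example.com", "Browser", "singleFactorAuthentication", "high", 0, "DE"),
    rec("hana@example.com", "Browser", "multiFactorAuthentication", "medium", 0, "AT"),
]

def effectiveness_metrics(signins, expected=EXPECTED_COUNTRIES):
    """Return the numbers the article says to look for in the sign-in logs."""
    ok = [s for s in signins if s["status"]["errorCode"] == 0]
    failed = [s for s in signins if s["status"]["errorCode"] != 0]
    mfa_ok = [s for s in ok if s["authenticationRequirement"] == "multiFactorAuthentication"]
    def outside(s):
        return s["location"]["countryOrRegion"] not in expected
    return {
        "successful_legacy_auth": sum(s["clientAppUsed"] not in MODERN_CLIENTS for s in ok),
        "mfa_completion_rate": len(mfa_ok) / len(ok) if ok else 1.0,
        "blocked_unexpected_location": sum(outside(s) for s in failed),
        "successful_unexpected_location": sum(outside(s) for s in ok),
        "successful_high_risk": sum(s["riskLevelDuringSignIn"] == "high" for s in ok),
    }

def findings(m):
    """Map the metrics onto the article's expectations; an empty list means all pass."""
    checks = [
        (m["successful_legacy_auth"] == 0, "legacy authentication still succeeding: block it"),
        (m["mfa_completion_rate"] >= MFA_TARGET, "MFA completion rate below 95%: check app coverage"),
        (m["successful_unexpected_location"] == 0, "successful sign-ins from outside named locations"),
        (m["successful_high_risk"] == 0, "high-risk sign-ins succeeded: risk policy not enforcing"),
    ]
    return [msg for passed, msg in checks if not passed]
```

On the sample, the successful Authenticated SMTP sign-in, the 50% MFA rate and the successful high-risk sign-in each produce a finding, which is exactly the "exists on paper" state the article warns about.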
What a Proper Configuration Looks Like
A well-configured tenant has 8–12 Conditional Access policies covering all user types, all applications, and all risk scenarios. The policies layer — they do not conflict. Emergency access accounts are monitored but excluded. Named locations are current and reviewed quarterly.
Start with an audit to see exactly which policies you have, which you are missing, and which are misconfigured.