Conditional Access – the firewall for Microsoft 365?

Screenshot from Proactive Security Monitoring

🎯I think the firewall analogy as spoken by my CloudWay colleague and security expert Simon Skotheimsvik is spot on.

🆘In this article, I’ll try to clarify some of the basics of Conditional Access (CA), making it easier for you to handle the complexity.

Why CA? At its best, you get a flexible approach to improve security without affecting the end-user experience in common scenarios.

💵Can I use CA? Entra ID P1 or Microsoft 365 Business Premium licenses give access to CA.

🧑🏻‍🏫What are the basics of creating a new policy?

  • Name: Create a naming convention and stick to it. You should see the purpose of the policy and how it operates just by glancing at the name. This is especially important since the CA policies don’t have a description field.
  • Users: Which users or groups does the policy apply to – included or excluded.
  • Target resources: What resources are affected by the policy. Already here it’s starting to get complex. Target resources can be “Cloud apps” (applications like Office 365, the Windows Azure Service Management API, or admin portals like M365 admin center), User actions (e.g. register security information or register or join devices), Global Secure Access (preview), or authentication contexts.
  • Network: Which networks and locations does the policy apply to. Network will replace the Location condition option.
  • Conditions: When the policy comes into effect. Options are User risk (P2 license), Sign-in risk (P2 license), Insider risk, Device platforms, Location, Client apps, Devices, and Authentication flows.
  • Access control:
    • Grant. Block access or Grant access – for the latter you can also add conditions like “Require MFA”. Be extra careful if selecting “Require ONE of the selected controls”.
    • Session. You can block downloads, enable persistent browser sessions and more.
  • Report-only, On, or Off. Start with Report-only. Consider temporarily excluding yourself or a colleague before activating, especially if the policy has User Actions in scope, for which Report-only mode does not work. If you require devices to be compliant as part of the policy, then Mac, iOS, and Android devices should be excluded from the policy while in Report-only mode, as the policy might actually be enforced for that specific condition.
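
The checklist above can be turned into an automated review of exported policies. The following is an added example, not code from the article or from Microsoft: it lints policies in the JSON shape returned by the Microsoft Graph `conditionalAccessPolicy` resource. The naming pattern, the finding names, and the sample policies are assumptions constructed for illustration.

```python
import re

# Hypothetical naming convention (an assumption, not from the article):
# "CA<3 digits>-<Scope>-<Resource>-<Control>", e.g. "CA001-AllUsers-AllApps-RequireMFA".
NAME_RE = re.compile(r"^CA\d{3}-[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$")
REPORT_ONLY = "enabledForReportingButNotEnforced"
MOBILE_AND_MAC = {"macOS", "iOS", "android"}

def lint_policy(policy):
    """Return a list of findings for one conditionalAccessPolicy dict."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    state = policy.get("state")

    if not NAME_RE.match(policy.get("displayName", "")):
        findings.append("name-convention")
    # "Require ONE of the selected controls" is operator OR in Graph.
    if grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("grant-operator-or")
    if state == REPORT_ONLY:
        apps = cond.get("applications") or {}
        # Report-only does not work for policies scoped to user actions.
        if apps.get("includeUserActions"):
            findings.append("report-only-user-action")
        excluded = set((cond.get("platforms") or {}).get("excludePlatforms") or [])
        # Device compliance may be enforced on Mac, iOS and Android in report-only.
        if "compliantDevice" in controls and not MOBILE_AND_MAC <= excluded:
            findings.append("report-only-compliant-device-platforms")
    return findings

# Constructed sample policies (not real tenant data).
SAMPLE_POLICIES = [
    {"displayName": "CA001-AllUsers-AllApps-RequireMFA", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Test policy 2", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["iOS"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]

def lint_all(policies):
    return {p.get("displayName"): lint_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or "ok")
```
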

🪛Pro tip: Use the WhatIf tool in Entra to reduce the need for manual testing.

❕If you have Entra ID P2 licenses, use “User risk” and “Sign-in risk” to benefit from Microsoft’s automatic risk assessments, rather than just location and device platforms (which can be spoofed).

📝Note: CA policies are applied after successful login, so CA is not your tool to prevent, for example, DDoS attacks.

🙂Want a better overview of Conditional Access? Contact me for more information on our Proactive Monitoring Service! As the image shows, you get some useful insights already in the overview of CA in Proactive Monitoring Service.
