Posted by Andrew Ballantyne on 14th September 2022

Optimising Information Security with Conditional Access

The contemporary security perimeter now spreads beyond a company’s network to embrace device and user identity.

Businesses can utilise identity-driven signals as part of their access control decisions. Conditional Access brings these signals together to simplify decision-making and enforce organisational policies.

As a powerful product within the Microsoft 365 suite, Conditional Access helps organisations improve the security of Office 365. 

How Conditional Access Works

Conditional Access is the ability to set policies at a tenant level to review every authentication attempt that comes into your tenant and see if it meets the criteria of that policy. The beauty of Conditional Access is that it is not manually enabled at a user level; it’s at a tenant level so it will always apply.

Conditional Access restricts access to a company’s platforms and data by enforcing standards that have to be met by a device or network before accessing information. At their most basic level, Conditional Access policies are if-then statements. If someone wants to access a resource, then they have to carry out an action. 

For instance, if an HR manager wants to access the HR app, they will have to do multifactor authentication (MFA) to access it.

Conceptual Conditional Access process flow

Source: Microsoft

Keep in mind that Conditional Access policies are applied after the completion of first-factor authentication. These policies aren’t intended to be an organisation's first line of defence for events such as denial-of-service (DoS) attacks. However, Conditional Access can use signals from these scenarios to determine access.

Three Conditional Access Policies You Should Implement in Office 365

We believe these three key policies can be implemented a lot quicker and increase your security massively without excessively impacting users.

1. Require MFA for Admins

Accounts that are assigned administrative rights are often targeted by attackers. Requiring MFA on those accounts is an easy way to decrease the risk of those accounts being compromised.

This policy will ensure that all admin accounts use MFA for Office 365 regardless of where they log in from. Instead of relying on your administrators to manually enable MFA, you can configure a conditional access policy that would ensure every time an admin authenticates or logs in to an account with any administrative role, it would basically ask them to provide a second type of authentication. 

To make sure you aren’t locked out of your own tenant account in the event you don't have your second factor or authentication, we recommend that you create some exceptions in that policy for your break-glass account. So you can use these exceptions to get in if you ever get locked out of your tenant account. However, you need to make sure that break glass accounts have extremely complex passwords in place.

Here is how the policy to require MFA for admins would need to be set up in the Office 365 Portal:

MFA for admins

2. Block Legacy Authentication

Due to the increased risk associated with legacy authentication protocols, we recommend that organisations block authentication requests where possible and enforce the use of modern authentication.

Legacy authentication is allowed in the tenants and blocking it will hugely improve your security posture straight away. According to Microsoft, over 99% of password spray attacks and over 97% of credential stuffing attacks utilise legacy authentication. Statistics also reveal that organisations that do not allow legacy authentication undergo 67% fewer compromises compared to those that have enabled legacy authentication. Those are huge numbers with a fairly small change!

If you do require legacy authentication for some applications, you can use exceptions here as well. For instance, you can block legacy authentication for everything and then go through and allow the accounts you’d still need it to work for or even IP addresses if it’s a server. 

3. Require MFA for Users on Non “Approved” Devices

This policy will require users who are using a non-compliant device to use MFA to authenticate. According to this policy, you can either request MFA or block any non-compliant devices. 

If a device meets your security baseline criteria and is deemed compliant, it will be allowed into your tenant without any MFA. If the device is not compliant because it doesn’t meet the criteria you set out, there are two options. 

  • You can tell the policy to force the user to be multifactor authenticated to make sure it really is them and not some brute force attack. However, only a few organisations opt for it. That’s because if it’s not one of your devices or a compliant device then you may not want it in your tenant at all. 
  • You may also require an Exchange ActiveSync policy for mobile devices. It’s a secure protocol that makes sure that the exchange is using active sync and not some sort of third-party app to interface with the exchange.

That does leave an obvious question: what is a ‘non-compliant device’? This is where the relationship between Conditional Access and Microsoft Intune is really important. Intune allows you to create baseline criteria that devices must meet to be considered an ‘approved device’ (for example, one criterion point you might set is ‘device must be using the latest version of Microsoft’). We will explore this in our upcoming Microsoft Intune blog. What’s important here though, is Intune’s relationship with Conditional Access. When somebody tries to log into your tenant, if you have a policy around ‘approved devices’ in place, Conditional Access will assess the device that’s trying to connect against the criteria enforced in Intune (see the below diagram for basic representation). Action will then be taken depending on whether the device meets that criteria or not.



Description automatically generated



In a conventional on-premises infrastructure, the system admin has full control over user access to corporate resources. When using cloud solutions, access to resources can be carried out both from the corporate network and externally. 

Condition Access is a feature that can be used to allow or deny access to company resources based on user, device, location, and several other factors. It allows you to dramatically increase the security of your resources without complicating user access. By using Conditional Access policies, you can apply the right access controls when needed to keep your organisation secure

Recent Posts

Some of our happy clients...

Drop us a message...