An Introduction to Microsoft 365 Conditional Access

If your business is on Microsoft 365, you may already be aware of the security benefits of the Business Premium Tier. With everything from communications to file sharing and project management running through 365, you want to be as secure as possible.

Business Premium helps you achieve that. One of the standout security features businesses enjoy on this tier is ‘Conditional Access’, a crucial cog in Microsoft’s ‘Zero Trust’ security strategy.

Conditional access solves the problem of protecting sensitive information when your staff are logging in from home, from mobile phones, or while travelling. It lets you set rules that govern who gets into your environment and under what circumstances – providing flexibility to build access policies that work for your business.

We’re going to take a close look at what it is and how it works.

What is Conditional Access?

Conditional Access acts as a decision engine for Microsoft 365 sign-ins. When a user tries to log in, it checks the login against a set of signals – their location, the device being used, and administration credentials, amongst others, which we’ll go into below. A decision is then made as to whether access will be granted, or if extra login steps such as multifactor authentication will be applied.

It’s a bit like having a cyber security guard on the door of your environment. They won’t just let anyone in – if you don’t have the right identification, you’re not allowed in.

How Does Conditional Access Work? (If–Then Statements)

Conditional Access is built on simple if–then logic. If a user attempting to log in meets certain criteria, then access can be granted. The system evaluates conditions and then applies the action you’ve built into your access policy. This gives you the flexibility to apply rules like:

  • If a user signs in from an unmanaged device, then block access.
  • If the login is coming from outside Australia, then require multi-factor authentication.
  • If the account is a global administrator, then require access only from a compliant company laptop.
  • If Microsoft sees the login attempt as risky, it will enforce additional verification requirements.

How you apply these rules helps create a protective barrier that adapts to the unique situation of each login request. Staff trying to log in under normal conditions get a smooth experience, while attackers attempting to gain access from unregistered devices or different locations are going to face hurdles.

Key Components of Conditional Access

What are the core components of conditional access that help it ensure the compliance of a login attempt? There are three: signals, assignments and controls.

Signals

Signals are the information points Conditional Access uses to make its decisions. These can include:

  • User or group membership – whether the person is a standard staff member or a privileged admin.
  • Location – the geographic point of the login.
  • Device state – whether the device is compliant with your security policies.
  • Application – which Microsoft 365 service the person is trying to access.
  • Sign-in risk – Microsoft uses machine learning to assign a risk score to each attempt.

Assignments

Assignments define the scope of a policy. They are the conditions under which a policy applies – the ‘if’ of the ‘if-then’. They let you choose exactly who or what a policy applies to. For example, they could apply to specific users or groups of users (e.g. the finance department).

They also determine which apps are covered. For example, is it a blanket policy covering all apps, or does it only apply to Outlook and SharePoint?

Assignments will also look at what conditions need to be met in terms of location, device and sign-in risk. This precision helps make Conditional Access a very practical option for secure everyday use.

Access Controls

Access controls are the actions that Conditional Access takes. The common ones are:

  • Block access.
  • Grant access with conditions like MFA.
  • Control the session by limiting what the user can do inside the app. This can be used to prevent sensitive file uploads or the downloading of data from SharePoint.
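To see how signals, assignments and controls fit together, here is an added example (not Microsoft's code and not part of the original article) that models the four if–then rules listed earlier as a small Python decision engine. The class, field and policy names are assumptions made for illustration; the combining behaviour it shows is that every matching policy applies, a block always wins, and all grant requirements must be met.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class SignIn:
    """Signals for one sign-in attempt (illustrative model, not the Entra schema)."""
    user: str
    roles: set = field(default_factory=set)
    country: str = "AU"
    device_managed: bool = True
    device_compliant: bool = True
    risk: str = "none"                      # none | low | medium | high

@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]       # assignment: the 'if'
    block: bool = False                     # access control: the 'then'
    require: frozenset = frozenset()        # grant controls that must be met

# The four rules from the article, expressed as policies (names are hypothetical).
POLICIES = [
    Policy("block-unmanaged", lambda s: not s.device_managed, block=True),
    Policy("mfa-outside-au", lambda s: s.country != "AU", require=frozenset({"mfa"})),
    Policy("admin-compliant-device", lambda s: "Global Administrator" in s.roles,
           require=frozenset({"compliant_device"})),
    Policy("risky-sign-in", lambda s: s.risk in ("medium", "high"),
           require=frozenset({"mfa"})),
]

def evaluate(sign_in, satisfied=frozenset(), policies=POLICIES):
    """Return (decision, matched policy names, controls still outstanding)."""
    matched = [p for p in policies if p.applies(sign_in)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):       # a single block overrides every grant
        return "block", names, set()
    required = set().union(*(p.require for p in matched))
    met = set(satisfied)
    if sign_in.device_compliant:            # compliance is a device fact, not a prompt
        met.add("compliant_device")
    missing = required - met
    if "compliant_device" in missing:       # the user cannot fix this at sign-in time
        return "block", names, missing
    return ("challenge" if missing else "grant"), names, missing
```

A sign-in from outside Australia returns `challenge` with `mfa` outstanding, and the same sign-in evaluated again with `satisfied={"mfa"}` returns `grant`.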

Examples of Conditional Access Policies

Let’s look at how the above core components work together to create conditional access policies:

Multi-Factor Authentication Requirements

Your policy could impose multi-factor authentication on all staff trying to sign in from outside the office network. Or you could make a blanket rule that requires MFA for all sign-ins. You have the flexibility to decide your MFA requirement.

Restricted Geographic Access

Australian businesses can block sign-ins from other countries completely if they only operate within our borders. Overseas attackers get instantly blocked in this way. You could also allow limited access to overseas logins, restricting their access to sensitive files.

Device Compliance Rules

Devices used by team members need to be compliant with your security rules if login is to be successful. Personal laptops or old phones might not have up-to-date security features, in which case access can be restricted or blocked.

Benefits of Conditional Access

What are some of the reasons Conditional Access is so important for businesses using Microsoft 365?

Stronger Security

Passwords don’t suffice anymore – they simply aren’t enough of a barrier to hackers. Conditional Access policies force them to prove their identity in ways they can’t easily bypass.

Support for Compliance

Different industries have different rules about data access and audit trails. Conditional Access helps you meet these requirements by creating enforceable and logged rules. It helps show you take security seriously.

Monitoring and Insight

Every decision Conditional Access makes is logged. These sign-in reports help you spot unusual patterns, such as repeated login attempts from the same overseas IP address.
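As an added example (not part of the original article), the Python below looks for the pattern just described: repeated failed sign-ins from one overseas IP address within a short window. The sample records are constructed and use field names from the Microsoft Graph sign-in log resource; the function name, the threshold and the ten-minute window are assumptions to tune for your own tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON record per line (documentation IP ranges).
SAMPLE_LOG = """\
{"createdDateTime":"2024-05-01T02:00:05Z","userPrincipalName":"amy@example.com","ipAddress":"203.0.113.7","location":{"countryOrRegion":"RO"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T02:01:10Z","userPrincipalName":"ben@example.com","ipAddress":"203.0.113.7","location":{"countryOrRegion":"RO"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T02:03:40Z","userPrincipalName":"amy@example.com","ipAddress":"203.0.113.7","location":{"countryOrRegion":"RO"},"status":{"errorCode":53003}}
{"createdDateTime":"2024-05-01T02:04:00Z","userPrincipalName":"cat@example.com","ipAddress":"198.51.100.9","location":{"countryOrRegion":"AU"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T02:05:00Z","userPrincipalName":"dan@example.com","ipAddress":"192.0.2.44","location":{"countryOrRegion":"NZ"},"status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T02:06:00Z","userPrincipalName":"amy@example.com","ipAddress":"198.51.100.9","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:30:00Z","userPrincipalName":"ben@example.com","ipAddress":"192.0.2.44","location":{"countryOrRegion":"NZ"},"status":{"errorCode":50126}}
"""

def overseas_repeat_failures(lines, home="AU", threshold=3,
                             window=timedelta(minutes=10)):
    """Flag non-home IPs with at least `threshold` failed sign-ins inside `window`."""
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["status"]["errorCode"] == 0:          # 0 means the sign-in succeeded
            continue
        if rec.get("location", {}).get("countryOrRegion") == home:
            continue
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        failures[rec["ipAddress"]].append((ts, rec["userPrincipalName"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        # Slide over the sorted failures looking for a dense enough burst.
        for i in range(len(events) - threshold + 1):
            burst = [e for e in events[i:] if e[0] - events[i][0] <= window]
            if len(burst) >= threshold:
                flagged[ip] = {"failures": len(burst),
                               "users": sorted({user for _, user in burst})}
                break
    return flagged
```

Run against the sample, only `203.0.113.7` is flagged: the two `192.0.2.44` failures are overseas but hours apart, and the Australian failure is ignored.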

Practical Control for Business Owners

Security often comes at the expense of convenience… but not with Conditional Access. You design your policies according to your business and its requirements. For example, staff don’t need to be forced to do MFA when they log in – you can create a system whereby MFA only applies if something seems suspicious.

Productivity stays high and sensitive data is protected. It’s a win-win.

Contact Smile IT for Help with Conditional Access

If you want to control who accesses your business Microsoft 365 and under what conditions, conditional access is an essential tool. It’s a big reason why many businesses are upgrading to the Business Premium tier, which is something we recommend to all our clients at Smile IT.

Conditional Access gives you stronger protection without unnecessary login frustrations for your staff. Managers get visibility and compliance support, and a vital layer of protection against credential-based attacks is implemented. It’s flexible, straightforward and something that businesses of all sizes can benefit from.

If you’d like to up your security with conditional access, there’s no time like the present. Get in touch with Smile IT and we’ll answer any questions you might have. Our expert tech team are on hand to facilitate your migration to Microsoft 365 or your upgrade to Business Premium if you’re already on the platform. Let’s chat today.

When he’s not writing tech articles or turning IT startups into established and consistent managed service providers, Peter Drummond can be found kitesurfing on the Gold Coast or hanging out with his family!
