Microsoft 365 is the backbone of productivity for hundreds of thousands of UK businesses. From Outlook and Teams to SharePoint and OneDrive, these tools contain your organisation's most sensitive communications, documents, and data. Yet many businesses rely on nothing more than a username and password to protect access to this treasure trove of information. In an era where credential theft, phishing attacks, and account compromise are daily occurrences, this is simply not enough.
Conditional Access is Microsoft's answer to this challenge. It is a powerful policy engine built into Azure Active Directory (now Microsoft Entra ID) that allows you to define precisely who can access your Microsoft 365 environment, from where, on what devices, and under what conditions. Think of it as an intelligent gatekeeper that evaluates every login attempt against a set of rules you define and either grants access, blocks access, or requires additional verification depending on the risk level.
This guide walks you through everything you need to know about setting up Conditional Access policies for your UK business, from the fundamentals through to advanced configurations.
What Is Conditional Access?
Conditional Access policies work on a simple principle: if a certain condition is true, then apply a certain control. For example: if a user is logging in from outside the United Kingdom, then require multi-factor authentication. Or: if a device is not enrolled in Intune, then block access to SharePoint. Or: if a sign-in risk is detected as high, then block access completely.
These policies are evaluated in real time every time someone attempts to access a Microsoft 365 resource. Multiple policies can apply simultaneously, and the most restrictive outcome always wins. This layered approach allows you to create sophisticated access rules that adapt to the context of each login attempt.
Before you can create Conditional Access policies, you need the appropriate Microsoft licensing. Conditional Access is included with Microsoft 365 Business Premium, Microsoft 365 E3/E5, Azure AD Premium P1/P2 (now Microsoft Entra ID P1/P2), and Enterprise Mobility + Security E3/E5. If you are on Microsoft 365 Business Basic or Standard, you will need to upgrade to Business Premium or add Azure AD Premium P1 licences to use Conditional Access. You also need Global Administrator or Conditional Access Administrator privileges in your Microsoft 365 tenant.
The Five Essential Policies Every UK Business Should Implement
While Conditional Access supports virtually unlimited policy combinations, there are five policies that every UK business should implement as a minimum baseline. These policies address the most common attack vectors and provide substantial security improvement with minimal user impact.
Policy 1: Require MFA for All Users
Multi-factor authentication is the single most effective security control you can implement. Microsoft's own research shows that MFA blocks 99.9% of account compromise attacks. Your first Conditional Access policy should require MFA for all users accessing any Microsoft 365 application. To configure this, navigate to the Microsoft Entra admin centre, select Conditional Access under Protection, create a new policy, set the target to all users (excluding your break-glass emergency access account), set the target cloud apps to All cloud apps, and under Grant, select Require multifactor authentication.
Policy 2: Block Legacy Authentication
Legacy authentication protocols such as POP3, IMAP, and SMTP Basic Auth do not support MFA, making them a favourite target for attackers. Even with MFA enforced, if legacy authentication is not blocked, attackers can bypass MFA entirely using these older protocols. Create a policy that targets all users, sets the condition to Client apps with Legacy authentication clients selected, and sets the grant control to Block access. This single policy eliminates one of the most exploited attack vectors in Microsoft 365 environments.
Policy 3: Require Compliant Devices for Sensitive Data
If you use Microsoft Intune for device management, you can create a policy that requires devices to be enrolled and compliant before they can access sensitive applications such as SharePoint and OneDrive. This ensures that company data can only be accessed from devices that meet your security standards — devices with up-to-date antivirus, enabled firewalls, current operating system patches, and disk encryption.
Policy 4: Block Access from High-Risk Locations
While legitimate business travel occurs, the reality is that most UK small businesses operate primarily within the United Kingdom. Creating a policy that requires additional verification — or blocks access entirely — for sign-ins from countries where your business has no operations significantly reduces your attack surface. You can define named locations in the Entra admin centre and use them as conditions in your Conditional Access policies.
Policy 5: Require MFA for Administrative Actions
Administrative accounts — Global Administrators, Exchange Administrators, SharePoint Administrators — have elevated privileges that make them high-value targets. Create a specific policy that targets users in administrative roles and requires MFA plus a compliant device for every sign-in, regardless of location or other factors. Consider also requiring re-authentication every four hours for administrative sessions.
| Policy | Target Users | Target Apps | Conditions | Grant Control |
|---|---|---|---|---|
| Require MFA for All | All users (excl. break-glass) | All cloud apps | None | Require MFA |
| Block Legacy Auth | All users | All cloud apps | Legacy auth clients | Block |
| Compliant Devices | All users | SharePoint, OneDrive | None | Require compliant device |
| Block Risky Locations | All users (excl. break-glass) | All cloud apps | Location: any except UK named location and trusted IPs | Block or require MFA |
| Admin Protection | Admin roles | All cloud apps | None | MFA + compliant device |
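The table above maps directly onto the Microsoft Graph `conditionalAccessPolicy` schema, which is what the Entra admin centre writes behind the scenes. The following is an added example (not Cloudswitched's or Microsoft's code) that builds the five baseline policies as Graph request bodies, every one in Report-Only state and every one excluding the break-glass account, runs a sanity check before anything is submitted, and can push a policy to `POST /identity/conditionalAccess/policies` with a token you obtain separately. The break-glass and UK named-location IDs are constructed placeholders; the Global Administrator role template ID and the SharePoint Online application ID are well-known values that you should still confirm in your own tenant.

```python
"""
Build the five baseline Conditional Access policies as Microsoft Graph
request bodies, check them, and optionally submit them in Report-Only state.
Standard library only. Placeholder IDs are marked as such.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph 'state' value for Report-Only mode

# Well-known IDs; verify both in your tenant before relying on them
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"      # Global Administrator role template
SHAREPOINT_ONLINE_APP = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online (also fronts OneDrive)


def baseline_policies(break_glass_id, uk_location_id, extra_admin_roles=()):
    """Return the five table policies as Graph request bodies.

    break_glass_id    object ID of the emergency-access account (always excluded)
    uk_location_id    ID of a named location covering the UK, created beforehand
    extra_admin_roles further role template IDs to protect, e.g. Exchange/SharePoint Administrator
    """
    def everyone():  # fresh dict each time so policies never share mutable state
        return {"includeUsers": ["All"], "excludeUsers": [break_glass_id]}

    all_apps = {"includeApplications": ["All"]}
    return [
        {"displayName": "CA01 - Require MFA for all users", "state": REPORT_ONLY,
         "conditions": {"users": everyone(), "applications": all_apps},
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
        {"displayName": "CA02 - Block legacy authentication", "state": REPORT_ONLY,
         "conditions": {"users": everyone(), "applications": all_apps,
                        # "other" is the client type for Basic-auth protocols such as POP3, IMAP and SMTP AUTH
                        "clientAppTypes": ["exchangeActiveSync", "other"]},
         "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
        {"displayName": "CA03 - Require compliant device for SharePoint and OneDrive", "state": REPORT_ONLY,
         "conditions": {"users": everyone(), "applications": {"includeApplications": [SHAREPOINT_ONLINE_APP]}},
         "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
        {"displayName": "CA04 - Block sign-ins outside the UK and trusted locations", "state": REPORT_ONLY,
         "conditions": {"users": everyone(), "applications": all_apps,
                        "locations": {"includeLocations": ["All"],
                                      "excludeLocations": ["AllTrusted", uk_location_id]}},
         "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
        {"displayName": "CA05 - Admins: MFA plus compliant device, re-authenticate every 4 hours",
         "state": REPORT_ONLY,
         "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE, *extra_admin_roles],
                                  "excludeUsers": [break_glass_id]},
                        "applications": all_apps},
         "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
         "sessionControls": {"signInFrequency": {"value": 4, "type": "hours", "isEnabled": True}}},
    ]


def check_baseline(policies, break_glass_id):
    """Return a list of problems; an empty list means the set is safe to submit."""
    problems = []
    for p in policies:
        name, users, conds = p["displayName"], p["conditions"]["users"], p["conditions"]
        if p["state"] != REPORT_ONLY:
            problems.append(f"{name}: not in Report-Only mode")
        if break_glass_id not in users.get("excludeUsers", []):
            problems.append(f"{name}: break-glass account not excluded")
        if ("block" in p["grantControls"]["builtInControls"] and users.get("includeUsers") == ["All"]
                and not conds.get("clientAppTypes") and not conds.get("locations")):
            problems.append(f"{name}: would block every user unconditionally")
    return problems


def create_policy(access_token, policy):
    """POST one policy body to Graph. The caller supplies a token carrying Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder IDs; replace with the values from your own tenant
    bg_id = "00000000-0000-0000-0000-000000001111"
    uk_loc = "00000000-0000-0000-0000-000000002222"
    policies = baseline_policies(bg_id, uk_loc)
    print("\n".join(check_baseline(policies, bg_id)) or "baseline OK - ready to submit in Report-Only")
```

Run `check_baseline` before every submission and again after any manual edit in the portal: the two conditions it enforces (Report-Only first, break-glass excluded) are exactly the two mistakes that lock administrators out. Switching a policy to `"state": "enabled"` is a deliberate second step after the review period described below.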
Step-by-Step Implementation Guide
Implementing Conditional Access policies should be done carefully and methodically. A misconfigured policy can lock users out of their accounts or, worse, lock you out of your own admin portal. Follow this process to implement safely.
Create a Break-Glass Account
Before creating any Conditional Access policies, ensure you have a break-glass (emergency access) account. This is a Global Administrator account that is excluded from all Conditional Access policies. It should use a very long, complex password stored securely (such as in a physical safe), should not have MFA configured, and should be monitored for any sign-in activity. This account exists solely as a recovery mechanism in case a misconfigured policy locks all administrators out of the tenant.
Use Report-Only Mode First
Every Conditional Access policy should be deployed in Report-Only mode before being enforced. In this mode, the policy evaluates every sign-in and logs what would have happened if the policy were active, but does not actually block or challenge anyone. Leave policies in Report-Only mode for at least one week, then review the sign-in logs in the Entra admin centre to understand the impact. Look for legitimate users or scenarios that would be blocked, and adjust your policies accordingly before switching to On.
Best Practices
- Always create a break-glass account first
- Deploy in Report-Only mode before enforcing
- Start with the least disruptive policies
- Communicate changes to staff in advance
- Exclude service accounts where appropriate
- Monitor sign-in logs after each change
- Document all policies and their purpose
- Review and update policies quarterly
Common Mistakes
- No break-glass account (risking lockout)
- Enforcing policies without testing
- Blocking legacy auth before migrating apps
- Not communicating changes to users
- Forgetting about service accounts and apps
- Creating too many overlapping policies
- Not monitoring policy impact after deployment
- Setting policies and never reviewing them
Advanced Conditional Access Scenarios
Once you have the five essential policies in place, you can explore more advanced scenarios that further tighten your security posture.
Risk-Based Conditional Access
If you have Azure AD Premium P2 licences, you can leverage Microsoft's Identity Protection to create risk-based policies. These policies evaluate the risk level of each sign-in in real time — considering factors such as unfamiliar locations, impossible travel, malware-linked IP addresses, and leaked credentials — and automatically respond. A medium-risk sign-in might trigger MFA, whilst a high-risk sign-in is blocked entirely and the user is required to reset their password.
Session Controls
Conditional Access can also control what happens during a session, not just at the point of sign-in. You can limit the session duration, prevent users from downloading files when accessing from unmanaged devices, and integrate with Microsoft Defender for Cloud Apps to provide real-time monitoring of user activity within Microsoft 365 applications.
Terms of Use
You can require users to accept a Terms of Use document before accessing Microsoft 365 resources. This is particularly useful for GDPR compliance, contractor access, and BYOD scenarios where you need documented acknowledgement that users understand their responsibilities regarding company data.
Conditional Access and UK Compliance
For UK businesses, Conditional Access policies directly support compliance with several regulatory frameworks. Under UK GDPR, Article 32 requires appropriate technical measures to ensure the security of personal data processing. Conditional Access demonstrates that you have implemented granular access controls and authentication requirements. The ICO has specifically cited multi-factor authentication and access controls as expected security measures in its enforcement guidance.
For Cyber Essentials certification, Conditional Access supports the access control and secure configuration requirements. Being able to demonstrate that you enforce MFA, block legacy protocols, and require device compliance puts you in a strong position for certification.
Monitoring and Troubleshooting
After deploying Conditional Access policies, ongoing monitoring is essential. The Entra admin centre provides detailed sign-in logs that show which policies were applied to each sign-in attempt, whether access was granted or blocked, and why. Use these logs to identify issues, spot patterns, and continuously refine your policies.
Common troubleshooting scenarios include users unable to sign in from legitimate locations (adjust your named locations), applications failing to authenticate because they use legacy protocols (investigate and update the application or create an exception), and service accounts being blocked (exclude them from relevant policies with compensating controls).
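The Report-Only review described earlier and the troubleshooting scenarios just listed both come down to reading the sign-in log's `appliedConditionalAccessPolicies` field, where a result of `reportOnlyFailure` means the policy would have blocked the sign-in and `reportOnlyInterrupted` means it would have required MFA. The following added example (not the article's own tooling) takes sign-in records in the shape returned by Graph `GET /auditLogs/signIns`, lists who each Report-Only policy would have affected, suggests which of the three troubleshooting actions applies, and flags any use of the break-glass account. The sign-in records are constructed sample data; the policy names and user names are invented.

```python
"""
Review Report-Only Conditional Access results and break-glass usage from
Entra sign-in log records (Graph /auditLogs/signIns shape).
All records below are constructed sample data, not real tenant output.
"""
from collections import defaultdict

# Client names as they appear in the sign-in log's clientAppUsed field
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
                  "Exchange Web Services", "Other clients"}
HOME_COUNTRY = "GB"


def _record(upn, app, client, country, applied):
    """Build one sign-in record; 'applied' is a list of (policy name, result) pairs."""
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "location": {"countryOrRegion": country},
            "appliedConditionalAccessPolicies": [{"displayName": n, "result": r} for n, r in applied]}


SAMPLE_SIGNINS = [  # constructed sample data
    _record("alice@example.co.uk", "Office 365 SharePoint Online", "Browser", "GB",
            [("CA01 Require MFA", "reportOnlySuccess"), ("CA04 Block outside UK", "reportOnlyNotApplied")]),
    _record("scanner@example.co.uk", "Office 365 Exchange Online", "IMAP4", "GB",
            [("CA02 Block legacy auth", "reportOnlyFailure")]),
    _record("bob@example.co.uk", "Microsoft Teams", "Mobile Apps and Desktop clients", "DE",
            [("CA04 Block outside UK", "reportOnlyFailure"), ("CA01 Require MFA", "reportOnlyInterrupted")]),
    _record("breakglass@example.co.uk", "Azure Portal", "Browser", "GB", []),
]


def report_only_impact(signins):
    """Map policy name -> {'blocked': [...], 'challenged': [...]} of affected sign-in records."""
    impact = defaultdict(lambda: {"blocked": [], "challenged": []})
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["result"] == "reportOnlyFailure":        # policy would have denied access
                impact[p["displayName"]]["blocked"].append(s)
            elif p["result"] == "reportOnlyInterrupted":  # policy would have demanded MFA
                impact[p["displayName"]]["challenged"].append(s)
    return dict(impact)


def likely_cause(signin):
    """Pick the troubleshooting action from the article for a would-be-blocked sign-in."""
    client = signin.get("clientAppUsed", "")
    country = signin.get("location", {}).get("countryOrRegion")
    if client in LEGACY_CLIENTS:
        return "legacy protocol: update the application or add an exception before enforcing"
    if country and country != HOME_COUNTRY:
        return "foreign location: confirm travel is legitimate or adjust named locations"
    return "investigate: check device compliance and user/service account exclusions"


def break_glass_activity(signins, break_glass_upn):
    """Any sign-in by the emergency account needs investigating; normally this list is empty."""
    return [s for s in signins if s["userPrincipalName"].lower() == break_glass_upn.lower()]


def summarise(signins, break_glass_upn):
    """Produce one review line per affected sign-in plus an alert per break-glass use."""
    lines = []
    for policy, buckets in sorted(report_only_impact(signins).items()):
        for s in buckets["blocked"]:
            lines.append(f"BLOCK  {policy}: {s['userPrincipalName']} via {s['clientAppUsed']} -> {likely_cause(s)}")
        for s in buckets["challenged"]:
            lines.append(f"MFA    {policy}: {s['userPrincipalName']} would be prompted")
    for s in break_glass_activity(signins, break_glass_upn):
        lines.append(f"ALERT  break-glass account used: {s['userPrincipalName']} "
                     f"from {s['location']['countryOrRegion']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(SAMPLE_SIGNINS, "breakglass@example.co.uk")))
```

In practice you would feed this a week of exported sign-ins rather than four constructed records; the `BLOCK` lines are the list of exceptions and app migrations to resolve before switching a policy from Report-Only to On, and any `ALERT` line should be treated as an incident regardless of what the policies say.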
Need Help Configuring Conditional Access?
Cloudswitched helps UK businesses implement and manage Conditional Access policies in Microsoft 365. Our certified Microsoft engineers ensure your policies are configured correctly, tested thoroughly, and aligned with your security requirements and compliance obligations. Get in touch for a free Microsoft 365 security review.
Key Takeaways
Conditional Access is one of the most powerful security features available to UK businesses using Microsoft 365, and it is included at no additional cost with Business Premium and Enterprise licences. By implementing the five essential policies described in this guide — requiring MFA for all users, blocking legacy authentication, requiring compliant devices, restricting risky locations, and protecting admin accounts — you dramatically reduce your attack surface and bring your security posture in line with UK regulatory expectations. Start with Report-Only mode, test thoroughly, and enforce methodically. The investment of time pays dividends in protection.