In today's threat landscape, a username and password alone are no longer sufficient to protect your organization.
Microsoft Entra ID Conditional Access is one of the most powerful tools available in Microsoft 365, acting as a policy engine that evaluates every sign-in attempt and enforces the right controls based on user, device, location, and risk.
Think of Conditional Access as your organization's Zero Trust enforcement layer. It does not just ask who you are, it asks where you are, what device you are using, and whether your behavior looks suspicious before granting access.
Licensing Requirement: Conditional Access requires Entra ID P1, which is included in Microsoft 365 Business Premium and Microsoft 365 E3/E5. For risk-based policies (covered in the Extra Credit section), Entra ID P2 is required, available through the Microsoft Defender suite or as a standalone add-on.
Every user in your organization should be required to complete multi-factor authentication (MFA) when signing in. This single policy alone blocks the overwhelming majority of credential-based attacks. No exceptions, every user, every time.
Administrator accounts are the highest-value targets in any Microsoft 365 environment. A dedicated policy targeting all administrative roles ensures that even if an admin account credential is compromised, an attacker cannot gain elevated access without the second factor.
Legacy authentication protocols (such as SMTP, IMAP, POP3, and older Office clients) do not support modern MFA, making them a common attack vector. Blocking legacy authentication is one of the highest-impact, lowest-effort policies you can implement. Microsoft reports that over 97% of credential stuffing attacks use legacy authentication protocols.
Access to the Azure Portal, Azure CLI, and Azure PowerShell should always require MFA. Azure management access gives users the ability to spin up resources, modify infrastructure, and access sensitive data, making it a critical surface to protect.
Device enrollment is the gateway to your managed environment. Requiring MFA for Entra ID device registration and join operations prevents attackers from enrolling rogue devices into your tenant, even if they have a valid set of credentials.
Standard MFA (SMS, authenticator app push notifications) can still be bypassed via MFA fatigue attacks or real-time phishing proxies. For administrative accounts, enforce phishing-resistant MFA, specifically FIDO2 Passkeys or Windows Hello for Business, to eliminate this risk entirely.
Requiring MFA for Microsoft Intune enrollment ensures that only authenticated, legitimate users can bring devices under management. This closes a potential gap where attackers could attempt to enroll devices to bypass compliance policies.
Privileged users, such as Global Admins, Security Admins, and other high-value roles, should have persistent browser sessions disabled and sign-in frequency enforced. This ensures that an unattended or compromised browser session cannot be reused by an attacker after the initial authentication window expires.
Requiring a compliant or Hybrid Entra ID Joined device for access to corporate resources ensures that only devices meeting your organization's security baseline can reach sensitive applications and data. This is a cornerstone of a Zero Trust device posture and works hand-in-hand with Intune compliance policies.
The device code flow is a legitimate OAuth authentication method designed for devices without browsers (like smart TVs or loT devices), but it is frequently abused in Business Email Compromise (BEC) and phishing campaigns. Unless you have a specific business need, this flow should be blocked for all users.
License Requirement: These policies required Entra ID P2, which we recommend purchasing through the Microsoft Defender for Business suite or as part of Microsoft 365 E5. Entra ID P2 unlocks Identity Protection, Microsoft's AI-powered risk detection engine.
WhenMicrosoft's Identity Protection detects that a user account has been compromised, based on leaked credentials, anomalous behavior, or threat intelligence, that account is assigned a risk level. this policy automatically blocks sign-in and forces a password reset for any user flagged at medium or high risk, containing the damage before it spreads.
Even if a user account itself is not flagged, an individual sign-in attempt can be evaluated for risk in real time, detecting things like impossible travel, anonymous IP addresses, malware-linked IPs, and atypical sign-in properties. This policy blocks suspicious sign-in sessions before access is granted, regardless of whether MFA was completed.
Implementing these policies does not have to happen all at once. A recommended approach:
Need help designing and deploying your Conditional Access framework? The Sourcepass Center of Excellence for Microsoft (MCOE) specializes in security architecture, Entra ID configuration, and Zero-Trust deployments. Reach out to learn how we can help your organization build a modern, resilient security posture.