Guide

What Is Conditional Access? A Plain-English Explanation

Conditional Access is the Microsoft 365 security feature that evaluates every sign-in attempt against rules you define — who the user is, what device they're on, where they're signing in from, and how risky the attempt looks — and then allows, blocks, or challenges it with MFA. Think of it as a bouncer that checks ID at every door, every time, instead of a fence around the building. It's included in Entra ID P1, which comes with Microsoft 365 Business Premium.

The short version
  • Evaluates identity + device compliance + location + risk signal on every single sign-in
  • The essential baseline: require MFA for all users, block legacy authentication, require compliant devices
  • Replaces the VPN-era assumption that "on the network" means "trusted"
  • The most common failure: exception groups that quietly swallow the policy
  • Free "security defaults" provide a starting point; Conditional Access is the grown-up version
Going deeper

Most tenants we audit have Conditional Access misconfigured in at least one dangerous way — usually exclusions added during a rollout and never removed. The full article covers the seven policies every 15–250 user organization should run, in what order to deploy them, and how to test without locking yourself out.

Prefer answers about your environment specifically?

Reading is good. A 30-minute session with an engineer who can see your actual tenant is better.

Schedule a Microsoft 365 Strategy Session