BG Beter Geregeld ICT
Microsoft 365 & Entra ID · 2 min read · 04 October 2025

Conditional Access for SMBs: what, when, how?

Conditional Access is the "if this, then that" of M365 security. Sounds complex — in practice it's 5 policies that cover 80% of your risks. Here's the minimum set.

Conditional Access (CA) lets you create policies like "require MFA when X". It sounds like an enterprise thing, but the minimum set is very manageable for SMBs.

5 policies you want in place

  1. Block legacy authentication. Legacy protocols (basic authentication for IMAP, POP3, SMTP AUTH, Exchange ActiveSync and older Office clients) cannot complete an MFA challenge, so a password alone gets an attacker in; it is the path password-spraying tools try first. Check the sign-in log for legacy-auth traffic, then block it entirely.
  2. Require MFA for all users, for all cloud apps. The baseline policy.
  3. Require MFA for privileged roles, with stricter controls: no persistent browser sessions, a short sign-in frequency, and preferably phishing-resistant methods (FIDO2 keys or passkeys) rather than SMS or app passwords.
  4. Require a compliant device for admin portals. Only company-managed laptops should reach admin.microsoft.com, the Entra admin center or the Azure portal. Make sure Intune compliance policies are in place and your admin devices actually show as compliant before enforcing this, or you lock yourself out.
  5. Block sign-ins from countries you don't operate in. Prefer an allow-list of the countries where your business works over a deny-list of "risky" ones. Low effort and it removes most commodity credential-stuffing noise, but not targeted attacks: an attacker can route through a VPN or residential proxy in your own country, so treat it as a filter, not a guarantee, and have a process for travelling staff.

Licence requirements

Conditional Access requires Microsoft Entra ID P1 (formerly Azure AD Premium P1), which is included in Microsoft 365 Business Premium; Business Basic and Business Standard do not include it. If you only have Business Basic: buy at least P1 licences for the 2–3 privileged accounts. Note that Microsoft's terms require every user a policy applies to to be licensed, so that only legitimately covers admin-scoped policies. Tenants without P1 can at least turn on Security Defaults, which give you policies 1 and 2 for free; Security Defaults must be switched off again before you enable your own CA policies.

Test mode first

Every new policy should start in "Report-only" mode. For a week, the sign-in log shows per policy what would have been blocked, without anything actually going wrong. Review those results and the exclusions you need, and only then switch the policy to "On". One caveat: a report-only policy that requires a compliant device can already prompt users on macOS, iOS and Android to present device state, so warn people before you create policy 4.

Break-glass account

Create at least one account (Microsoft advises two) that CA does NOT apply to: cloud-only (an .onmicrosoft.com account, not synced or federated), Global Administrator, and excluded from every policy. Use a long random password, printed and stored in a safe, and do not enrol it in the normal MFA flow. Set an alert on every sign-in of this account: a sign-in that is not an emergency is an incident. Test it once a quarter. If your CA configuration ever locks you out, this is your lifeline.
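As an added example (not code from the original article or from BG), the following Microsoft Graph PowerShell script creates the five policies above in report-only mode, with the break-glass account excluded from each, and ends with a check that no policy in the tenant forgot that exclusion. The tenant name contoso.onmicrosoft.com, the break-glass UPN, the 12-hour sign-in frequency and the country list NL/BE/DE are assumptions; policy 5 is implemented as an allow-list of business countries (block everything outside them), the stricter form of the geo-block described in the list.

```powershell
# Added example, not from the original article. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account holding the
# Conditional Access Administrator or Global Administrator role.
# Tenant name, break-glass UPN, sign-in frequency and country list are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","User.Read.All"

# Break-glass account: created beforehand, cloud-only, excluded from every policy below.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Create the break-glass account first, then run this script." }

# Global Administrator role template ID (identical in every tenant). Add further
# role template IDs from Get-MgDirectoryRoleTemplate if you want to cover more roles.
$privilegedRoles = @("62e90394-69f5-4237-9190-012177145e10")

# Named location with the countries the business actually operates in (assumption: NL/BE/DE).
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "CA - Allowed countries"
    countriesAndRegions               = @("NL","BE","DE")
    includeUnknownCountriesAndRegions = $false
}

# Every policy starts in report-only mode; set state to "enabled" only after a week of reviewing the sign-in log.
$reportOnly = "enabledForReportingButNotEnforced"
$exclude    = @{ excludeUsers = @($breakGlass.Id) }

$policies = @(
    # 1. Block legacy authentication: Exchange ActiveSync plus "other clients" (IMAP/POP/SMTP AUTH, old Office)
    @{
        displayName   = "CA01 - Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            clientAppTypes = @("exchangeActiveSync","other")
            users          = @{ includeUsers = @("All") } + $exclude
            applications   = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    # 2. Require MFA for all users on all cloud apps
    @{
        displayName   = "CA02 - Require MFA for all users"
        state         = $reportOnly
        conditions    = @{
            clientAppTypes = @("all")
            users          = @{ includeUsers = @("All") } + $exclude
            applications   = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    # 3. Privileged roles: MFA, no persistent browser session, re-authenticate every 12 hours (assumed value)
    @{
        displayName     = "CA03 - Require MFA for privileged roles"
        state           = $reportOnly
        conditions      = @{
            clientAppTypes = @("all")
            users          = @{ includeRoles = $privilegedRoles } + $exclude
            applications   = @{ includeApplications = @("All") }
        }
        grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
        sessionControls = @{
            persistentBrowser = @{ isEnabled = $true; mode = "never" }
            signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 12 }
        }
    },
    # 4. Admin portals only from Intune-compliant devices ("MicrosoftAdminPortals" is a built-in app group)
    @{
        displayName   = "CA04 - Require compliant device for admin portals"
        state         = $reportOnly
        conditions    = @{
            clientAppTypes = @("all")
            users          = @{ includeUsers = @("All") } + $exclude
            applications   = @{ includeApplications = @("MicrosoftAdminPortals") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
    },
    # 5. Block every location except the allowed countries (allow-list rather than deny-list)
    @{
        displayName   = "CA05 - Block sign-ins outside allowed countries"
        state         = $reportOnly
        conditions    = @{
            clientAppTypes = @("all")
            users          = @{ includeUsers = @("All") } + $exclude
            applications   = @{ includeApplications = @("All") }
            locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created '{0}' state={1} id={2}" -f $created.DisplayName, $created.State, $created.Id)
}

# Sanity check: warn about any policy in the tenant that does not exclude the break-glass account.
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id
} | ForEach-Object { Write-Warning "Policy '$($_.DisplayName)' does not exclude the break-glass account" }
```

After the report-only week, switch a policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`, one policy at a time, and keep the break-glass credentials within reach while you do.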

See also: M365 pillar, Deploying MFA.

Topics

#security #m365 #conditional-access

Full guide: Microsoft 365 governance for SMBs, pragmatic rather than perfectionist

This article is part of our comprehensive Microsoft 365 & Entra ID guide. Read the pillar for the full picture.

Read the pillar →