
Microsoft Entra Conditional Access for SMEs: your access control as first line of defence

By Zarioh Digital Solutions, 5 min read

Multi-factor authentication is a good start, but without Conditional Access the context is missing. The policy engine decides who gets access based on device, location, risk score, and user role. Read how to configure five basic rules that stop most attacks — without hindering your employees.

Microsoft Entra Conditional Access is one of the most powerful and simultaneously most underused security features in Microsoft 365. While many SMEs have enabled multi-factor authentication and believe that is sufficient, Conditional Access goes a step further. It is the policy engine that determines whether someone can reach company data, based on the full context of a sign-in attempt: who is it, which device is being used, from which location is the person signing in, and what does Entra's risk model say about that sign-in?

Conditional Access works as an intelligent gateway. An employee signing in from their managed work laptop at the office passes through. The same employee signing in from an unknown device in a country where your organisation has no presence is stopped or asked to complete additional verification. That distinction makes it significantly harder for attackers with stolen credentials to cause damage.

How does Conditional Access work technically?

Conditional Access evaluates every sign-in attempt against policies you configure yourself. Such a policy consists of two parts. The first part is the condition: which situations does the rule apply to? You can filter on user or group, on the application being accessed, on the device platform, on the network connection or named locations, and on the risk level of the sign-in.

The second part is the outcome: what happens when the conditions are met? The possible outcomes are: grant access, block access, or grant access provided additional requirements are met. Those additional requirements can include completing multi-factor authentication, using a device that Intune has assessed as compliant, forcing a password reset upon a high-risk signal, or restricting what the user can do during the session, such as preventing file downloads on an unmanaged device.

Why multi-factor authentication alone is not sufficient

Multi-factor authentication is indispensable, but not a complete shield. An attack type that has grown significantly in recent years is one where an attacker positions themselves between your employee and the Microsoft sign-in page. The employee enters their password and approves the verification prompt, after which the attacker intercepts the valid session data and uses it directly. The result: access without a password or verification code — those were already handled by the unsuspecting user.

Conditional Access can thwart this scenario in multiple ways. A policy that only allows sign-ins from managed and compliant devices for sensitive applications ensures that intercepted session data on the attacker's device is worthless — their device fails the device compliance check. A policy that blocks sign-ins from unrecognised countries cuts off a large part of the attack surface before the attack even begins.

Five basic rules every SME should configure

Rule one: require multi-factor authentication for all users and all applications, without user-level exceptions. This is the foundation. If you are not there yet, start here. Any organisation that still has accounts without MFA is vulnerable to almost every automated attack using stolen passwords. The configuration is in the Microsoft Entra portal under Security, then Conditional Access.

Rule two: protect administrator accounts with a separate, stricter policy. Admin accounts are the most valuable target for attackers. Require phishing-resistant verification via a FIDO2 key or passkey for every admin sign-in, restrict sign-ins to known locations and trusted devices, and enforce mandatory re-authentication at every new session. A compromised admin account can disrupt the entire tenant within minutes.

Rule three: block sign-ins from locations your organisation does not recognise. Define via named locations which countries or IP ranges are considered trusted. Sign-ins from all other locations are blocked or require additional verification. For most Dutch SMEs the list is short: the Netherlands, possibly a few neighbouring countries or regions where employees regularly travel. This single policy keeps a large share of automated attacks out.

Rule four: require a compliant device for access to business applications. Via Intune you manage which devices are considered secure. Conditional Access reads that status and requires a device to be compliant before it can access SharePoint, Exchange, or Teams. Unmanaged personal devices can still work via the browser but are prevented from downloading files. This significantly limits the damage in the event of loss or theft of a personal device.

Rule five: activate risk-based policies via Entra ID Protection. These are automatic policies that respond to anomalies Entra ID detects. A sign-in from a location that is geographically impossible given the previous sign-in, a login attempt with a password that appeared on the dark web, or a series of failed attempts followed by a successful one: these are signals that automatically trigger extra verification or a block. You enable this via Entra ID Protection and Conditional Access handles the enforcement.
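The five rules above, expressed as Microsoft Graph `conditionalAccessPolicy` request bodies, as an added example that is not the article's own code; it also makes concrete the conditions-plus-outcome structure described under "How does Conditional Access work technically?". The named-location id is a placeholder; the Global Administrator role template id and the built-in phishing-resistant authentication strength id are Microsoft's documented values, and the `lint` checks are the article's own two rules (start report-only, no user-level exceptions on rule one).

```python
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph 'state' value for report-only mode
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in 'Phishing-resistant MFA' strength
TRUSTED_COUNTRIES = "<named-location-id>"  # placeholder: id of your countryNamedLocation (e.g. NL)
ALL_USERS = {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}
ALL_APPS = {"includeApplications": ["All"]}

def policy(name, conditions, grant=None, session=None):
    """One conditionalAccessPolicy body: the conditions plus the outcome (grant/session controls)."""
    body = {"displayName": name, "state": REPORT_ONLY,  # every new policy starts in report-only
            "conditions": {"clientAppTypes": ["all"], **conditions}}
    body.update({k: v for k, v in [("grantControls", grant), ("sessionControls", session)] if v})
    return body

def five_basic_rules():
    return [
        # Rule one: MFA for all users and all apps, no user-level exceptions
        policy("CA01 Require MFA for all users and apps",
               {"users": ALL_USERS, "applications": ALL_APPS},
               grant={"operator": "OR", "builtInControls": ["mfa"]}),
        # Rule two: admins need phishing-resistant MFA AND a compliant device, re-auth every session
        policy("CA02 Admins: phishing-resistant MFA on trusted device",
               {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}, "applications": ALL_APPS},
               grant={"operator": "AND", "builtInControls": ["compliantDevice"],
                      "authenticationStrength": {"id": PHISHING_RESISTANT}},
               session={"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}}),
        # Rule three: block every location except the named trusted countries
        policy("CA03 Block sign-ins outside trusted countries",
               {"users": ALL_USERS, "applications": ALL_APPS,
                "locations": {"includeLocations": ["All"], "excludeLocations": [TRUSTED_COUNTRIES]}},
               grant={"operator": "OR", "builtInControls": ["block"]}),
        # Rule four: desktop/mobile clients need an Intune-compliant device for Office 365
        # (browser access from unmanaged devices is limited by a separate app-enforced-restrictions policy)
        policy("CA04 Require compliant device for Office 365 clients",
               {"users": ALL_USERS, "applications": {"includeApplications": ["Office365"]},
                "clientAppTypes": ["mobileAppsAndDesktopClients"]},
               grant={"operator": "OR", "builtInControls": ["compliantDevice"]}),
        # Rule five: Entra ID Protection scores the sign-in; Conditional Access enforces MFA on risk
        policy("CA05 Require MFA for risky sign-ins",
               {"users": ALL_USERS, "applications": ALL_APPS, "signInRiskLevels": ["high", "medium"]},
               grant={"operator": "OR", "builtInControls": ["mfa"]}),
    ]

def lint(policies):
    """The article's two checks: every policy starts report-only; rule one has no user-level exceptions."""
    problems = [f"{p['displayName']}: not report-only" for p in policies if p["state"] != REPORT_ONLY]
    users = policies[0]["conditions"]["users"]
    if users.get("excludeUsers") or users.get("excludeGroups"):
        problems.append("CA01 has user-level exceptions")
    return problems
```

Each body is what you would POST to `/identity/conditionalAccess/policies`; keep the state at report-only until the sign-in logs have been reviewed.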

Start in report-only mode, not in enforcement mode

Every Conditional Access policy can be set to one of three modes: off, report-only, or on. Report-only mode is the most underrated setting. In this mode, the system evaluates all sign-ins as if the policy were active, but nothing is blocked or required. You can see in the sign-in logs exactly which sign-ins would have been stopped and which extra verification step would have been triggered.

This is the only safe way to test policies in a real environment without disrupting users. Enable every new policy on report-only for at least a week, analyse the logs, adjust the policy where needed, and only then switch it to on. Organisations that skip this step risk blocking legitimate users, resulting in emergency calls and urgent fixes.
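The log analysis step above, as an added example that is not part of the article: the sample sign-in records are constructed in the shape Graph returns from `GET /auditLogs/signIns` (trimmed to the fields needed), and the policy names match the two rules that report-only testing most often changes.

```python
from collections import Counter, defaultdict

# Constructed sample: three sign-in records in the shape Graph returns from
# GET /auditLogs/signIns, trimmed to the fields this analysis needs.
SIGNINS = [
    {"userPrincipalName": "anna@example.com", "location": {"countryOrRegion": "NL"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA01 Require MFA for all users and apps", "result": "reportOnlySuccess"},
         {"displayName": "CA03 Block sign-ins outside trusted countries", "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "bob@example.com", "location": {"countryOrRegion": "BR"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA01 Require MFA for all users and apps", "result": "reportOnlyInterrupted"},
         {"displayName": "CA03 Block sign-ins outside trusted countries", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "carla@example.com", "location": {"countryOrRegion": "DE"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA01 Require MFA for all users and apps", "result": "reportOnlySuccess"},
         {"displayName": "CA03 Block sign-ins outside trusted countries", "result": "reportOnlyFailure"}]},
]

# What the report-only result values mean for a policy that was evaluated but not enforced.
MEANING = {"reportOnlySuccess": "would pass", "reportOnlyInterrupted": "would be prompted",
           "reportOnlyFailure": "would be stopped", "reportOnlyNotApplied": "not in scope"}

def summarise(signins):
    """Per policy, count how each sign-in would have fared had the policy been switched on."""
    counts = defaultdict(Counter)
    for s in signins:
        for applied in s["appliedConditionalAccessPolicies"]:
            counts[applied["displayName"]][MEANING.get(applied["result"], applied["result"])] += 1
    return {name: dict(c) for name, c in counts.items()}

def would_be_stopped(signins, policy_name):
    """(user, country) pairs a policy would have blocked: the list to review before enabling it."""
    return [(s["userPrincipalName"], s["location"]["countryOrRegion"]) for s in signins
            for a in s["appliedConditionalAccessPolicies"]
            if a["displayName"] == policy_name and a["result"] == "reportOnlyFailure"]

if __name__ == "__main__":
    for name, counts in summarise(SIGNINS).items():
        print(name, counts)
    print(would_be_stopped(SIGNINS, "CA03 Block sign-ins outside trusted countries"))
```

In this constructed sample, Carla's sign-in from Germany is the kind of hit to look at before switching CA03 on: a colleague who regularly works across the border belongs in the named location, whereas Bob's sign-in from Brazil is what the policy is meant to stop.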

What do you do this month?

Three concrete steps for the next four weeks. First, open the Microsoft Entra portal and review which Conditional Access policies are currently active. If there are none, or only the default recommendations applied during initial setup, there is work to do. Second, start with rules one and two: MFA for everyone and extra protection for administrators. These are the two measures with the highest protective value per hour invested. Enable them on report-only, evaluate for a week, and switch them on. Third, schedule a quarterly review of your policy configuration. Companies grow, licences change, and threats shift. A policy that is appropriate today may have gaps in six months due to new applications or changed working patterns.

Conditional Access is not a product you configure once and forget. It is a living security system that requires attention and grows with your organisation. Want help configuring, auditing, or improving your Conditional Access policies in Microsoft Entra ID? Contact Zarioh for a no-obligation conversation.

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice.
