Microsoft 365 Security

Conditional Access in Microsoft 365: A Guide for UK Businesses

Conditional Access is the most powerful security control in Microsoft 365 — enforcing who can access your systems, from which devices, under what conditions. Without Conditional Access policies, your Microsoft 365 tenant is accessible to any device with valid credentials, regardless of its security state.

Overview

Conditional Access is Microsoft Entra ID's policy engine for controlling access to M365 based on user, device, location, and risk signals. It enforces MFA reliably, blocks legacy authentication, and requires device compliance — replacing the insecure binary credential check. M365 Business Premium includes Entra ID P1, enabling full Conditional Access.

What Is Conditional Access?

Conditional Access is a feature of Microsoft Entra ID (formerly Azure Active Directory) that acts as a policy engine for access to Microsoft 365 and other cloud applications. It evaluates every access request against a set of conditions and determines whether to grant access, require additional verification, or block the request entirely.

Traditional access control was binary: present valid credentials, get access. Conditional Access adds contextual evaluation — the same credentials might grant access from a managed, compliant laptop in the UK but trigger an MFA challenge from an unfamiliar location, and be blocked entirely from a non-compliant or unmanaged device. This context-aware approach is central to the zero trust security model.

What Conditional Access Policies Can Do

Conditional Access policies can enforce a range of conditions. They can require MFA for all users, for specific users (administrators, finance staff), for specific applications (SharePoint, admin portals), or for specific conditions (access from outside the UK, access from non-compliant devices, elevated sign-in risk).

Policies can require device compliance — an Intune compliance policy must be satisfied before access is granted to specific applications. This means an unmanaged personal laptop cannot access corporate SharePoint, even with valid credentials. A compliant, managed device can.

Legacy authentication blocking is one of the most impactful Conditional Access configurations. Legacy email protocols (IMAP, POP3, basic authentication in Exchange Online) do not support MFA — an attacker with stolen credentials can authenticate via these protocols regardless of MFA being enabled. Blocking legacy authentication via Conditional Access eliminates this bypass. Microsoft reports that over 99% of password spray attacks target legacy authentication protocols.

Licence Requirements

Full Conditional Access capability requires Microsoft Entra ID P1 licensing, which is included in Microsoft 365 Business Premium. Microsoft 365 Business Basic and Business Standard include Security Defaults — a simplified set of pre-configured policies that enforce MFA for all users and block legacy authentication — but not the full Conditional Access policy engine. For most UK SMEs, Business Premium is the right licence for Conditional Access capability.

Microsoft Entra ID P2 (included in M365 E5) adds risk-based Conditional Access — automatically requiring step-up authentication or blocking access when Microsoft's identity risk engine flags a sign-in as suspicious.

Essential Conditional Access Policies for UK SMEs

AMVIA configures a baseline set of Conditional Access policies for all managed M365 clients. The core policies are: require MFA for all users on all applications (eliminating the risk of account takeover from credential theft alone); block legacy authentication for all users (eliminating the most common MFA bypass); require compliant devices for access to sensitive applications (SharePoint, Exchange, Teams); and protect admin accounts with additional controls including MFA from all locations and Privileged Identity Management (PIM) for role activation.

Additional policies depend on the business context: blocking access from specific geographic regions, requiring phishing-resistant MFA (FIDO2 keys or Windows Hello) for highly privileged accounts, restricting download of sensitive data on unmanaged devices, and requiring Terms of Use acceptance for guest users.

Key Considerations for UK SMEs

  • Microsoft 365 Business Premium is required for full Conditional Access — Business Basic and Standard have Security Defaults only
  • Block legacy authentication as a priority — this closes a significant MFA bypass used in the majority of password spray attacks
  • Pilot new policies in report-only mode before enforcement — this shows the impact without blocking users
  • Exclude a break-glass emergency access account from all Conditional Access policies — to prevent being locked out of the tenant
  • Review Conditional Access policies regularly — particularly when staff roles, working patterns, or applications change
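The baseline described under "Essential Conditional Access Policies" and the report-only and break-glass points above, as an added example that is not AMVIA's own configuration: this Microsoft Graph PowerShell script creates the two foundational policies (block legacy authentication, require MFA for all users) in report-only mode, with a break-glass account excluded. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Conditional Access Administrator role, and the break-glass object ID is a placeholder to be replaced.

```powershell
# Added example, not the page's or AMVIA's own code.
# Requires: Install-Module Microsoft.Graph (Identity.SignIns cmdlets).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object ID of your break-glass account,
# which must be excluded from every Conditional Access policy.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Report-only state: the policy is evaluated and logged, but never enforced.
$reportOnly = "enabledForReportingButNotEnforced"

# Policy 1: block legacy authentication. "exchangeActiveSync" and "other"
# are the client app types (IMAP, POP3, SMTP AUTH, Basic Auth) that cannot
# complete an MFA challenge, so the only safe grant control is "block".
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for all users on all cloud apps from modern clients.
$requireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}

# After reviewing the report-only results in the sign-in logs, enforce a policy
# by switching its state (replace <policy-id> with the id printed above):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy-id> `
#     -BodyParameter @{ state = "enabled" }
```

Check the report-only impact in the Entra sign-in logs (the "Report-only" result per policy) before changing either state to "enabled".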

How AMVIA Can Help

AMVIA configures and manages Conditional Access policies as part of its Microsoft 365 security service. We deploy the core policy set, test in report-only mode to confirm impact before enforcement, monitor for sign-in issues related to Conditional Access, and review policies as part of quarterly security reviews. For businesses transitioning from Security Defaults to full Conditional Access, AMVIA manages the migration to minimise disruption to users. Contact AMVIA on 0333 733 8050.

Key Points

What UK businesses need to know about Conditional Access.

Enforces MFA Correctly

Conditional Access enforces MFA reliably across all applications — unlike per-user MFA settings, which can be inconsistently applied or bypassed.

Blocks Legacy Authentication

Legacy protocols like IMAP and SMTP AUTH do not support MFA. Conditional Access can block these entirely — eliminating one of the most common attack vectors.

Requires Device Compliance

Policies can require devices to be enrolled in Intune and compliant with MDM policies before accessing sensitive applications.

Risk-Based Access

Microsoft Entra ID Protection assigns risk scores to sign-ins. Conditional Access can require MFA or block access automatically when risk is elevated.

Conditional Access Configuration Checklist

  • MFA required for all users via Conditional Access — not just per-user MFA settings
  • Legacy authentication blocked — no IMAP, POP3, or Basic Auth allowed
  • Device compliance required for sensitive applications
  • Admin accounts protected with additional Conditional Access controls
  • Break-glass emergency access account maintained and excluded from policies
  • Policies tested in report-only mode before enforcement

Configure Conditional Access Correctly

AMVIA configures and manages Microsoft 365 Conditional Access policies — enforcing MFA, blocking legacy authentication, and requiring device compliance across your entire tenant.