
Podcast - Conditional Access

This is a blog post supporting one episode of the Cyber Anxiety series, hosted by Inbay, alongside Daniel Welling of WellingMSP.

The latest one is about Conditional Access in Office365.

Conditional Access in Office365

Conditional Access is probably the most powerful tool available for securing your own and your clients' Office365 tenants. When used in combination with multi-factor authentication (MFA), it can keep most of the bad actors away and also protect your client's data. It is such a powerful tool that I can only give you a brief introduction to what it can do.

First, a warning: it is very easy to lock yourself out of the tenant with Conditional Access, so always have an emergency access account configured and confirmed as working.
This is documented on the Microsoft web site. If you have any rules already configured, then exclude this account from all of them.

What is Conditional Access?

Conditional Access is a feature of AzureAD which allows you to control who and what can access the Office365 tenant. It can enforce the use of a managed machine, MFA, location and approved apps, giving the administrator full control over the tenant access.
It can also be used to limit MFA prompts, which are one of the main barriers to adoption of MFA.

During initial adoption, the rules can be run in Report Only mode, allowing you to catch anything that falls outside the ruleset before it goes live. Enabling a small Azure subscription (usually less than £10/month) will allow more advanced reporting. This can be very useful for demonstrating to the client what Conditional Access could block or is blocking. If you followed my advice at the start about configuring an Emergency Access Account, then the same log workspace can be used.

Two of the most common uses for Conditional Access are Country Restrictions and Securing Sign Ups for MFA.

Country Restrictions

One of the easiest to implement, but most effective, uses of Conditional Access is to restrict which countries can access the tenant. If you or your client are all located in the UK, then restricting login to the UK will stop a lot of attacks, even if an account gets compromised.
Conditional Access works on a "block everything, with exceptions" rule, so you will need to build a list of countries that can access the tenant (typically I do UK, ROI, Jersey, Guernsey and Isle of Man).

The only drawback is if a user goes travelling and needs to access company resources. To combat that, create a group for the exceptions, then add and remove users from that group as required. Make sure that end users know to inform you that they are travelling.
It can be tempting to allow some users to be in the exception group all of the time. If this is a high value account (CEO, MD etc) then this should be discouraged, because they remain a target.
However, be creative – if an end user has a holiday home where they spend a lot of their time, then build an exception ruleset for them. If the staff member can get a static IP address, then even better as you can restrict it to that location only.

Securing MFA

Conditional Access is the preferred method to enforce the use of MFA, but you can also use Conditional Access to secure MFA. If you are using a trusted location to allow office-based staff to bypass the need for MFA, then you can use Conditional Access to ensure that those users cannot have their accounts abused. A common attack would be for a bad actor to phish the user's security details, then sign up for MFA using their own phone, leaving them able to access the tenant from wherever they like.
Therefore, configure a trusted location and then restrict MFA sign up to that trusted location, so a user has to be in the office to sign up for MFA.
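
The two policies described above (country restriction with a travel exception group, and MFA sign up limited to trusted locations), written as Microsoft Graph conditionalAccessPolicy request bodies in report-only state, with a check that the emergency access account is excluded. This is an added example, not something from the podcast or from Microsoft: the object IDs are constructed placeholders, the helper names `block_policy` and `lockout_risks` are hypothetical, and using a block grant for the registration policy is an assumption.

```python
# Constructed placeholder IDs; substitute the object IDs from your own tenant.
BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000e1"       # emergency access account
TRAVEL_GROUP_ID = "00000000-0000-0000-0000-0000000000a1"      # travelling-users exception group
ALLOWED_LOCATION_ID = "00000000-0000-0000-0000-0000000000c1"  # ID of the named location below

# Country named location: UK, ROI, Jersey, Guernsey, Isle of Man (ISO 3166-1 codes).
ALLOWED_COUNTRIES = {
    "@odata.type": "#microsoft.graph.countryNamedLocation",
    "displayName": "Allowed countries",
    "countriesAndRegions": ["GB", "IE", "JE", "GG", "IM"],
    "includeUnknownCountriesAndRegions": False,
}

def block_policy(name, applications, allowed_locations, exception_groups=()):
    """Build a 'block everything, with exceptions' policy in report-only state."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # Report Only mode
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": [BREAK_GLASS_ID],
                      "excludeGroups": list(exception_groups)},
            "applications": applications,
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(allowed_locations)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

COUNTRY_BLOCK = block_policy("Block sign-in outside allowed countries",
                             {"includeApplications": ["All"]},
                             [ALLOWED_LOCATION_ID], [TRAVEL_GROUP_ID])
MFA_SIGNUP = block_policy("Block MFA sign up outside trusted locations",
                          {"includeUserActions": ["urn:user:registersecurityinfo"]},
                          ["AllTrusted"])

def lockout_risks(policy, break_glass_id=BREAK_GLASS_ID):
    """List reasons a policy (built here or exported as JSON) could lock you out."""
    risks = []
    cond = policy["conditions"]
    if break_glass_id not in cond["users"].get("excludeUsers", []):
        risks.append("emergency access account not excluded")
    blocks = "block" in (policy.get("grantControls") or {}).get("builtInControls", [])
    if blocks and not (cond.get("locations") or {}).get("excludeLocations"):
        risks.append("block policy has no allowed location")
    if risks and policy.get("state") == "enabled":
        risks.append("policy is enforced, not report-only")
    return risks
```

Run `lockout_risks` over every policy before switching its state from report-only to `enabled`; an empty list means the emergency access account and at least one allowed location are in place.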

Spend some time with the Conditional Access documentation and see how you can secure both your own tenant and those of your clients. Just don't lock yourself out!

Luke, Daniel and I discuss Conditional Access in the podcast series Cyber Anxiety; the link to it can be found above.

If you would like to listen to the rest of the series, then they can be found here:

