Passwords alone have never been a reliable security measure, and in 2026 they’re even less so. Credential theft, phishing attacks, and automated login attempts mean that a username and password (even a strong one) can be compromised without the account owner ever knowing. Multi-factor authentication helps, but it’s only part of the picture.
The real question isn’t just who is trying to log in; it’s where they are logging in from, what device they are using, and whether the context of this login makes sense for this user. That’s exactly what Conditional Access is designed to answer.
What Is Conditional Access?
Conditional Access is a security feature within Microsoft Entra ID (formerly Azure Active Directory) that acts as an intelligent policy engine between a user and the resources they’re trying to access. Rather than simply checking a username and password, it evaluates a range of real-time signals before deciding whether to grant access, block it, or require additional verification.
At its simplest, Conditional Access works on an if-then logic: if a user is trying to access a resource under certain conditions, then they must meet specific requirements before being granted access.
For example:
- If a user is signing into Microsoft 365 from an unrecognised device, then require MFA
- If a user is attempting to access sensitive data from outside the UK, then block access
- If a user’s sign-in risk is flagged as high, then require a password reset before proceeding
- If a user is accessing from a personal mobile device, then restrict what they can download or print
Conditional Access is included in Microsoft 365 Business Premium and Microsoft Entra ID P1 licences — which is one of the primary reasons Via Wire recommends Business Premium as the minimum standard for business clients.
Why Standard Security Settings Aren’t Enough
Microsoft provides basic security defaults for all Microsoft 365 tenants — a set of baseline protections that are better than nothing but lack the flexibility and granularity that most businesses genuinely need. Security defaults apply the same rules to everyone, in every situation, with no ability to adapt based on context.
Conditional Access replaces security defaults with a far more sophisticated approach. It allows IT administrators to define precisely which rules apply to which users, under which circumstances — providing strong protection where it’s needed without creating unnecessary friction for users going about their normal working day.
What Signals Does Conditional Access Use?
The power of Conditional Access lies in the range of signals it evaluates in real time before making an access decision. These include:
User identity and role — different policies can apply to standard users, managers, and administrators. Admin accounts, which represent the highest-value targets for attackers, can be subject to significantly stricter requirements.
Device compliance — through integration with Microsoft Intune, Conditional Access can check whether the device being used meets your organisation’s security requirements before granting access. A device that is missing current security patches, has encryption disabled, or is not configured correctly can be blocked or restricted automatically.
Location — access attempts from unexpected countries or regions can be blocked outright, or subjected to additional verification. For a business that only operates in the UK, a login attempt from an overseas IP address is a meaningful red flag.
Sign-in risk — Microsoft Entra ID analyses real-time signals including login behaviour, IP reputation, and known threat intelligence to assign a risk level to each sign-in attempt. Conditional Access can respond automatically — requiring additional verification for medium-risk sign-ins and blocking high-risk ones entirely.
Application sensitivity — different rules can apply depending on which application the user is trying to access. Accessing a low-sensitivity internal tool might require only standard MFA, while accessing financial systems or HR data might require a compliant device as well.
Common Conditional Access Policies for Business
A well-configured Conditional Access deployment for a small or medium-sized business typically includes a core set of policies that cover the most significant risk scenarios:
Require MFA for all users — ensures that every account requires a second factor, closing the gap that password-only authentication leaves open.
Require MFA for all admin accounts — administrators have elevated access to your entire Microsoft 365 environment and should be subject to the strictest authentication requirements.
Block legacy authentication — older authentication protocols that don’t support MFA (such as basic authentication used by older email clients) are a common attack vector. Blocking legacy authentication removes this exposure entirely.
Require compliant or managed devices — prevents access to company data from unmanaged personal devices that haven’t been enrolled in Intune and verified as compliant with your security policies.
Block access from high-risk locations — restricts or blocks login attempts from countries or regions where your business has no legitimate users.
Require MFA for high-risk sign-ins — automatically triggers additional verification when Entra ID’s risk engine flags a sign-in as suspicious, without applying that friction to every normal login.
Conditional Access and Zero Trust Security
Conditional Access is the practical implementation of what Microsoft calls a Zero Trust security model — the principle that no user, device, or network location should be automatically trusted, and that access should be verified continuously rather than assumed once a user is logged in.
For businesses that have moved to cloud-based working — with staff accessing Microsoft 365, SharePoint, Teams, and other services from multiple devices and locations — Zero Trust is the only security model that makes sense. The traditional approach of trusting everything inside the office network is obsolete when the network perimeter no longer exists in any meaningful sense.
What’s New in Conditional Access in 2026
Microsoft has been actively strengthening Conditional Access enforcement throughout 2026. A significant change rolling out this year closes a long-standing loophole where certain application sign-ins using limited permission scopes could bypass Conditional Access policy evaluation. From mid-2026, Conditional Access policies set to apply to all resources will be enforced consistently across all sign-in types — removing gaps that attackers could previously exploit.
Businesses using custom-built or legacy applications that connect to Microsoft 365 should review these applications with their IT provider to ensure they handle Conditional Access challenges correctly ahead of the enforcement date.
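One concrete meaning of “handle Conditional Access challenges correctly”: when a policy requires more than the application’s current token carries, the protected resource answers with HTTP 401 and a WWW-Authenticate header whose error is insufficient_claims and whose claims parameter holds base64-encoded JSON that the application must replay to Entra ID. The following Python is an added example written for this article, not Microsoft’s code and not Via Wire’s; the response headers and the claims payload are constructed, and the acrs value in them is a placeholder.

```python
"""Constructed example: recognising a Conditional Access claims challenge in an
HTTP 401 response and extracting the claims a token library must replay."""
import base64
import json
import re

# Constructed claims payload: an authentication-context (acrs) requirement of the
# kind a Conditional Access policy can attach to a protected resource. "c1" is a
# placeholder value.
CLAIMS = {"access_token": {"acrs": {"essential": True, "value": "c1"}}}

# Constructed 401 response headers in the documented WWW-Authenticate shape.
SAMPLE_HEADERS = {
    "WWW-Authenticate": (
        'Bearer realm="", '
        'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
        'error="insufficient_claims", '
        'claims="' + base64.b64encode(json.dumps(CLAIMS, separators=(",", ":")).encode()).decode() + '"'
    )
}

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(www_authenticate):
    """Return the key/value parameters of a Bearer challenge, or None if it is not one."""
    if not www_authenticate or not www_authenticate.startswith("Bearer"):
        return None
    return dict(_PARAM.findall(www_authenticate))


def extract_claims_challenge(headers, status=401):
    """Return the decoded claims JSON string when the response is a Conditional
    Access challenge, otherwise None.

    None tells the caller this is an ordinary failure (expired or invalid token)
    that a silent refresh may fix; a string means the user must re-authenticate
    with these claims so that the policy can be satisfied.
    """
    if status != 401:
        return None
    # Header names are case-insensitive, so match without regard to case.
    www = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
    params = parse_bearer_challenge(www)
    if not params or params.get("error") != "insufficient_claims":
        return None
    raw = params.get("claims", "")
    if not raw:
        return None
    padded = raw + "=" * (-len(raw) % 4)      # tolerate stripped base64 padding
    decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    json.loads(decoded)                         # reject a malformed challenge early
    return decoded


if __name__ == "__main__":
    print(extract_claims_challenge(SAMPLE_HEADERS))
```

In an application built on MSAL, the returned string is what goes into the `claims_challenge` parameter of `acquire_token_interactive` or `acquire_token_silent`, which sends the user back through Entra ID to satisfy the policy. An application that treats every 401 as “token expired” and simply retries with a refreshed token is the kind that will start failing once policies are enforced across all sign-in types.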
What Conditional Access Requires
Conditional Access is available with Microsoft Entra ID P1, which is included in Microsoft 365 Business Premium. More advanced features — including risk-based Conditional Access that responds automatically to detected sign-in risk — require Microsoft Entra ID P2, which is included in Microsoft 365 E5.
For most small and medium-sized businesses, the Conditional Access capabilities available in Business Premium provide a comprehensive and well-rounded security posture. Properly configured, they address the vast majority of identity-based attack scenarios without requiring an enterprise licence.
Getting Conditional Access Right
Conditional Access is a powerful tool, but it requires careful planning and testing before deployment. Policies that are too restrictive can lock users out of the systems they need to do their jobs. Policies that are too permissive leave gaps. Microsoft recommends deploying new policies in report-only mode first — observing what the policy would have done without actually enforcing it — before moving to full enforcement.
It’s also essential to maintain emergency access accounts that are excluded from Conditional Access policies, so that administrators can still sign in and recover access if a misconfigured policy would otherwise lock everyone out.
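The if-then logic, the signals it evaluates, the core policy set listed under “Common Conditional Access Policies for Business”, report-only mode and the emergency-access exclusion can all be seen working together in a small model. The following Python is an added example written for this article, not Microsoft’s code and not Via Wire’s configuration: the policy dictionaries borrow the field names of Microsoft Graph’s conditionalAccessPolicy resource (conditions, grantControls, state), while the evaluation logic is a deliberately simplified illustration of how matching policies combine, not Entra ID’s engine. The group ID, named location, application name and sample sign-ins are placeholders constructed for the example.

```python
"""Constructed model of Conditional Access if/then evaluation (illustration only)."""
from dataclasses import dataclass

# Placeholders standing in for the real object IDs a tenant would use.
BREAK_GLASS_GROUP = "grp-emergency-access-PLACEHOLDER"
NAMED_LOCATIONS = {"loc-uk": {"GB"}}   # constructed named location -> ISO country codes


@dataclass
class SignIn:
    """The signals one sign-in attempt carries into policy evaluation."""
    user: str
    groups: set
    app: str
    client_app_type: str        # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    country: str
    device_compliant: bool      # as reported by Intune
    sign_in_risk: str = "none"  # none | low | medium | high (from the risk engine)


def policy(name, state, controls, operator="OR", apps=("All",), client_types=("all",),
           locations=None, risk=None):
    """Build a policy using Graph's field names; every policy excludes the emergency-access group."""
    conditions = {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": list(apps)},
        "clientAppTypes": list(client_types),
    }
    if locations:
        conditions["locations"] = locations
    if risk:
        conditions["signInRiskLevels"] = list(risk)
    return {"displayName": name, "state": state, "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}


POLICIES = [
    policy("Require MFA for all users", "enabled", ["mfa"]),
    policy("Block legacy authentication", "enabled", ["block"],
           client_types=["exchangeActiveSync", "other"]),
    policy("Require compliant device for finance", "enabled", ["mfa", "compliantDevice"],
           operator="AND", apps=["finance-app"]),          # hypothetical application
    policy("Require MFA for high-risk sign-ins", "enabled", ["mfa"], risk=["high"]),
    # A new geographic block is deployed in report-only mode first.
    policy("Block sign-ins from outside the UK", "enabledForReportingButNotEnforced", ["block"],
           locations={"includeLocations": ["All"], "excludeLocations": ["loc-uk"]}),
]


def policy_applies(p, s):
    """True when every condition of policy p matches sign-in s; exclusions win."""
    c = p["conditions"]
    if s.groups & set(c["users"].get("excludeGroups", [])):
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    types = c["clientAppTypes"]
    if "all" not in types and s.client_app_type not in types:
        return False
    loc = c.get("locations")
    if loc:
        excluded = set().union(*(NAMED_LOCATIONS.get(lid, set())
                                 for lid in loc.get("excludeLocations", [])))
        if s.country in excluded:
            return False
    risk = c.get("signInRiskLevels")
    if risk and s.sign_in_risk not in risk:
        return False
    return True


def evaluate(s, policies=POLICIES):
    """Combine every matching policy: a block wins, otherwise required controls accumulate.

    This model treats every listed control as required (the AND case) and only
    records the operator; report-only policies are logged, never enforced.
    """
    outcome, controls, applied, report_only = "grant", set(), [], []
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, s):
            continue
        wanted = p["grantControls"]["builtInControls"]
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])   # what it would have done
            continue
        applied.append(p["displayName"])
        if "block" in wanted or ("compliantDevice" in wanted and not s.device_compliant):
            outcome = "block"
        controls.update(wanted)
    return {"outcome": outcome, "controls": sorted(controls),
            "applied": applied, "report_only": report_only}


if __name__ == "__main__":
    print(evaluate(SignIn("alice", {"grp-staff"}, "mail", "browser", "GB", True)))
    print(evaluate(SignIn("alice", {"grp-staff"}, "mail", "exchangeActiveSync", "GB", True)))
```

Two behaviours are worth noticing when running it. The emergency-access group is excluded from every policy, so the break-glass sign-in receives no controls even from an unfamiliar country at high risk, which is exactly why those accounts need their own monitoring. The geographic block is in report-only mode, so a sign-in from outside the UK is still granted, but the decision the policy would have taken is recorded for review before its state is switched to enabled.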
At Via Wire, we design, configure, and manage Conditional Access policies for businesses running Microsoft 365 Business Premium — ensuring the right protections are in place without disrupting your team’s day-to-day working. Get in touch today to discuss Microsoft Entra ID and Conditional Access for your business.