
How to Set Up Conditional Access in Microsoft 365
- Sam Williams
- Mar 29
- 2 min read

Conditional Access is probably the most impactful security feature in Microsoft 365. It lets you set rules about who can sign in, from where, on what device, and under what conditions.
Without it, anyone with a stolen username and password can sign in from anywhere in the world. With it, you decide.
What you need
Conditional Access requires Entra ID P1, which is included in Microsoft 365 Business Premium, E3, and E5. If you're on Business Basic or Business Standard, you'll need to use Security Defaults instead (which is more limited but still better than nothing).
You also need to be a Conditional Access Administrator or Global Administrator to create policies.
The policies every business should have
Start with these three. They cover the biggest risks without overcomplicating things.
Require MFA for all users — the baseline. Exclude your break-glass emergency account.
Block legacy authentication — older protocols like POP3 and IMAP that use basic authentication and can't complete an MFA challenge. If you still have devices using these, sort that out first.
Block sign-ins from countries you don't operate in — if nobody in your business is in Russia, China, or North Korea, block those locations. This cuts out a huge amount of brute force traffic.
How to create a policy
Go to entra.microsoft.com → Protection → Conditional Access → Policies → New policy.
Name it clearly. 'Block sign-ins from outside Australia' is better than 'Policy 3'.
Under Users, choose who it applies to. Start with All users and exclude your break-glass account.
Under Conditions, set the conditions — like Location (named locations you've defined) or Device platform (Windows, iOS, etc.).
Under Grant or Block, choose what happens when the conditions are met.
Always start in Report-only mode. Check the sign-in logs for a week to make sure you're not blocking legitimate users. Then switch to On.
Setting up named locations
Before you can block by country, you need to define your trusted locations.
Go to Protection → Conditional Access → Named locations.
Create a Countries location and add Australia (and any other countries your team works from).
You can also add your office IP addresses as a trusted location if you want different rules for in-office vs remote.
Testing before you enforce
This is the step people skip, and it's the one that causes chaos.
Report-only mode lets you see what would happen if the policy were active. Check the sign-in logs under Monitoring → Sign-in logs. Look for entries where the Report-only column shows 'would have blocked' or 'would have required MFA'.
If you see legitimate users being affected, adjust the policy before switching it on.
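As an added illustration of the log check above (not part of the original post), this Python script takes sign-in records in the Microsoft Graph signIn shape, the same data the Entra Sign-in logs display, and lists which users and countries each report-only policy would have blocked or challenged for MFA. The policy names and sign-in records are constructed for the example.

```python
"""Summarise what report-only Conditional Access policies would have done, from
sign-in records in the Microsoft Graph signIn shape (what Entra Sign-in logs show)."""
import json
from collections import defaultdict

# appliedConditionalAccessPolicies[].result values meaning the policy matched and,
# if enforced, would have blocked or interrupted the sign-in; other report-only
# values (reportOnlySuccess, reportOnlyNotApplied) mean no user impact.
WOULD_HAVE_AFFECTED = {"reportOnlyFailure", "reportOnlyInterrupted"}

# Constructed sample export (not real tenant data): three sign-ins evaluated
# against the two report-only policies named below.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
  "location": {"countryOrRegion": "AU"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Block sign-ins from outside Australia",
    "enforcedGrantControls": ["Block"], "result": "reportOnlyNotApplied"},
   {"displayName": "Require MFA for all users",
    "enforcedGrantControls": ["Mfa"], "result": "reportOnlySuccess"}]},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser",
  "location": {"countryOrRegion": "NZ"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Block sign-ins from outside Australia",
    "enforcedGrantControls": ["Block"], "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync",
  "location": {"countryOrRegion": "AU"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for all users",
    "enforcedGrantControls": ["Mfa"], "result": "reportOnlyInterrupted"}]}
]""")

def report_only_impact(signins):
    """Return {policy name: {outcome: {(user, country), ...}}} for affected sign-ins."""
    impact = defaultdict(lambda: defaultdict(set))
    for s in signins:
        who = (s["userPrincipalName"], s.get("location", {}).get("countryOrRegion", "?"))
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("result") not in WOULD_HAVE_AFFECTED:
                continue  # policy did not match, or grant controls were already satisfied
            controls = {c.lower() for c in p.get("enforcedGrantControls", [])}
            outcome = ("would_block" if "block" in controls
                       else "would_require_mfa" if "mfa" in controls else "would_interrupt")
            impact[p["displayName"]][outcome].add(who)
    return impact
```

Review each (user, country) pair the script lists: an expected remote worker can be added to the named location, an unexpected country is exactly what the policy should block once switched to On.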
Conditional Access is powerful but it's easy to lock people out if you get it wrong. We configure these policies as part of our M365 security service — tested, documented, and rolled out without disrupting your team.

