
How to create Conditional Access Policies within Microsoft 365


Paul Horn

C|CISO, CISSP, CRISC, CISM, GCIH · May 8, 2024

A laptop displaying a Microsoft 365 admin console; Conditional Access Policies are the gate every authentication has to pass through.

Want to enforce multi-factor authentication in Microsoft 365?

In Microsoft 365 that is done with Conditional Access Policies in your tenant.

What is a Conditional Access Policy?

A Conditional Access Policy is a rule that says: when a user in your business tries to access a resource, the sign-in must meet certain requirements before access is granted. At its simplest, each policy is an if-then statement. For example: if a user wants to use email, then they must complete multi-factor authentication before access is granted. The policy is evaluated at every sign-in, not just once.

What Conditional Access Policies should I have?

There are several Conditional Access Policies we recommend for every Microsoft 365 tenant. However, which policies you can use depends on the license level you have. If you haven't already read our blog on licensing, we recommend you do so; it can be found here. The reason we recommended Business Premium was that it also includes a Microsoft Entra ID P1 license, which is what Conditional Access itself requires (a tenant without P1 is limited to Security Defaults, which cannot be customized). If you want to use any risk-based policies (sign-in risk or user risk), you will need to add a Microsoft Entra ID P2 license.

  1. Require multifactor authentication for all users.
  2. Require multifactor authentication for Azure management (the Windows Azure Service Management API, which covers the Azure portal, Azure CLI and Azure PowerShell).
  3. Require multifactor authentication for admins.
  4. Block legacy authentication (older protocols such as POP, IMAP, SMTP AUTH and Exchange ActiveSync basic auth, which cannot complete MFA).
  5. Block logins from specific locations (e.g., outside the US or your country of operation).
  6. Require an app protection policy for iOS and Android (requires Intune).
  7. Require devices to be marked as compliant (requires Intune).

So how do I create a Conditional Access Policy?

  1. Log into the Microsoft Entra admin center.
  2. On the left, expand Protection and select Conditional Access.
  3. Select Policies, directly under Overview.
  4. Select New policy.
  5. Give the policy a descriptive name.
  6. Under Assignments, select the link under Users.
  7. Add the users or groups you want to include and/or exclude. Always exclude at least one emergency-access (break-glass) account from every policy so a misconfigured policy cannot lock every administrator out of the tenant.
  8. Select the link under Target resources.
  9. Choose what the policy applies to (cloud apps, user actions or authentication context) and then include and/or exclude any resources.
  10. Select the link under Conditions.
  11. Add any conditions needed, such as device platform, location, client app type, or (with P2) sign-in risk and user risk.
  12. Select the link under Grant.
  13. Choose whether to grant or block access, and any additional requirements for a grant (for example, require multifactor authentication, a compliant device, or an approved client app).
  14. Select the link under Session.
  15. Choose any session controls needed, such as sign-in frequency or persistent browser session.
  16. Scroll to the very bottom, to Enable policy.
  17. Start the policy in Report-only. In report-only mode the policy is evaluated and its result is recorded, but it is not enforced.
  18. After a few weeks, review the sign-in logs (the Report-only tab on each sign-in shows what the policy would have done). Once you are satisfied nobody legitimate would have been blocked, move the policy to On.
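The same procedure can be driven from Microsoft Graph instead of the portal, which is useful when you want the policies version-controlled or rolled out to several tenants identically. The script below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK to create two of the recommended policies (require MFA for all users, and block legacy authentication) in report-only mode, and then summarises, from the sign-in log, what each policy would have done. It assumes the Microsoft.Graph module is installed, that the signed-in account can manage Conditional Access, and that breakglass@contoso.com is a hypothetical emergency-access account which must stay excluded from both policies.

```powershell
# Added example (not from the original post). Creates two Conditional Access
# policies in report-only mode via Microsoft Graph, then reviews their results.
# Assumption: "breakglass@contoso.com" is a hypothetical emergency-access
# account in your tenant; replace it with your own.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All",
                        "User.Read.All",
                        "AuditLog.Read.All"

# Resolve the break-glass account once; it is excluded from every policy.
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.com").Id

# Policy 1 from the list above: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"     # Report-only first
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 4 from the list above: block legacy authentication. These client app
# types (Exchange ActiveSync and "other" legacy clients) cannot complete MFA,
# so a block here is what makes the MFA policy above meaningful.
$blockLegacy = @{
    displayName = "CA004 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"     # Report-only first
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($body in @($requireMfa, $blockLegacy)) {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0}  {1}  {2}" -f $policy.Id, $policy.State, $policy.DisplayName
}

# Step 18: after the policies have run in report-only for a while, count what
# each one would have done. reportOnlyFailure = the sign-in would have been
# blocked; reportOnlyInterrupted = the user would have been prompted (e.g. for
# MFA); reportOnlySuccess = the sign-in already satisfied the policy.
$since   = (Get-Date).ToUniversalTime().AddDays(-14).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object   { $_.Result -like "reportOnly*" } |
    Group-Object   DisplayName, Result |
    Sort-Object    Name |
    Format-Table   Count, Name -AutoSize
```

Review the reportOnlyFailure rows for the block policy before switching it on: every one of them is a sign-in that would have been refused, so any service account or scanner still using POP/IMAP/SMTP AUTH shows up here before it breaks. Only after that list contains nothing you need should the policy's state be changed from enabledForReportingButNotEnforced to enabled.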

If you don't want to create the policies manually, Microsoft provides prebuilt templates that cover most of the list above. Instead of clicking New policy, select New policy from template and follow the prompts. The templates are also created in report-only mode by default, so the same review step applies before turning them on.

If you don't feel comfortable creating the policies reach out and we would be more than happy to help you put some in place at a reasonable price.


Written by Paul Horn

C|CISO, CISSP, CRISC, CISM, GCIH

Founder of H2Cyber. Thirty years building cybersecurity programs for organizations from Fortune 500s to two-person shops.