cartoon graphics on computer and mobile phone

Microsoft 365 Conditional Access: What It Is And Why You Should Use It

Compared to previous, boxed versions of Microsoft Office, Microsoft 365 runs in the cloud. This allows for several new features, the most useful of which is the ability to access your Microsoft 365 environment from any device in any location. This feature is incredibly useful, allowing teams to collaborate from disparate locations and access their files via the web if they do not have their work device to hand.

However, as with anything that brings convenience, there can be downsides when it comes to cybersecurity. The following three points are all features of Microsoft 365, but each one is also a potential vulnerability for your business.  

  • You can access Microsoft 365 from anywhere, not just in your office.  
  • You can access Microsoft 365 from any device, including mobile devices, not just your work computer.  
  • You can access Microsoft 365 with only a username and password.  

While you can probably see the advantages of all these features, there are some downsides, namely…  

  • Emails or files can be easily accessed from, and downloaded to, devices outside of your control.  
  • OneDrive or SharePoint could be synced to a personal device and all the data would be automatically copies outside of your organisation.  
  • A hacker could easily steal a user’s 365 password through a phishing attempt and then use that to gain access to your data.  

How To Mitigate Risks With Conditional Access Controls

Conditional Access Control is named such because it places additional conditions on access to your Microsoft 365 platform. It is one of the most crucial elements of Microsoft 365 security and threat protection. Here are some of the conditions that we have previously set for some our managed IT services customers who use Microsoft 365.  

  • Location
    Where is the user connecting from. You could restrict this to a particular country. For example, if you only have users in London, then there’s no reason to allow connections from Croatia or Brazil.  
  • Device
    You can restrict which devices can connect to Microsoft 365. For example, you could block all connections from mobile devices, or set corporate devices as the only ones authorised for access. 
  • Operating System
    Block connections from specific operating systems. For example, if all your team use Windows, you could block connections from users on OSX or Linux.  
  • Application
    Block connections from specific apps. For example, you could only allow connections from desktop 365 apps and not from their web versions.
  • Suspicious Logins
    You can block suspicious logins by default. For example, a user connects from a Windows PC in New York, and then five minutes later they connect using an iPhone in Paris.
  • Groups
    The same rules don’t need to apply to every user. Different user groups can have different access permissions and conditions. This also allows you to test policies out on a small number of users before rolling them out to the rest of your organisation.
  • Multi Factor Authentication
    Additional confirmation can be required on top of the standard username + password combination. For example, a code generated by the Microsoft Authenticator app on a user’s phone.
  • Intune Compliance
    Access can be blocked from devices which do not match your organisation’s Microsoft Intune policies.   

The Two Most Common Uses For Conditional Access Controls

Our team of IT experts can help you craft the ideal set of conditions for your business which matches the way you work and the risks you face. The following are two of the most common uses for conditional access controls…  

Restricting Access To Your Office IP Address

If your team is always in the office and doesn’t do remote work, there’s no reason for anyone who’s off premises to be access your Microsoft 365 files and software. By permitting only your office’s IP address, you effectively block all outside access. 

On the rare occasion that a user needs access from outside your office, they can connect to via a secure corporate VPN. For this to be a workable strategy, you need a static IP address – If you do not have one, our partners at Carden Telecoms can help you implement business broadband.  

Restricting Access To Your Corporate Devices

Unless you are operating a B.Y.O.D (Bring Your Own Device) environment, there is little reason to allow access from devices which are not owned and managed by your organisation. By blocking access from non-corporate devices, you ensure that you maintain complete control over the devices which are accessing your 365 data.

Need Help Setting Up Conditional Access In Your Company?

If you would like professional help implementing Microsoft 365 Conditional Access in your organisation, speak to Carden IT Services’ team today. 

Author: Dave King

Dave King is the Co-Founder and Director of Carden IT Services and the wider Carden IT Group. Dave has over 18 years’ experience in business IT networks with a focus on IT consultation and disaster recovery planning/testing.