Conditional Access in Microsoft 365: A Guide for UK Businesses

Overview

Conditional Access is Microsoft Entra ID's policy engine for controlling access to M365 based on user, device, location, and risk signals. It enforces MFA reliably, blocks legacy authentication, and requires device compliance — replacing the insecure binary credential check. M365 Business Premium includes Entra ID P1, enabling full Conditional Access.

Conditional Access is a Microsoft 365 security feature that controls who can access your business systems, from which devices, locations, and under what conditions — before granting or blocking access. It replaces the outdated model of trusting any user with the right password, instead evaluating risk signals in real time and enforcing appropriate access controls automatically.

What Is Conditional Access in Microsoft 365?

Conditional Access is part of Microsoft Entra ID (formerly Azure Active Directory) and is included in Microsoft 365 Business Premium and higher licence tiers. It operates as a policy engine that sits between a user's login attempt and the resource they are trying to access.

When a user attempts to sign in, Conditional Access evaluates a set of signals — who the user is, what device they are using, where they are signing in from, and what application they are attempting to access. Based on that evaluation, it enforces a policy: allow access, require multi-factor authentication (MFA), require a compliant device, or block access entirely.

Think of it as a sophisticated set of rules that replaces the binary "correct password = access granted" model. A user signing in from a known, managed device in Sheffield gets seamless access. The same user signing in from an anonymous browser in a foreign country is blocked or challenged immediately.

Why Conditional Access Matters for UK SMEs

The majority of successful data breaches begin with compromised credentials. According to the 2025 UK Cyber Security Breaches Survey, 84% of businesses that reported a cyber breach experienced phishing, and credential theft is the primary outcome of phishing attacks. Once an attacker has a valid username and password, basic authentication systems grant them full access.

Conditional Access breaks this attack chain. Even with valid credentials, an attacker cannot access your systems if they are connecting from an unrecognised device or location, or if MFA is enforced and they cannot pass the second factor.

For UK businesses working toward Cyber Essentials or Cyber Essentials Plus certification, Conditional Access directly supports compliance with the access control requirements. For businesses subject to GDPR, it provides a documented, auditable access control mechanism that satisfies the technical security requirements under Article 32.

How Conditional Access Policies Work

A Conditional Access policy has three components: assignments, conditions, and access controls.

Assignments: Who and What

Assignments define which users and applications the policy applies to. You can scope a policy to all users, specific groups (such as your finance team), or individual accounts. You can also scope it to specific cloud apps — for example, applying stricter controls to SharePoint or your finance system than to Teams.

Conditions: Signals Evaluated

Conditions are the risk signals Conditional Access evaluates before making a decision. The most important conditions for UK SMEs include:

Sign-in risk: Microsoft's AI models assess each sign-in attempt and assign a risk level — low, medium, or high — based on signals like impossible travel (signing in from London and then Singapore within minutes), anonymous IP addresses, and known attack patterns.

Device compliance: Whether the device used to sign in is enrolled in Microsoft Intune and meets your organisation's compliance requirements (up-to-date OS, disk encryption, antivirus active).

Location: Named locations allow you to define trusted IP ranges (your office network, VPN) and untrusted ranges (foreign countries, Tor exit nodes). Policies can grant, challenge, or block based on location.

Client application: Some legacy applications cannot perform modern authentication and therefore cannot support MFA. Conditional Access can block access from these legacy clients entirely, which is a requirement for Cyber Essentials compliance.

Access Controls: What Happens

Once conditions are evaluated, the policy enforces one of several controls:

  • Grant access — unconditionally, for low-risk, compliant sign-ins
  • Grant with MFA — require the user to complete a second authentication factor
  • Grant with compliant device — only allow access from Intune-managed devices that meet compliance policy
  • Block access — deny access entirely (used for high-risk locations or legacy authentication)
  • Require password change — if the sign-in risk is high, force a credential reset before granting access

Essential Conditional Access Policies for UK Businesses

AMVIA recommends a baseline set of Conditional Access policies for all UK SME Microsoft 365 tenants. These policies align with NCSC guidance and Cyber Essentials requirements.

Policy 1: Require MFA for All Users

This is the single most impactful policy. It requires all users to complete MFA on every sign-in, or at least on every sign-in that does not come from a trusted, compliant device. This policy alone prevents the majority of credential-based attacks.

Policy 2: Block Legacy Authentication

Older email protocols (SMTP, IMAP, POP3) and older Office versions do not support modern authentication and therefore cannot use MFA. Blocking legacy authentication closes a significant attack vector. Note that this policy requires testing — some line-of-business applications may use legacy protocols and will need to be updated or replaced before blocking is enforced.
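Policy 1 and Policy 2 expressed as Microsoft Graph `conditionalAccessPolicy` objects, together with the pre-flight check a practitioner would run before creating either one. This is an added example, not AMVIA's or Microsoft's code; the break-glass group ID is a constructed placeholder and the policy display names are assumed.

```python
# Added example (not AMVIA's or Microsoft's code): the guide's Policy 1 and
# Policy 2 as Microsoft Graph conditionalAccessPolicy objects, plus a pre-flight
# check for the two deployment mistakes that lock tenants out. Field names and
# enum values follow the Graph v1.0 schema; the group ID is a constructed placeholder.
from typing import Dict, List, Sequence

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000001"  # constructed placeholder ID
REPORT_ONLY = "enabledForReportingButNotEnforced"

def base_policy(name: str, exclude_groups: Sequence[str], report_only: bool) -> Dict:
    """Assignments shared by both baseline policies: all users, all cloud apps,
    minus the emergency access group."""
    return {
        "displayName": name,
        # Deploy in report-only mode first; flip to "enabled" after reviewing sign-in logs.
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
        },
    }

def mfa_all_users_policy(exclude_groups=(BREAK_GLASS_GROUP,), report_only=True) -> Dict:
    """Policy 1: grant access only after MFA, for every user and cloud app."""
    policy = base_policy("CA01 - Require MFA for all users", exclude_groups, report_only)
    policy["conditions"]["clientAppTypes"] = ["all"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy

def block_legacy_auth_policy(exclude_groups=(BREAK_GLASS_GROUP,), report_only=True) -> Dict:
    """Policy 2: block clients that cannot perform modern authentication."""
    policy = base_policy("CA02 - Block legacy authentication", exclude_groups, report_only)
    # "other" covers legacy protocols (IMAP, POP3, SMTP AUTH, older Office); EAS is separate.
    policy["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy

def policy_findings(policy: Dict) -> List[str]:
    """Pre-creation check for a NEW policy: it must exclude an emergency access
    account or group, and it must start life in report-only mode."""
    findings = []
    users = policy["conditions"]["users"]
    if not users.get("excludeGroups") and not users.get("excludeUsers"):
        findings.append("no emergency access (break-glass) exclusion")
    if policy["state"] != REPORT_ONLY:
        findings.append("new policy not in report-only mode")
    return findings
```

Each returned dictionary is the JSON body you would POST to `/identity/conditionalAccessPolicies`; run `policy_findings` on it first and refuse to create anything that returns a non-empty list.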

Policy 3: Require Compliant Device for Sensitive Applications

For applications handling sensitive data — SharePoint, OneDrive, your finance system — require that the accessing device is enrolled in Intune and meets compliance policy. This prevents access from unmanaged personal devices.

Policy 4: Block High-Risk Sign-Ins

Using Microsoft Entra ID Protection's risk signals, automatically block sign-ins assessed as high risk. This catches compromised credentials in real time, even before you are aware of a breach.

Policy 5: Block Access from Specific Countries

If your business has no legitimate reason for users to sign in from certain countries, block those locations. This is a straightforward, low-maintenance policy that eliminates a significant volume of opportunistic attack traffic.

Common Conditional Access Mistakes UK Businesses Make

Enabling Policies in Enforcement Mode Without Testing

Conditional Access policies can lock out users if not carefully tested. The correct approach is to deploy all new policies in report-only mode first, review the sign-in logs to understand the impact, and only switch to enforcement mode once you are confident the policy will not disrupt legitimate access.
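Reviewing the report-only results in the sign-in logs, as an added example that is not part of the original guide: it summarises, per policy, which sign-ins would have been blocked or challenged and which users and client apps would be affected on enforcement. The records follow the Microsoft Graph sign-in log shape but are constructed sample data, and the policy names are assumed.

```python
# Added example (not from the original guide): summarise what a report-only
# Conditional Access policy WOULD have done, from Entra sign-in log records.
# Record shape follows the Microsoft Graph signIn resource (userPrincipalName,
# clientAppUsed, appliedConditionalAccessPolicies); the records are constructed.
from collections import defaultdict
from typing import Dict, Iterable

# Graph result values for policies running in report-only mode.
WOULD_BLOCK = "reportOnlyFailure"          # access would have been denied
WOULD_CHALLENGE = "reportOnlyInterrupted"  # user would have been prompted (e.g. MFA)

LEGACY = "CA02 - Block legacy authentication"  # assumed policy names
MFA = "CA01 - Require MFA for all users"

SAMPLE_SIGNINS = [  # constructed sample records, not real tenant data
    {"userPrincipalName": "finance1@example.co.uk", "clientAppUsed": "IMAP4",
     "appliedConditionalAccessPolicies": [{"displayName": LEGACY, "result": WOULD_BLOCK}]},
    {"userPrincipalName": "scanner@example.co.uk", "clientAppUsed": "Authenticated SMTP",
     "appliedConditionalAccessPolicies": [{"displayName": LEGACY, "result": WOULD_BLOCK}]},
    {"userPrincipalName": "sales2@example.co.uk", "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [
         {"displayName": LEGACY, "result": "reportOnlyNotApplied"},
         {"displayName": MFA, "result": WOULD_CHALLENGE}]},
    {"userPrincipalName": "finance1@example.co.uk", "clientAppUsed": "IMAP4",
     "appliedConditionalAccessPolicies": [{"displayName": LEGACY, "result": WOULD_BLOCK}]},
]

def report_only_impact(signins: Iterable[Dict]) -> Dict[str, Dict]:
    """Per policy: sign-ins it would have blocked or challenged, and the
    (user, client app) pairs that will be affected once it is enforced."""
    impact = defaultdict(lambda: {"would_block": 0, "would_challenge": 0, "affected": set()})
    for s in signins:
        for applied in s.get("appliedConditionalAccessPolicies", []):
            result = applied["result"]
            if result not in (WOULD_BLOCK, WOULD_CHALLENGE):
                continue  # notApplied / success in report-only mode: no user impact
            row = impact[applied["displayName"]]
            row["would_block" if result == WOULD_BLOCK else "would_challenge"] += 1
            row["affected"].add((s["userPrincipalName"], s["clientAppUsed"]))
    return dict(impact)

if __name__ == "__main__":
    # Everything listed under a blocking policy needs remediation (a modern-auth
    # client, or a replaced device) before that policy is switched to enabled.
    for name, row in report_only_impact(SAMPLE_SIGNINS).items():
        print(f"{name}: would block {row['would_block']}, would challenge {row['would_challenge']}")
        for upn, client in sorted(row["affected"]):
            print(f"  {upn} via {client}")
```

In a live tenant the same function runs over the output of the Graph `auditLogs/signIns` endpoint; the repeated `finance1` IMAP4 entries show why counting affected users, not just events, is what matters.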

Not Configuring Break-Glass Accounts

Every Microsoft 365 tenant should have at least two emergency access accounts (sometimes called break-glass accounts) that are excluded from Conditional Access policies. These accounts allow administrators to recover tenant access in the event that a misconfigured policy locks everyone out.

Applying Policies to All Apps When Only Some Need It

Blanket policies create unnecessary friction. MFA on every sign-in to Teams for internal collaboration may be appropriate, but requiring a compliant device to send email may not. Scope policies to the applications and data that justify the control.

Ignoring the Named Locations Configuration

Without defining named locations, Conditional Access cannot distinguish a sign-in from your Sheffield office from one originating overseas. Configuring named locations (your office IP ranges, VPN exit points) allows policies to apply appropriate trust levels and reduces unnecessary MFA challenges for on-site staff.

Conditional Access and Microsoft Intune

Conditional Access works most powerfully in combination with Microsoft Intune for business device management. Intune enforces device compliance policies — requiring disk encryption, OS updates, a screen lock, and antivirus — and Conditional Access enforces that only Intune-compliant devices can access company resources.

This combination is the foundation of a Zero Trust security architecture: never trust, always verify. Every access attempt is evaluated against the user's identity, the device's compliance state, and the context of the sign-in.

For businesses enrolled in Microsoft 365 Business Premium, both Intune and Conditional Access are included in the licence at no additional cost.

Conditional Access Licensing Requirements

Conditional Access requires Microsoft Entra ID P1 licensing as a minimum. This is included in:

  • Microsoft 365 Business Premium
  • Microsoft 365 E3 and E5
  • Microsoft Entra ID P1 and P2 (standalone)
  • Enterprise Mobility + Security E3 and E5

Businesses on Microsoft 365 Business Basic or Business Standard do not have access to Conditional Access unless they purchase Entra ID P1 separately. This is one of the key reasons AMVIA recommends Business Premium for any UK SME with security requirements.

See our comparison of Microsoft 365 Business Premium vs Business Standard for a full breakdown of what each licence tier includes.

How AMVIA Manages Conditional Access for UK Businesses

Configuring Conditional Access correctly requires a thorough understanding of your user base, device estate, applications, and compliance obligations. Misconfiguration is common and can result in either security gaps (policies too permissive) or operational disruption (policies that lock out legitimate users).

AMVIA's managed Microsoft 365 service includes full Conditional Access management:

  • Initial audit of your current Entra ID configuration
  • Design and implementation of a policy set appropriate for your business
  • Report-only mode testing before enforcement
  • Ongoing monitoring of sign-in logs and policy effectiveness
  • Regular review and policy updates as your business changes
  • Integration with Intune device compliance for device-based access control
  • Alignment with Cyber Essentials and ISO 27001 requirements

Our approach is to build a Conditional Access framework that is robust enough to prevent credential-based attacks whilst remaining transparent to your users in day-to-day operations.

Key Points

What UK businesses need to know about Conditional Access.

Enforces MFA Correctly

Conditional Access enforces MFA reliably across all applications — unlike per-user MFA settings which can be inconsistently applied or bypassed.

Blocks Legacy Authentication

Legacy protocols like IMAP and SMTP AUTH do not support MFA. Conditional Access can block these entirely — eliminating one of the most common attack vectors.

Requires Device Compliance

Policies can require devices to be enrolled in Intune and compliant with MDM policies before accessing sensitive applications.

Risk-Based Access

Microsoft Entra ID Protection assigns risk scores to sign-ins. Conditional Access can require MFA or block access automatically when risk is elevated.

Conditional Access Configuration Checklist

  • MFA required for all users via Conditional Access — not just per-user MFA settings
  • Legacy authentication blocked — no IMAP, POP3, or Basic Auth allowed
  • Device compliance required for sensitive applications
  • Admin accounts protected with additional Conditional Access controls
  • Break-glass emergency access account maintained and excluded from policies
  • Policies tested in report-only mode before enforcement

Configure Conditional Access Correctly

AMVIA configures and manages Microsoft 365 Conditional Access policies — enforcing MFA, blocking legacy authentication, and requiring device compliance across your entire tenant.