Conditional Access explained, the most underrated feature in Microsoft 365

By Michal Lampe Sørensen · 5 min read · 22 April 2026

Last updated: 29 April 2026

TL;DR

Conditional Access is policy-based access control that determines who can access what, from where and from which devices. It requires Entra ID P1 which is included in Business Premium ($22/mo), E3, E5 and E7. If you handle sensitive data, CA is non-negotiable.

What is Conditional Access?

Conditional Access is the most underrated feature in all of Microsoft 365, and one of the most in-demand in 2026, because both NIS2 and the Danish D-mærket framework require documented access management. Many companies pay for E3 or E5 but have never configured Conditional Access. It's like buying an alarm system but never turning it on.

Conditional Access is rules for who can access what, from where. Instead of everyone just logging in with username and password, you define policies:

  • Only approved devices can access SharePoint
  • MFA is always required from locations outside your country
  • Basic Authentication (the old password-only auth method in Exchange) is completely blocked
  • Risky sign-ins are automatically blocked

It's the difference between "we have MFA" and "we have a documented security policy." The documented part is precisely what NIS2 and D-mærket assume.

Real-world examples

Here are 5 CA policies we configure for almost every customer:

1. Block sign-in from unknown locations: An employee's account gets compromised. The hacker tries to sign in from Russia. CA blocks it automatically; your employee notices nothing.

2. Require MFA on new devices: An employee signs in from a new computer. CA requires MFA verification. From known devices, they get through without it.

3. Managed devices only for SharePoint: Personal phones can use Teams and email, but SharePoint (with all company documents) requires an Intune-managed device.

4. Block Basic Authentication: The vast majority of password spray attacks use Basic Auth (the old password-only auth method in Exchange without MFA support). One CA rule blocks it completely. Modern IMAP/POP3 with OAuth is not the same thing; what you specifically need to shut down is Basic Auth.

5. Require compliant device for admin portals: Only devices meeting your security policies (BitLocker, updated OS) can access Azure Portal and Admin Center.

What does Conditional Access require?

CA requires Entra ID P1 (formerly Azure AD P1). The plans that include it:

  • Business Basic ($7/mo), not included
  • Business Standard ($14/mo), not included
  • Business Premium ($22/mo), included
  • Microsoft 365 E3 ($39/mo), included
  • Microsoft 365 E5 ($60/mo), included
  • Microsoft 365 E7 ($99/mo), included

Business Premium ($22/mo) is the cheapest plan with Conditional Access. That's why I recommend Premium over Standard for businesses with 10+ employees.

Entra ID P1 can also be purchased as a standalone add-on at $6/user/mo, but that rarely makes sense. Business Premium includes it along with Intune and Defender.

MFA vs Conditional Access, what's the difference?

Most people confuse the two. The simple explanation:

MFA:

  • A tool: "Confirm with your phone"
  • On or off, same for everyone
  • Free in all Microsoft 365 plans

Conditional Access:

  • A policy engine: "WHEN is MFA required? From WHICH devices? For WHICH apps?"
  • Can differentiate based on user, location, device, risk
  • Requires Entra ID P1 (Business Premium+)

Example: With MFA alone, everyone confirms at every login. With CA, you can say: "MFA is only required from unknown locations or new devices; from the office on managed devices, you get through without it."

MFA is a lock. Conditional Access is the security policy that decides when the lock activates.
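To make the "policy engine" point concrete, here is a small added model (not code from the article or from Microsoft) that encodes the five example policies above plus the risky sign-in block as conditions and controls, and evaluates constructed sign-ins the way Conditional Access combines policies: every matching policy applies, a block in any of them wins, and otherwise the grant controls of all matching policies must all be satisfied. The home country, app names and the sample sign-ins are assumptions for illustration.

```python
from dataclasses import dataclass

HOME_COUNTRY = "DK"  # assumption: the tenant's trusted named location

@dataclass
class SignIn:
    app: str                # "Teams", "Exchange", "SharePoint", "AzurePortal", ...
    country: str            # country of the sign-in IP
    device_known: bool      # device seen/registered before
    device_compliant: bool  # Intune reports it meets policy (BitLocker, patched OS)
    client: str             # "modern" (OAuth) or "basic" (legacy auth)
    risky: bool = False     # Identity Protection flagged the sign-in

# (name, condition, control); a control is "block" or a grant requirement.
POLICIES = [
    ("Block sign-in from unknown locations", lambda s: s.country != HOME_COUNTRY, "block"),
    ("Require MFA on new devices", lambda s: not s.device_known, "mfa"),
    ("Managed devices only for SharePoint", lambda s: s.app == "SharePoint", "compliant_device"),
    ("Block Basic Authentication", lambda s: s.client == "basic", "block"),
    ("Compliant device for admin portals", lambda s: s.app in ("AzurePortal", "AdminCenter"), "compliant_device"),
    ("Block risky sign-ins", lambda s: s.risky, "block"),
]

def required_controls(s):
    """All matching policies apply together: a block anywhere wins; otherwise
    the grant controls of every matching policy are combined."""
    hits = [(name, ctl) for name, cond, ctl in POLICIES if cond(s)]
    blocks = [name for name, ctl in hits if ctl == "block"]
    if blocks:
        return "block", blocks
    return "grant", sorted({ctl for _, ctl in hits})

def decide(s, mfa_completed=False):
    """Final outcome once the user has (or has not) satisfied the controls."""
    verdict, detail = required_controls(s)
    if verdict == "block":
        return "blocked by: " + ", ".join(detail)
    satisfied = {"mfa": mfa_completed, "compliant_device": s.device_compliant}
    missing = [c for c in detail if not satisfied[c]]
    return "allowed" if not missing else "needs: " + ", ".join(missing)

if __name__ == "__main__":
    # Constructed sign-ins matching the article's scenarios.
    office = SignIn("Teams", "DK", True, True, "modern")        # managed device at the office
    abroad = SignIn("Exchange", "RU", True, True, "modern")     # compromised account, foreign IP
    new_pc = SignIn("Exchange", "DK", False, False, "modern")   # first sign-in from a new computer
    phone_sp = SignIn("SharePoint", "DK", True, False, "modern")  # personal phone opening SharePoint
    legacy = SignIn("Exchange", "DK", True, True, "basic")      # Basic Auth from a known device
    for s in (office, abroad, new_pc, phone_sp, legacy):
        print(s.app, s.country, s.client, "->", decide(s))
```

Note that the office case passes with no prompt at all, which is exactly what a plain tenant-wide MFA toggle cannot express.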

My recommendation

In 2026, Conditional Access is effectively a hygiene baseline for European businesses, not only for those handling obviously sensitive data. NIS2 and D-mærket expect documented access management, and MFA alone does not provide that documentation.

My recommendation:

On Business Basic or Standard? Upgrade to Business Premium. The extra $8-15/user/mo gives you CA, Intune and Defender, three things you're missing.

Already on Premium or E3? Check if CA is actually configured. Many organizations pay for it without using it. Start with the 5 policies from the examples section.

Truly small (under 5 employees) with no sensitive data and no NIS2/compliance ambitions? You can start with Security Defaults, Microsoft's free tenant-wide MFA policy that covers the basics. But remember it's an all-or-nothing policy with no granularity. The moment you take on customer or personal data, you need to move up to CA.

It takes 30 minutes to configure basic CA policies. The effect lasts forever.

Frequently asked questions

What is Conditional Access?

Conditional Access is Entra ID's policy engine that decides when, from where, and under what conditions users may sign in. Examples: require MFA from unknown locations, block sign-in from unknown devices, require compliant device to access Exchange. It's the foundation for Zero Trust architecture.

Which Microsoft 365 plans have Conditional Access?

Conditional Access requires Entra ID P1, included in Business Premium ($22/mo), Microsoft 365 E3 ($39/mo), E5 ($60/mo), and E7 ($99/mo). Business Basic and Standard only have Security Defaults (all-or-nothing MFA), not granular Conditional Access.

What's the difference between MFA and Conditional Access?

MFA is the two-factor verification itself. Conditional Access is the policy that decides when MFA is required. With MFA alone, everyone confirms at every login. With Conditional Access, you can say: 'MFA only from unknown locations, on managed devices from the office users can sign in directly'.