Microsoft 365 Conditional Access lets you automate conditional access controls for cloud applications. If you haven't enabled it yet, you should.

Credit: Fatido / Getty Images

As of June 2019, Microsoft added a key security feature to the Microsoft 365 Business offering: Conditional Access. Prior to June, you had to add a subscription to Azure AD Premium Plan 1 to gain the features of Conditional Access. Here’s an explanation of what it is and why you should enable it.

What is Conditional Access?

The Microsoft 365 Business Conditional Access feature allows you to implement automated, conditional access controls for accessing your cloud apps. Cloud services and the ability to access them anywhere is wonderful until you realize that access from anywhere means attackers can access those same applications. A typical office worker doesn’t really need access from anywhere. They only need access from where they work. Conditional access lets you set up policies to restrict access.

How to set up Conditional Access

You can set up these policies either from the old Microsoft 365 Device Management location or the new preview portal location under Azure Active Directory link. To set up a policy, click on “Conditional Access”, then “New”, and then on “New policy”. You will see your options to set policies.

At a minimum you’ll want to set policies for SharePoint and for Online Exchange as those are the two major places where your data resides. You may also wish to purchase Azure licenses to cover additional protection for administrator accounts. For example, you can add separate Azure AD Premium Plan 2 licenses for administrator accounts for additional protection of high-risk accounts. Sign-in risk, for example, needs the P2 license to be enforced.

You can use Conditional Access to limit access by geography. In the Conditional Access section, go into named locations and choose the countries that you will allow access to your resources.
Work in a highly regulated industry and want to restrict access to certain IP addresses? You can do this with Conditional Access.

[Figure: Select geographic regions from which you will allow access. Credit: Susan Bradley]

You might want to lock down access to Office 365 to company offices, to corporate devices and enable multi-factor authentication. You can now set the following policies in the Microsoft 365 Business license:

Limit Users/Groups: You can build policies based on users or groups. Start first by selectively choosing a test user or group. Setting a policy for all users from the start might lock you out. Always make sure you start slowly in setting up policies based on users.

Limit by Cloud Applications: Use this to control applications. Start first by controlling the two major applications that are targeted now: Exchange Online and SharePoint.

Limit by Client Applications: Use this to control applications or software people use to connect to SharePoint or Exchange. For example, you can select to allow Desktop Outlook applications but block web browsers.

Limit by Device Platform: Use this to control which devices users are allowed to connect with. For example, you can allow Apple iPhones but block Android.

Limit by Location: Use this to control what IPs can connect to Office 365. For example, you’ll probably want to limit or block access from countries you don’t normally do business with.

To set up a sample policy, click “Azure Active Directory”, then on “Conditional Access”, then on “New policy”. Name the policy with a logical name. Select “Assignments” and then select a small group of users. Select “Cloud apps”, then select “Selected apps”. Select “Office 365 Exchange Online” and “SharePoint”. Select “Conditions” to determine what you will use to set restrictions.

[Figure: Select Office 365 Exchange and SharePoint. Credit: Susan Bradley]

As you can see, Conditional Access policies are extremely powerful.
I recommend that you add this feature to your Office 365 subscription if you do not have it already. It can provide a great deal of protection for your online assets.
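
The sample policy described above can also be written as the JSON body that the Microsoft Graph conditionalAccessPolicy resource accepts, which makes it possible to check a policy before it is enabled. This is an added example, not code from the original article: the group and named-location IDs are placeholders, the report-only state is an assumption, and the lint rules only encode the article's advice (pilot group first, cover Exchange Online and SharePoint, leave an allowed location).

```python
# Added example: the article's sample policy as a Microsoft Graph
# conditionalAccessPolicy body, plus a lint encoding its rollout advice.
import json

# Well-known application IDs for the two services the article says to cover first.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"

def build_pilot_policy(pilot_group_id, allowed_location_id):
    """Block Exchange Online/SharePoint for a pilot group outside one named location."""
    return {
        "displayName": "PILOT - Block EXO/SPO outside allowed countries",
        "state": "enabledForReportingButNotEnforced",  # assumption: report-only while piloting
        "conditions": {
            "users": {"includeGroups": [pilot_group_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [allowed_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def lint_policy(policy):
    """Return findings for the settings the article warns about."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if "All" in users.get("includeUsers", []) and not (
            users.get("excludeUsers") or users.get("excludeGroups")):
        findings.append("targets all users with no exclusion: lockout risk")
    apps = set(cond.get("applications", {}).get("includeApplications", []))
    if not ({"All", "Office365"} & apps):
        for name, app_id in (("Exchange Online", EXCHANGE_ONLINE),
                             ("SharePoint", SHAREPOINT_ONLINE)):
            if app_id not in apps:
                findings.append(f"{name} is not covered")
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    locs = cond.get("locations", {})
    if blocks and "All" in locs.get("includeLocations", []) and not locs.get("excludeLocations"):
        findings.append("blocks every location: no allowed named location excluded")
    return findings

if __name__ == "__main__":
    # Constructed placeholder IDs; substitute your own group and named-location IDs.
    policy = build_pilot_policy("<pilot-group-object-id>", "<allowed-named-location-id>")
    print(json.dumps(policy, indent=2))
    print(lint_policy(policy) or "no findings")
```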