• United States



Contributing Writer

How to use the new Microsoft 365 Business Conditional Access feature

Jun 26, 20194 mins
Cloud SecuritySecuritySmall and Medium Business

Microsoft 365 Conditional Access lets you automate conditional access controls for cloud applications. If you haven't enabled it yet, you should.

CSO  >  Access protocols  >  Pixelated digital check mark and process arrows.
Credit: Fatido / Getty Images

As of June 2019, Microsoft addeda key security feature to the Microsoft 365 Business offering: Conditional Access. Prior to June, you had to add a subscription to Azure AD Premium Plan 1 to gain the features of Conditional Access. Here’s an explanation of what it is and why you should enable it.

What is Conditional Access?

The Microsoft 365 Business Conditional Access feature allows you to implement automated, conditional access controls for accessing your cloud apps. Cloud services and the ability to access them anywhere is wonderful until you realize that access from anywhere means attackers can access those same applications. A typical office worker doesn’t really need access from anywhere. They only need access from where they work. Conditional access lets you set up policies to restrict access.

How to set up Conditional Access

You can set up these policies either from the old Microsoft 365 Device Management location or the new preview portal location under Azure Active Directory link. To set up a policy, click on “Conditional Access”, then “New”, and then on “New policy”. You will see your options to set policies.

At a minimum you’ll want to set policies for SharePoint and for Online Exchange as those are the two major places where your data resides. You may also wish to purchase Azure licenses to cover additional protection for administrator accounts. For example, you can add separate Azure AD Premium Plan 2 licenses for administrator accounts for additional protection of high-risk accounts. Sign-in risk, for example, needs the P2 license to be enforced.

You can use Conditional Access to limit access by geography. In the Conditional Access section, go into named locations and choose the countries that you will allow access to your resources. Work in a highly regulated industry and want to restrict access to certain IP addresses? You can do this with Conditional Access.

bradley conditional 1 Susan Bradley

Select geographic regions from which you will allow access

You might want to lock down access to Office 365 to company offices, to corporate devices and enable multi-factor authentication.

You can now set the following policies in Microsoft 365 Business license:

  • Limit Users/Groups: You can build policies based on users or groups. Start first by selectively choosing a test user or group. Setting a policy for all users from the start might lock your out. Always make sure you start slowly in setting up policies based on users.
  • Limit by Cloud Applications: Use this to control applications. Start first by controlling the two major applications that are targeted now: Exchange Online and SharePoint.
  • Limit by Client Applications: Use this to control applications or software people use to connect to SharePoint or Exchange. For example, you can select to allow Desktop Outlook applications but block web browsers.
  • Limit by Device Platform: Use this to control which devices users are allowed to connect with. For example, you can allow Apple iPhones but block Android.
  • Limit by Location: Use this to control what IPs can connect to Office 365. For example, you’ll probably want to limit or block access from countries you don’t normally do business with.

To set up a sample policy, click “Azure Active Directory”, then on “Conditional Access”, then on “New policy”. Name the policy with a logical name. Select “Assignments” and then select a small group of users. Select “Cloud apps”, then select “Selected apps”. Select “Office 365 Exchange Online” and “SharePoint”. Select “Conditions” to determine what you will use to set restrictions.

bradley conditional 2 Susan Bradley

Select Office 365 Exchange and Sharepoint

As you can see, Conditional Access policies are extremely powerful. I recommend that you add this feature to your Office 365 subscription if you do not have it already. It can provide a great deal of protection for your online assets.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author