Conditional Access: additional security without frustrating users

Previously, we discussed the need for multi factor authentication (MFA) and its benefits. However, there is one major drawback with MFA; it’s either on or off. This means that once enabled, MFA will be required in the office, at home, on a corporate device, on a personal device and for all applications.

Whilst this is a big tick for security, it can result in a frustrating user experience. Nobody wants to be seeing additional security prompts when opening Outlook, if they are sat at their desk in the office. Chances are they have already proven their identity when entering the building.

Ideally, when it comes to enforcing or relaxing our additional security measures, we want to use some logic in our decision making. Perhaps specifying a variety of conditions that can be evaluated automatically, in order to decide if and how an individual can make use of an application? Well, Microsoft have a feature for that, called Conditional Access.

What is It Conditional Access?

Conditional Access is a policy-based, decision-making tool that can allow or deny the use of an application, based on a set of conditions being met. It can be used to provide secure access to all applications and services that exist in Microsoft 365, as well as any third-party web-based applications in use. Conditional Access is an excellent accompaniment to multi factor authentication as it unlocks the ability to selectively enforce MFA, based on what an individual is accessing and from where they are accessing it. Using Conditional Access, we can skip MFA all together for our users in the office. We can also skip it for our users on trusted corporate devices, but we can still enforce it for those on personal devices.

And it’s not just about being smart with MFA. Conditional Access can be used to create company-wide or user specific policies, such as only allowing access to 365 services from an approved application or device platform. Do you want to allow access to email, but only when the individual is in the office, the application is Outlook Mobile and the device type is Android? Conditional Access can do that.

How does it work?

Conditional Access uses the concept of if this, then that. With each policy created, we specify a condition that must be met and the outcome. For example, if the individual is in the office, then grant access to SharePoint. This is a basic policy that consists of a single condition and a single action, to emphasise the logic used to allow or prevent someone from accessing an application.

However, Conditional Access provides much more granularity than that, should you need it. More complex policies can specify multiple conditions and actions, that apply to different users and groups. This can include guest or external users.

More complex policies are typically used when we want multiple conditions to be met in order to grant access. For example, the individual should be in a trusted location and on an approved device and using an approved app. If all conditions are met, access will be granted. If only two conditions are met, access will be granted but MFA will be required. If only one condition is met, access will be denied.

Why do I need it?

Conditional Access is an essential part of a good security posture. The feature allows you to close common security holes such as legacy and weak authentication methods, untrusted third-party applications and data access from unknown devices.

What’s more, it allows you to do so without compromising on the user experience. The granularity of the feature means that we can strike the right balance between security and usability. The right level of protection can be applied at the exact time it is needed. This removes the requirement for overbearing, blanket security policies that hinder staff performance and efficiency in one scenario, in order to protect against another.

How do I get it?

Conditional Access is part of Active Directory Premium P1. This is available as a standalone product or included in Microsoft 365 Business Premium, E3 and E5. The feature is also included in Enterprise Mobility and Security (EMS). If you have any of these plans, you will be able to start using Conditional Access right away.

With a myriad of plans available and the recent name changes of Microsoft’s Office 365 plans, it can be difficult to understand whether you have a feature and how best to access it.

If you would like clarification on your plan, the security features available or how best to implement them then reach out to one of our team, who will be happy to discuss the options.

How can LIMA help?

Conditional Access is a complex feature with literally hundreds of use cases. While there are a couple of best practice recommendations to follow during implementation, the policies created will mostly be aligned to your specific security requirements.

LIMA can work with you to map out those requirements as part of a wider assessment and align them to intelligent, multi-layer policies in Conditional Access. Through our Microsoft 365 Security Assessment service, we can capture your existing security posture, highlighting areas of potential weakness. From here we can map Microsoft 365 security capabilities to your security objectives and requirements, providing a prioritised and actionable Microsoft 365 security roadmap.

Speak to your account manager or email enquiries@lima.co.uk to find out more about how LIMA can help secure your mobile workforce with our Microsoft 365 Assessment Services.

Contact us Back to News & Events

Access your data from anywhere, using SharePoint and OneDrive

Access your data from anywhere, using SharePoint and OneDrive

Using Microsoft Cloud App Security to secure your data outside of Microsoft 365

Using Microsoft Cloud App Security to secure your data outside of Microsoft 365

Data Loss Prevention: a layered approach to security across information, identities and devices

Data Loss Prevention: a layered approach to security across information, identities and devices

Our awards & accreditations.

For the past 20 years, we’ve been solving business challenges by designing and delivering intelligent IT solutions with a passion for technical excellence and customer satisfaction.

We’d love to hear from you.

If you have a question you'd like to ask, we’d love to answer it.
Fill in the contact form below and we’ll get back to you as soon as possible.

Head Office
6 Digital Park
Pacific Way
Salford Quays
Manchester
M50 1DR
0345 345 1110
We’d love to hear from you.

If you have a question you'd like to ask, we’d love to answer it.

Contact Us

Manchester
6 Digital Park
Pacific Way
Salford Quays
Manchester
M50 1DR

0345 345 1110