
Well, that is done by leveraging Conditional Access Policies within your Microsoft 365 tenant.
This is a way to ensure that if a user in your business wants to access a resource, they must comply with certain requirements. At their simplest, these policies are if-then statements. For example, if a user wants to use email, then they must authenticate with multifactor authentication before access is granted.
There are several conditional access policies we recommend for every Microsoft 365 tenant. However, the ability to use such policies depends on the license level you have. If you haven't already read our blog on licensing, we recommend you do so; it can be found here. The reason we recommended Business Premium is that it also includes a Microsoft Entra ID P1 license within the package. If you want to leverage any risk-based policies, you will need to add a Microsoft Entra ID P2 license.
1. Require multifactor authentication for all users
2. Require multifactor authentication for Azure management
3. Require multifactor authentication for admins
4. Block legacy authentication
5. Block logins from specific locations (i.e., outside the US or your country of operation)
6. Require an App Protection Profile for iOS and Android
7. Require devices to be marked as compliant

To create a policy manually:
1. Log into the Microsoft Entra admin portal
2. On the left, navigate to Protection and select Conditional Access
3. Select Policies directly under Overview
4. Select New Policy
5. Give the Policy a name
6. Under assignments select the blue text under Users
7. Add those you want to include and/or exclude
8. Select the blue text under Target Resources
9. Add what the policy should apply to and then include and/or exclude any resources
10. Select the blue text under Conditions
11. Add any configurations needed
12. Select the blue text under Grant
13. Choose to grant or block access and any additional requirements
14. Select the blue text under Sessions
15. Choose any controls needed
16. Navigate to the very bottom where it says Enable Policy
17. Make sure you start your policy in Report Only
18. After a few weeks and a review of the logs, you can then move this to On.
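
The same procedure scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post: it creates policies 1 and 4 from the recommended list in report-only mode and skips any that already exist. The display names and the `$BreakGlassId` placeholder (an emergency-access account excluded under step 7) are assumptions.

```powershell
# Added example; requires the Microsoft.Graph PowerShell module.
# $BreakGlassId is a placeholder (assumption): substitute the object ID of the
# emergency-access account you exclude in step 7.
$BreakGlassId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

# Steps 6-9: who and what each policy applies to.
$users = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
$apps  = @{ includeApplications = @('All') }

# Display names below are hypothetical; pick your own naming scheme (step 5).
$policies = @(
    @{  # Recommended policy 1: require MFA for all users
        displayName   = 'REPORT - Require MFA for all users'
        state         = 'enabledForReportingButNotEnforced'   # step 17: Report Only
        conditions    = @{ users = $users; applications = $apps; clientAppTypes = @('all') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Recommended policy 4: block legacy authentication
        displayName   = 'REPORT - Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{ users = $users; applications = $apps
                           clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
)

# Avoid creating duplicates when the script is run more than once.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($existing.DisplayName -contains $p.displayName) {
        Write-Host "Skipping (already exists): $($p.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created in report-only mode: $($created.DisplayName) [$($created.Id)]"
}

# Step 18, after reviewing the sign-in logs: enforce a policy by its ID.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId '<policy-id>' `
#     -BodyParameter @{ state = 'enabled' }
```

Nothing is enforced while the state is `enabledForReportingButNotEnforced`; the sign-in logs show what each policy would have done, which is the review step 18 refers to.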
If you don't want to create the policies manually, Microsoft does have some prebuilt templates available. Instead of clicking New Policy, select New Policy from Templates and follow the prompts.
If you don't feel comfortable creating the policies, reach out and we would be more than happy to help you put some in place at a reasonable price.