Upcoming Webinar > Cyber Security 2026 – The Path to Resilience for SMBs
  • Thursday, February 19, 2026
Contact
Microsoft CoPilot Logo over background of team working together in office setting.

MFA Isn’t Enough: How to Add Conditional Access the Right Way

Identity security for Microsoft 365

If you already have MFA, you are ahead of most attackers. But modern account takeover is no longer just “steal a password, log in.” Today’s playbooks focus on stealing tokens, tricking users into approving sign-ins, and abusing gaps in how access is granted. Conditional Access is how you close those gaps with smart, context-aware rules.

What you will walk away with

  • Why MFA is not enough and the most common ways attackers still get in.
  • A Conditional Access blueprint you can implement without locking out your team.
  • Phishing-resistant MFA plus device and location rules for real-world resilience.
  • A rollout plan using report-only testing, ring deployments, and metrics that prove progress.

Want Conditional Access that improves security without breaking sign-ins?

MSP Corp designs and deploys Conditional Access the way it should be done: staged rollout, measurable outcomes, and guardrails that keep your tenant usable. Start with a fast, practical assessment and a prioritized policy plan.

  • Policy blueprint aligned to Microsoft 365 and Entra best practices
  • Report-only testing and safe rollout to prevent lockouts
  • Coverage for admins, guests, BYOD, legacy auth, and risky sign-ins
Request a Quote

Why MFA isn’t enough anymore

Microsoft has long recommended MFA because it dramatically reduces account compromise when the attack is password-based. The problem is not that MFA is “bad.” The problem is that attackers adapted. They now aim to steal tokens, proxy the sign-in, or social-engineer the approval.

Microsoft Authenticator sign-in approval prompt on a smartphone
MFA prompts are often the last “human” control in the chain. Conditional Access adds the context and guardrails around that control.

Common MFA bypass paths we see in Microsoft 365 environments

Reality check: If your tenant accepts sign-ins from any device, any location, and any app, MFA becomes a single speed bump. Conditional Access is how you add the rest of the roadblocks.

  • Adversary-in-the-middle (AiTM) phishing: the attacker proxies a real login and steals the session cookie or token after MFA completes.
  • Device code phishing: the user is tricked into entering a device code, giving the attacker a token without ever seeing the victim’s password.
  • Token theft and replay: if a token is stolen, the attacker may not need to re-enter MFA until the session is revoked.
  • MFA fatigue / push bombing: users get spammed with approvals until one is accepted under pressure or confusion.
  • Legacy authentication: older protocols can bypass modern controls and are heavily used in spray and stuffing attacks.

This is why strong identity security is layered. MFA is the baseline, not the finish line. For incident readiness, pair access controls with a tested response plan, such as our Incident Response Plan Template (for SMBs).

What Conditional Access actually does

Microsoft Entra Conditional Access is a policy engine that evaluates context at sign-in and enforces rules like “require MFA,” “require a compliant device,” or “block access” when conditions are risky. In plain terms, it is a secure, flexible “if-this-then-that” system for access.

Simple definition: Conditional Access lets you decide who can access what, from where, on which devices, and with which authentication methods, then enforces that decision automatically.

Conditional Access is not a single policy

A mature setup is a small set of policies that work together, each one easy to understand and test. Think “seatbelts, airbags, and crumple zones,” not one giant rule that does everything.

Before you build policies: prerequisites that prevent lockouts

1) Confirm licensing and scope

Many Conditional Access capabilities require Microsoft Entra ID P1 (or higher) for users who benefit from the feature. Advanced risk-based controls (user risk and sign-in risk) require Entra ID Protection (typically Entra ID P2). If you are unsure what you have, review your licensing and identity roadmap before rollout.

2) Create emergency access (break-glass) accounts

Every tenant needs emergency access accounts that are protected, monitored, and excluded from Conditional Access policies that could lock out admins. This is one of the fastest ways to avoid a tenant-wide outage during a rollout.

3) Inventory your “who, what, where”

Conditional Access gets easier when you document the basics:

  • Who: admins, standard users, VIP users, contractors, guests, service accounts.
  • What: Microsoft 365, Azure portal, third-party SSO apps, legacy email clients, VPN, line-of-business apps.
  • Where: office networks, remote work, travel, partner sites, known risky geographies.
  • Device posture: corporate managed devices, BYOD, mobile device management (MDM) coverage, endpoints that must stay online.

If your Microsoft 365 environment is growing quickly, the operational side matters too. Use the Microsoft 365 Administration Checklist: Weekly, Monthly, Quarterly Tasks to keep identity and device hygiene from drifting over time.

The Conditional Access blueprint that works for most SMB and mid-market teams

Below is a practical set of policies that cover the majority of real-world attack paths while keeping user impact predictable. Implement them in report-only first, then roll out in rings.

Policy 1: Block legacy authentication

Applies to: All users (with careful exclusions) Apps: Exchange Online, Microsoft 365 Outcome: Block
  • Condition: client apps or authentication flows that use legacy protocols.
  • Control: block access.
  • Notes: validate any scanners, printers, or LOB apps first, then migrate them to modern auth methods.

Policy 2: Require MFA for all users, all cloud apps

Applies to: All users Apps: All cloud apps Outcome: Require MFA
  • Condition: any sign-in to cloud apps.
  • Control: require multi-factor authentication.
  • Notes: use strong registration hygiene and reduce approval fatigue (number matching, limited methods, training).

Policy 3: Require phishing-resistant MFA for privileged roles

Applies to: Admins and privileged groups Apps: Admin portals and sensitive apps Outcome: Strong auth required
  • Condition: admin portals, Azure, security tools, identity management.
  • Control: require “phishing-resistant” authentication strength (for example, FIDO2 or passkeys where feasible).
  • Notes: this is one of the highest ROI moves you can make for identity hardening.

Policy 4: Block high-risk sign-ins or force step-up

Applies to: All users (or prioritized groups) Apps: Microsoft 365 and critical SaaS Outcome: Block or require strong auth
  • Condition: sign-in risk or user risk thresholds (requires Entra ID Protection).
  • Control: block access, or require stronger authentication plus a password reset workflow.
  • Notes: tune thresholds with your SOC to avoid alert noise.

Policy 5: Require compliant or hybrid-joined devices for sensitive data

Applies to: Users accessing sensitive workloads Apps: SharePoint, OneDrive, Exchange Outcome: Compliant device required
  • Condition: access to sensitive apps or labeled sites.
  • Control: require device compliance, or limit session (browser-only, no downloads) for unmanaged endpoints.
  • Notes: pair this with mobile device management and baseline endpoint controls.

Policy 6: Control guest and external collaboration

Applies to: Guests and external users Apps: Teams, SharePoint, M365 Outcome: MFA required, limited access
  • Condition: external user access to collaboration workloads.
  • Control: require MFA or authentication strength; apply session limits where appropriate.
  • Notes: prevent “shadow guest access” from becoming a back door.

Policy 7: Restrict access by location, but do it carefully

Applies to: Admins and high-value groups Apps: Admin portals Outcome: Named locations, step-up MFA
  • Condition: unknown or untrusted network locations.
  • Control: require strong MFA, restrict access to trusted IPs for admin portals if practical.
  • Notes: focus on privileged roles first to avoid travel-related friction for all staff.

Policy 8: Reduce token risk with session controls

Applies to: High-risk apps and groups Apps: M365 web apps Outcome: Limits, reauth, controls
  • Condition: unmanaged devices, risky contexts, sensitive resources.
  • Control: set sign-in frequency where justified, limit persistent browser sessions, restrict downloads on unmanaged devices.
  • Notes: do not “set everything to short sessions.” Use risk and sensitivity to drive the rule.

What about AI and Copilot access?

AI features increase the value of a compromised identity because one account can expose far more information, faster. If you are rolling out Microsoft 365 Copilot, align identity rules with your data boundaries first. Use the Microsoft 365 Copilot Readiness Checklist (Data, Security, Licensing) and formalize ownership using AI Governance for IT Teams: RACI, Approvals, and Change Control.

Rollout plan: how to add Conditional Access without breaking work

Most Conditional Access failures are not “bad security ideas.” They are rollout mistakes. Use this staged plan to keep business impact low while you increase control.

1

Start with report-only policies

Build each policy in report-only mode so you can see impact before enforcement. Review sign-in logs and policy results daily during the rollout window.

2

Use rings: IT team, then power users, then everyone

Roll out to a small group first, then expand. Keep a simple rollback plan: disable policy, confirm recovery, then adjust and re-test.

3

Protect admins first

Privileged identities are the highest impact targets. Add phishing-resistant MFA for admins and tighten portal access early.

4

Block legacy authentication with a controlled exception process

Identify what still uses legacy auth, create a migration plan, then block. If you must allow an exception, make it time-bound and reviewed.

5

Add device rules next: compliant devices or limited sessions

Start by limiting unmanaged access to browser-only where appropriate, then move critical groups to compliant-only. This often pairs well with Managed Infrastructure Services.

6

Instrument and monitor

Track policy blocks, risky sign-ins, and user friction. If you have 24/7 coverage, ensure alerts get prioritized and acted on. If you are evaluating what coverage should include, read What’s Included in 24/7 IT Support (and What Isn’t).

7

Document the baseline and make ownership explicit

Conditional Access is not “set and forget.” Assign owners for policy changes, exceptions, and quarterly reviews. If IT responsibility is unclear or reactive, it may be time to re-evaluate your provider using When to Switch MSPs: 12 Red Flags and a Transition Checklist.

Misconfigurations that quietly weaken Conditional Access

  • One mega-policy: hard to troubleshoot, hard to roll back, easy to break.
  • Overusing location rules: IP ranges change, users travel, and “unknown locations” can create constant friction.
  • Allowing weak MFA methods for high-value access: step up to phishing-resistant methods for admins and sensitive apps.
  • Not revoking sessions after an incident: password resets alone do not always remove token-based access. Pair response with session revocation.
  • Ignoring guest access: external collaboration without guardrails becomes an identity blind spot.
  • Skipping governance: exceptions grow until policies stop meaning anything.

Operational tip: If you cannot confidently answer “who approved this exception and why,” the exception process is the risk. Tighten change control and align with your broader governance model.

How to measure whether Conditional Access is working

“No one complained” is not a security metric. Track a few simple indicators and review them monthly:

  • Legacy auth attempts blocked: should trend down as dependencies are removed.
  • Token-risk signals: suspicious session patterns, repeated prompts, unusual device registrations.
  • Admin protection coverage: percent of privileged users on phishing-resistant MFA.
  • Device posture coverage: percent of active endpoints that are compliant and managed.
  • Helpdesk friction: reductions in “MFA is broken” tickets after method cleanup and training.

How MSP Corp implements Conditional Access for Canadian organizations

MSP Corp’s approach is built for mature SMB and mid-market teams that need stronger security and less noise: clear policies, staged rollout, and operational follow-through. We typically run this as part of a broader cybersecurity program, aligned to Cybersecurity Services.

Our delivery model

  • Assessment: current state review, sign-in patterns, legacy dependencies, admin roles, guest exposure.
  • Policy design: blueprint mapped to your apps, devices, and risk tolerance.
  • Pilot and rollout: report-only testing, rings, user comms, rollback guardrails.
  • Operationalization: documentation, exception workflow, monitoring, quarterly reviews.

If you need hands-on execution, MSP Corp can lead the rollout end-to-end, or partner with your internal IT team through IT Consulting Services and IT Staff Augmentation. If you are moving to phishing-resistant methods like security keys and need help sourcing and standardizing them, we also support IT Procurement Services.

FAQ

Do we really need Conditional Access if we already have MFA?

Yes, if you want to reduce modern takeover paths like token theft, risky sign-ins, and unmanaged device access. Conditional Access adds context and enforcement around MFA, rather than relying on one control in isolation.

What is the safest place to start?

Start with report-only policies, protect admin roles with stronger authentication, and block legacy authentication once you have validated dependencies. Then add device-based controls for sensitive workloads.

Will Conditional Access slow down our users?

A well-designed setup usually improves the experience. Most users see fewer surprise prompts when authentication methods are cleaned up and rules are consistent. The key is targeting stronger controls where risk is higher, not forcing maximum friction everywhere.

What should we do after a suspected account takeover?

Containment usually requires more than password resets. You will often need to revoke sessions and validate MFA methods and mailbox rules. Use a documented response process like our Incident Response Plan Template (for SMBs) so the steps are repeatable under pressure.

How does this relate to cyber insurance and compliance?

Many frameworks and insurers expect strong access controls, especially for admin access and remote access. Conditional Access helps you demonstrate practical controls like MFA enforcement, device posture requirements, and blocked legacy authentication, with logs that can support evidence requests.

Get a Conditional Access policy plan you can trust

If IT feels reactive and security feels noisy, Conditional Access is a fast way to reduce risk and improve control. We will help you implement the right policies, in the right order, with the right guardrails.

Request a Quote

Sources and further reading

Stay in the Loop about IT News!

Subscribe to our newsletter and get the latest industry trends, expert tips, and actionable insights delivered straight to your inbox. Stay informed, stay competitive, and never miss an update!