Many companies consider the topic of sign-in security closed the moment they turn on MFA. That is understandable, because the second factor really does block the vast majority of simple attacks on passwords. The problem is that attackers have learned to bypass the second factor on its own: through session hijacking, notification fatigue, or old protocols that MFA does not cover at all. Conditional access in Entra ID is the layer that closes these gaps, because it turns sign-in from a single gate into a decision based on context.

From a gate to a decision

A classic sign-in asks one question: do you know the password and the code. Conditional access adds more: who is signing in, from where, from what device, in what situation, and how risky it looks. Only on that basis does the system decide whether to let you in, let you in with extra verification, or block you.

In practice, a conditional access policy consists of two parts:

  • Conditions, that is when the rule should apply: a given group of users, an application, a location, a device type, or a level of risk.
  • Controls, that is what should happen then: requiring MFA, requiring a compliant device, limiting the session, or blocking access.

MFA answers the question of whether it is you. Conditional access answers the question of whether you are allowed in under these conditions. Only together do they form a sensible barrier, because they close routes that the second factor alone cannot see.

Policies worth starting with

You do not need to build dozens of rules straight away. A few basic ones close off the most real attack routes.

  1. Blocking legacy authentication. Old protocols such as IMAP, POP3 and SMTP AUTH do not understand MFA. Blocking them is a single change that closes the most common gap.
  2. Requiring a compliant device. Access to company data only from managed devices that meet policy, for example through Intune.
  3. Responding to sign-in risk. When Microsoft flags anomalies, for example a sign-in from an unusual location, the system requires extra verification or blocks the attempt.
  4. Phishing-resistant MFA for administrators. FIDO2 keys or Windows Hello instead of SMS codes for the accounts whose takeover hurts the most.

Watch out for locking yourself out

Conditional access is powerful, but that is exactly why you have to roll it out carefully. The most common mistake is a rule that is too broad and blocks everyone, including the administrator who created it.

  • Always leave an emergency administrative account exempt from restrictive policies.
  • Test new rules in report-only mode before you enable them in production.
  • Roll out in stages, on a chosen pilot group, rather than across the whole company at once.

These three principles save you a very unpleasant phone call in which the entire organisation suddenly cannot sign in.

Conditional access and Zero Trust

Conditional access is the practical realisation of the Zero Trust approach in the Microsoft world. Instead of assuming that someone is trusted just because they are on the company network, every sign-in is assessed separately, based on the current context. The network stops being the boundary of trust, and identity together with device health becomes that boundary instead.

This is a change that pairs well with monitoring what happens after sign-in. Signals from Microsoft Defender can feed the risk assessment, so a compromised account is sent for extra verification or blocking more quickly.

Summary

Conditional access does not replace MFA, it gives MFA meaning in the real world of attacks. It is what decides whether a sign-in with a stolen token from the other side of the world is stopped, or passes without a trace. The foundation of the whole thing is order in Entra ID, because without a clean base of accounts and devices even the best policy will be full of holes. If you want to roll out conditional access sensibly, without the risk of locking out your own team, we will help you design policies around how your company actually works. Start with a conversation about who signs in to your cloud today, from where, and from what.