If someone told you that your Microsoft 365 environment lets anyone log in from any device, anywhere in the world, as long as they have the right password, would that concern you?
It should. Unless you have Microsoft's Security Defaults switched on or have configured Conditional Access policies, that is exactly how your tenant behaves: a correct password gets in from any device, in any country, at any hour.
Conditional Access is the Microsoft 365 feature that lets you control who can access what, from where, on which devices, and under what conditions. It needs a Microsoft Entra ID P1 licence, which is included in Business Premium and the enterprise plans (E3 and E5), but the majority of Perth businesses we audit haven't turned it on.
This guide explains what Conditional Access does, why it matters, and what a Conditional Access consultant actually configures. In plain English.
What Conditional Access actually does
Think of Conditional Access as a bouncer at the door of your Microsoft 365 environment. Instead of letting everyone in who shows an ID (password), the bouncer also checks:
- Are you on a trusted device? Is this a company-managed laptop, or a random computer in an internet café?
- Where are you logging in from? Is this from Australia, or from a country where none of your staff have ever been?
- Have you passed MFA? Did you verify your identity with a second factor (phone, authenticator app)?
- What are you trying to access? Just email, or the finance SharePoint with all your client data?
- Is your device compliant? Is the operating system up to date? Is the hard drive encrypted? Is antivirus running?
Based on these signals, Conditional Access can allow access, block access, require additional verification, or limit what you can do (for example, allowing you to read email on a personal device but not download attachments).
Why most Perth businesses need it
Your password is not enough
Even with MFA enabled (which you should already have), there are scenarios where you want more control:
- A staff member's personal phone is stolen. It has the Microsoft Authenticator app and can approve MFA prompts.
- Someone logs in from an unmanaged personal laptop with no antivirus. They can now sync your entire OneDrive to an insecure device.
- A former contractor's device still has cached credentials and offline access to SharePoint files.
- An attacker steals a session token (from a phishing proxy or malware on the PC, for example) and replays it. The MFA the real user completed now counts for the attacker.
Conditional Access gives you a control for each of these: require a compliant or app-protected device before a session is issued, limit unmanaged devices to the browser with no download or sync, shorten sign-in frequency so cached access expires, and revoke sessions in near real time. It is a layer, not a complete fix. The stolen phone still needs its authentication methods and sessions revoked in Entra, and a token stolen from a compliant device is still valid until it expires or is revoked.
Compliance and client requirements
If your business works with government clients, enterprise companies, or in regulated industries, you're increasingly being asked to demonstrate security controls. Conditional Access is one of the most commonly audited controls, and one of the easiest to evidence.
For businesses working towards Essential Eight maturity (the Australian Signals Directorate's cybersecurity framework), Conditional Access directly supports the multi-factor authentication control and helps with restricting administrative privileges, for example by requiring MFA and a managed device for any account that holds an admin role. It does not cover application control, which is about which executables are allowed to run on your endpoints.
Insurance questionnaires
Cyber insurance applications now routinely ask whether you have Conditional Access policies in place. Having them configured can reduce your premium and strengthen your position if you ever need to make a claim.
What a Conditional Access consultant configures
Here's what we typically set up for Perth businesses. The exact policies depend on your size, industry, and risk profile, but these are the standard building blocks:
Baseline policies (every business should have these)
- Require MFA for all users. Every sign-in requires a second factor. No exceptions for "it's annoying."
- Block legacy authentication. Basic authentication for older protocols (IMAP, POP3, SMTP AUTH, older Exchange ActiveSync clients) sends a username and password with no way to prompt for MFA, which is why password-spray attacks target it. Exchange Online has been retiring basic authentication protocol by protocol, but a Conditional Access block is the tenant-wide control that catches whatever is left, including third-party apps and devices (scanners, line-of-business tools) that still use it. In the policy these show up as the client app types "Exchange ActiveSync clients" and "Other clients".
- Require MFA for admin access. Scope a policy to your admin roles and the Microsoft admin portals, require MFA, and set the sign-in frequency to "every time" so an existing browser session is not enough. An admin who is already signed in still gets a fresh prompt when they open the admin centre.
- Block sign-ins from countries you don't operate in. Create a named location for the countries your staff work from and travel to, and block everything else (or at minimum block countries none of your staff will ever sign in from). Treat this as noise reduction rather than a hard boundary: location is based on IP geolocation, and attackers routinely route through VPNs or residential proxies inside Australia. You also need a process for staff travel so this policy doesn't become your first exclusion.
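Here is what three of those baseline policies look like when created through the Microsoft Graph PowerShell SDK. This is an added example for this guide, not a script from the original article or from Microsoft; the policy names and the two break-glass account object IDs are placeholders, and it assumes the Microsoft.Graph modules are installed and you hold a role that can write Conditional Access policies. Every policy is created in report-only mode, which is where it should stay until the sign-in logs show it does what you expect.

```powershell
# Added example (not the article's or Microsoft's own script): create three
# baseline Conditional Access policies in report-only mode with the Microsoft
# Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Emergency access ("break-glass") accounts are excluded from EVERY policy so a
# mistake can never lock you out of the tenant. Placeholder IDs; look yours up with:
#   Get-MgUser -Filter "startsWith(userPrincipalName,'breakglass')" | Select-Object Id, UserPrincipalName
$breakGlass = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder object ID
    "00000000-0000-0000-0000-000000000002"    # placeholder object ID
)

# "Report-only" in the portal is this state value in the Graph API.
$reportOnly = "enabledForReportingButNotEnforced"

# Policy 1: block legacy (basic) authentication. Legacy protocols appear in
# Conditional Access as the client app types "exchangeActiveSync" and "other".
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for every user on every cloud app (modern clients only;
# legacy clients are handled by the block above).
$requireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 3: admins get a fresh MFA prompt every time they open an admin portal,
# so an already-signed-in (or stolen) browser session is not enough.
# 62e90394-... is the well-known Global Administrator role template ID; add the
# other admin roles your tenant uses. "MicrosoftAdminPortals" is the Graph value
# for the "Microsoft Admin Portals" application group.
$adminMfa = @{
    displayName     = "CA003 - Admin portals require MFA every time"
    state           = $reportOnly
    conditions      = @{
        users          = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = $breakGlass
        }
        applications   = @{ includeApplications = @("MicrosoftAdminPortals") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

foreach ($policy in @($blockLegacy, $requireMfa, $adminMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  {1}  state={2}" -f $created.Id, $created.DisplayName, $created.State
}

# After the report-only period, enforce one policy at a time:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = "enabled" }
```

The grant operator is "OR" because each policy asks for a single control; if you later add "require compliant device" alongside MFA and want both, switch the operator to "AND". Keep the break-glass exclusion on every policy you add afterwards, including the device and risk policies below.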
Device-based policies (for businesses with Intune)
- Require compliant devices for desktop apps. Only allow the full Outlook, Teams, and OneDrive clients from devices that are enrolled in Intune and marked compliant. "Compliant" means whatever your Intune compliance policy says it means (disk encryption, current updates, antivirus running), so that policy has to exist before this grant control does anything useful.
- App protection on personal devices. Allow staff to use Outlook and Teams on personal phones, but require an Intune app protection policy (the "Require app protection policy" grant), which encrypts the app's data, blocks copy-paste of company data into personal apps, and lets you wipe company data only, leaving the person's photos and messages alone.
- Restrict unmanaged device access. Allow browser-only access from unmanaged devices, with no downloading, printing, or syncing. This is the "Use app enforced restrictions" session control, backed by the matching unmanaged-device settings in SharePoint Online and Exchange Online.
Session-based policies (for sensitive data)
- Sign-in frequency. Require re-authentication every 8 hours for standard users, every 1 hour for admin accounts.
- Persistent browser sessions. Turn off "stay signed in" on shared or unmanaged devices with the "Persistent browser session: never persistent" session control. This control only behaves correctly when the policy targets all cloud apps, so scope it that way.
- Continuous Access Evaluation. CAE is on by default for the services that support it (Exchange Online, SharePoint Online, Teams); the session control lets you keep it enabled, or strictly enforce location, rather than switching it off. It shortens the window in which a disabled user, a revoked session, or a sign-in from a newly blocked location still has a working token, but only for CAE-capable clients and services.
Risk-based policies (for businesses with Entra ID P2)
- Block high-risk sign-ins. Microsoft Entra ID Protection scores each sign-in for anomalies (impossible travel, anonymous proxies, IP addresses linked to malware). A sign-in risk policy blocks high-risk sign-ins outright and can demand MFA for medium-risk ones.
- Force a password change on compromised credentials. If ID Protection's leaked-credentials detection finds a user's username and password in a known breach, the user-risk policy requires a secure password change (MFA first, then a new password) before access continues.
Common mistakes we see
MFA but no Conditional Access. Per-user MFA or Security Defaults on their own are good. MFA enforced through a Conditional Access policy is much better, because CA gives you the granularity to handle exceptions, enforce device compliance, and respond to risk signals.
Too many exclusions. "This policy applied to everyone... except the CEO who found it annoying, the marketing contractor who uses a Mac, and the receptionist on a shared PC." Every exclusion is a hole in your security posture. The one exclusion every tenant should have is a pair of emergency access ("break-glass") accounts, excluded from every policy, with long random passwords kept offline and an alert on any sign-in, so a broken policy can never lock you out of your own tenant.
No testing before deployment. Conditional Access policies can lock people out if misconfigured. Always create a policy in report-only mode first, check it against specific users and apps with the What If tool, review the sign-in logs for what it would have blocked, and only then enforce.
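Reviewing a report-only policy in the portal one sign-in at a time gets old quickly. The script below, an added example rather than anything from the original article, pulls the last week of sign-ins through the Microsoft Graph PowerShell SDK and lists who a named report-only policy would have blocked. It assumes the Microsoft.Graph.Reports module, a reader role for sign-in logs, and that the policy is named as in the placeholder below; adjust the name to match your tenant.

```powershell
# Added example (not the article's own tooling): summarise what a report-only
# Conditional Access policy WOULD have done over the last 7 days, so the people
# it would lock out are known before the policy is switched to "On".
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Assumption for this example: the policy under test has this display name.
$policyName = "CA001 - Block legacy authentication"

# Graph can filter sign-ins by time; the per-policy outcome is filtered locally.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# A result of "reportOnlyFailure" means: had the policy been enforced, this
# sign-in would have been blocked or would have failed the required control.
$wouldFail = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object {
        $_.DisplayName -eq $policyName -and $_.Result -eq "reportOnlyFailure"
    }
    if ($hit) {
        [pscustomobject]@{
            When      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            ClientApp = $s.ClientAppUsed      # e.g. "IMAP4", "Exchange ActiveSync", "Browser"
            Country   = $s.Location.CountryOrRegion
            IP        = $s.IpAddress
        }
    }
}

if (-not $wouldFail) {
    "No sign-ins in the last 7 days would have been affected by '$policyName'."
    return
}

# One row per user/app pairing: this is your day-one lockout list. For a legacy
# auth block, expect to see scanners, old mail clients and scripted mailboxes
# here; each needs a modern-auth replacement before enforcement, not an exclusion.
$wouldFail |
    Group-Object User, App, ClientApp |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = "User / App / Client"; Expression = { $_.Name } } |
    Format-Table -AutoSize

# Optional: keep the raw rows for the change record.
$wouldFail | Export-Csv -Path ".\ca-report-only-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once a week for the whole report-only period, not just once: the first pass shows everyday usage, the later passes catch the month-end finance process and the contractor who only logs in fortnightly. Exporting the CSV also gives you the evidence an auditor or insurer will ask for that the policy was tested before enforcement.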
Copy-pasting policies from the internet. Every business is different. A policy that works for a 500-person enterprise will frustrate a 15-person trades business. The policies need to match your risk profile, your devices, and how your people actually work.
How long does it take to set up?
For a typical Perth SMB with Business Premium licences and Intune:
| Phase | Duration |
|---|---|
| Discovery and risk assessment | 2-3 hours |
| Policy design and documentation | 1 day |
| Report-only deployment and testing | 1-2 weeks |
| Full enforcement | 1 day |
| Staff communication and training | 1-2 hours |
Total elapsed time is usually 2-3 weeks, but the actual hands-on work is only a few days. The testing period is critical. You want to see how the policies interact with your real-world usage patterns before enforcing them.
What it costs
Conditional Access consulting is typically part of a broader M365 security hardening engagement. As a standalone project:
- Baseline CA policy setup (the four baseline policies above): $1,500-$2,500
- Full CA + Intune deployment (baseline, device-based and session-based policies): $3,000-$6,000
- Enterprise CA with risk-based policies (all twelve): $5,000-$10,000
These are one-off project costs. Ongoing monitoring and policy adjustments are included in our managed M365 support plans.
Do you need a consultant or can you DIY?
Microsoft has built some good wizards and templates into the Entra admin centre. If you're comfortable navigating the Microsoft 365 admin portal and you understand the implications of each policy, you can set up basic Conditional Access yourself.
Where a consultant adds value:
- Knowing which policies to apply and which to skip for your specific business
- Testing and validating that nothing breaks before enforcement
- Handling the edge cases: shared mailboxes, service accounts, guest users, legacy applications that don't support modern authentication
- Documenting everything so your policies can be audited, reviewed, and understood by whoever manages your environment next
Get started
We offer a free Microsoft 365 Security Assessment that includes a review of your current Conditional Access configuration (or lack thereof). You'll get a clear picture of where your gaps are and a prioritised list of what to fix first.
Book your free security assessment →
Learn more about our Modern Workplace consulting →
A Dark Cloud Creative is a Perth-based Microsoft 365 consultancy specialising in Conditional Access, security hardening, Intune device management, and ongoing managed M365 support for small businesses and growing teams.