Last month, Microsoft announced via a blog post that Microsoft 365 Business subscriptions would now include Azure Active Directory (AD) Conditional Access policies. For those who don't know, Conditional Access policies were previously only available to Azure AD premium subscribers. The feature allows a tenant administrator to define policies about how an Azure AD user account may authenticate.

However, if you are not using Microsoft 365 and are still using the Office 365 plans, Conditional Access is still available to you albeit in a more limited fashion.

Logging into my own tenant as an administrator, heading to Azure AD and then Security, I can see the Conditional Access heading.

Conditional Access in Microsoft 365

You can see I have several predefined (preview) policies to choose from, but the rest of the settings are grayed out, and a heading says I need an Azure AD Premium subscription. With an Azure AD Premium subscription or Microsoft 365, you would have full access to Conditional Access, but let's take a quick look at these preview policies.

Conditional Access policies

Block legacy authentication

This policy blocks all sign-ins using legacy authentication protocols that don't support multi-factor authentication (MFA), such as IMAP, POP, or SMTP. The policy does not block Exchange ActiveSync.

You may have seen some information recently recommending the disabling of basic authentication in Exchange Online. That is done via PowerShell: you create a new authentication policy for Exchange Online and then apply the policy to your users. Here, we can accomplish the same result with a simple on or off button.

Disabling Basic or Legacy authentication really should be the default position.
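The PowerShell route described above, as an added example that is not from the article: it creates an Exchange Online authentication policy that blocks Basic authentication, pilots it on one user, and then makes it the tenant default. The policy name and the pilot user's UPN are placeholder assumptions.

```powershell
# Added example (not from the article): block Basic/legacy authentication in
# Exchange Online with an authentication policy. Requires the
# ExchangeOnlineManagement module and an account holding the
# Organization Management role.
# Assumptions (placeholders): the policy name and the pilot mailbox UPN.
Connect-ExchangeOnline

$policyName = 'Block Basic Auth'               # assumed policy name
$pilotUser  = 'pilot.user@contoso.example'     # placeholder UPN

# A new authentication policy created without any -AllowBasicAuth* switch
# blocks Basic authentication for every protocol (IMAP, POP, SMTP, ActiveSync,
# MAPI, Outlook Anywhere, PowerShell, ...).
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Check: every AllowBasicAuth* property on the policy should read False.
Get-AuthenticationPolicy -Identity $policyName |
    Format-List Name, AllowBasicAuth*

# Step 1: apply the policy to a pilot user first, then invalidate the user's
# existing tokens so the block takes effect now rather than when cached
# tokens expire.
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
Set-User -Identity $pilotUser -STSRefreshTokensValidFrom (Get-Date)

# Step 2: once the pilot shows no broken clients, make the policy the tenant
# default so it covers every user (including new accounts) that has no
# explicitly assigned policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Verification: list any user still carrying a different explicit policy,
# which would override the tenant default.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -notlike "*$policyName*" } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Note that, unlike the preview policy described above, an authentication policy created this way also blocks Basic authentication for Exchange ActiveSync, so check for older mobile mail clients before making it the default.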

Require MFA for admins

This policy requires MFA for certain directory roles. Again, rather than relying on manually enabling MFA for your admin accounts, enabling this policy will prompt those with any administrator role to register for MFA and block them from logging in until they have done so.

End user protection

This policy protects users by requiring MFA during risky sign-in attempts to all applications. It blocks users with leaked credentials from signing in until they reset their password.

Enabling the policy requires users to register for MFA within 14 days of their first login attempt. The default method of MFA registration is via the Microsoft Authenticator app.

Similar to the "Require MFA for admins" policy, this policy will encourage users to set up MFA on their accounts and insist upon it after 14 days. I have had some pushback from some of my clients about insisting they use MFA for their accounts.

The most common complaint is having to install an app on their personal phones, even if they do not want their work email on their phones. For these staff, we have compromised on either disabling all access to their accounts except MAPI or preferably having them receive an SMS code for authentication. It is also worth remembering that MFA can call you on a mobile or a desk phone.

Require MFA for Service Management

This policy requires users logging into services that rely on the Azure Resource Manager API to perform MFA.

This policy seems a little redundant to me, since chances are that if you are logging in to the Azure Portal, Azure CLI, or PowerShell, you will be doing some sort of service administration, which means you would be using an administrator account already covered by a previous policy. However, I think that is more a reflection of my client base than of actual use cases, as people who use Azure to manage web hosting or development may not be administrators of your tenant.


Conclusion

Although these policies may seem limited compared with what you get in the "full" Conditional Access policies, they are a very strong baseline to build on for clients who may be small enough to be using only an Exchange Online license but still need the extra protection of enforcing MFA for admins or blocking legacy authentication mechanisms.

  1. paul gillespie 3 years ago

    It appears Conditional Access is not available to Business Essentials or Business Premium subscribers, only for Business.... any idea why?

  2. Just for clarity, Conditional Access is available with Microsoft 365 Business subscription. It is not available with Office 365 Business, Office 365 Business Premium or Office 365 Business Essentials subscription. This is just the way Microsoft has bundled their offering. Conditional Access is supported with Azure AD Premium subscription. Office 365 subscription comes with a free edition of Azure AD, which could be upgraded to Premium to get access to Conditional Access feature.

  3. Eugene 2 years ago

    It looks like MFA for admins also enables the Block legacy authentication policy which you may not want to do if your environment is not ready for it.

  4. Darrell 2 years ago

    If you enable end-user protection baseline policy and want text, not the auth app, how do you change that?

  5. Dazwang 2 years ago

    How do you change the default from Auth app to text if you enable baseline end-user protection? We're going to have lots of complaints if we try and force an app on their personal devices. 

© 4sysops 2006 - 2022