1300 002 001
Follow Us  —Fb. /Lk. /X. /Ig.

Glossary

Conditional Access

A Microsoft Entra ID feature that gates sign-ins based on context — user, location, device compliance, sign-in risk — and applies controls like MFA or block.

Conditional Access is the policy engine inside Microsoft Entra ID (formerly Azure AD) that decides what happens when a user tries to sign in. Each policy evaluates a set of signals — who the user is, where they’re connecting from, what device they’re using, how risky the sign-in looks — and applies a control: allow, require MFA, require a compliant device, or block.

It’s the layer that turns MFA from “on or off” into something context-aware.

A sensible baseline for Australian SMBs

  • Block legacy authentication — protocols like POP, IMAP, and SMTP basic auth bypass MFA. Turn them off.
  • Block sign-ins from outside AU/NZ unless the user has a travel exception in place. Cuts out the vast majority of opportunistic credential-stuffing.
  • Require MFA for all users, with phishing-resistant MFA for privileged roles.
  • Require a compliant (Intune-managed) device for administrative roles and access to sensitive applications.
  • Block or step-up high-risk sign-ins flagged by Entra ID Protection’s risk signals.

How Symsafe uses it

Conditional Access is the spine of Symsafe’s Microsoft 365 hardening work. Every managed tenant is configured against this baseline as part of the cybersecurity and Microsoft 365 engagements, with policy changes recorded through change management — no silent edits to production identity controls.

— Related services

← Back to glossary