Microsoft 365 Security: Conditional Access Beyond Azure

Conditional Access isn't just for Azure resources. Here's how to protect your M365 environment with smart access policies.

Parveen Singh
December 28, 2025
5 min read

If you've implemented Conditional Access for Azure resources, you already know how effective it is. Many organizations stop there, though, and leave their Microsoft 365 environment with weaker protection.

M365 apps like Exchange, SharePoint, and Teams hold your organization's most sensitive data. They deserve the same security attention as your Azure infrastructure.

Why M365 Needs Different Policies

Azure Conditional Access and M365 Conditional Access use the same engine — Entra ID. But the use cases differ:

Azure resources:

  • Accessed by admins and developers
  • Often from known, managed devices
  • Typically through Azure Portal or CLI

M365 apps:

  • Accessed by everyone in the organization
  • Often from personal devices and phones
  • Through web browsers, desktop apps, and mobile apps

One-size-fits-all policies don't work. You need policies tailored to how people actually use M365.

Essential M365 Conditional Access Policies

Policy 1: Require MFA for All M365 Apps

This should be your baseline. No exceptions for "it's just email."

Configuration:

  • Users: All users (exclude break-glass accounts)
  • Cloud apps: Office 365
  • Conditions: All client apps
  • Grant: Require multi-factor authentication

Why: Email is the number one attack vector. If an attacker gets credentials, MFA is your last defense.

Policy 2: Block Legacy Authentication

Legacy authentication protocols (POP, IMAP, SMTP) can't prompt for MFA, so a stolen password is all it takes to sign in. That is exactly why attackers love them.

Configuration:

  • Users: All users
  • Cloud apps: Office 365
  • Conditions: Client apps → Exchange ActiveSync and Other clients
  • Grant: Block

Before enabling: Audit sign-in logs for legacy auth usage. You might have legacy applications or devices that need migration first.

Policy 3: Require Compliant Devices for Desktop Apps

For organizations with Intune, enforce device compliance:

Configuration:

  • Users: All users
  • Cloud apps: Office 365
  • Conditions: Device platforms → Windows, macOS
  • Grant: Require device to be marked as compliant

Why: Ensures corporate data is only accessed from managed, secure devices.

Policy 4: App Protection for Mobile

Not everyone has company phones. Use app protection policies instead of blocking mobile entirely:

Configuration:

  • Users: All users
  • Cloud apps: Office 365
  • Conditions: Device platforms → iOS, Android
  • Grant: Require app protection policy

Pair with: Intune App Protection Policies that enforce encryption and a PIN and prevent data leakage.

Policy 5: Location-Based Restrictions for Sensitive Apps

Restrict access to sensitive apps from untrusted locations:

Configuration:

  • Users: All users (or specific groups)
  • Cloud apps: SharePoint Online, Exchange Online
  • Conditions: Locations → Exclude trusted locations
  • Grant: Require MFA + Require compliant device

Named locations to define:

  • Office IP ranges
  • VPN exit points
  • Trusted partner locations

Policy 6: Block High-Risk Sign-ins

If you have Entra ID P2, use Identity Protection:

Configuration:

  • Users: All users
  • Cloud apps: All cloud apps (or Office 365)
  • Conditions: Sign-in risk → High
  • Grant: Block

For medium risk: Require MFA instead of blocking.

Policy 7: Session Controls for Unmanaged Devices

Allow access but limit what users can do from personal devices:

Configuration:

  • Users: All users
  • Cloud apps: Office 365
  • Conditions: Filter for devices → Device not compliant and device not registered
  • Session: Use app enforced restrictions

Effect: Users can view but not download files from unmanaged devices (requires SharePoint and Exchange configuration).
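The seven policies above are described as portal settings. The same definitions can be created through the Microsoft Graph conditionalAccessPolicy resource, and the added example below (mine, not code from the post) builds Policy 1, Policy 2 and Policy 6 as Graph request bodies, defaults every new policy to report-only, and lints for the break-glass omission described later under "Common Mistakes to Avoid". The display names and the break-glass group id are placeholders; submitting the bodies (Graph REST or the Microsoft Graph PowerShell SDK) is outside the block.

```python
import json

# Enum values from the Graph conditionalAccessPolicy schema.
STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}
CLIENT_APP_TYPES = {"all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"}
GRANT_CONTROLS = {"block", "mfa", "compliantDevice", "domainJoinedDevice",
                  "approvedApplication", "compliantApplication", "passwordChange"}
# Placeholder for the object id of the break-glass accounts group (constructed, not real).
BREAK_GLASS_GROUP = "<break-glass-group-object-id>"

def ca_policy(name, grant, *, apps=("Office365",), client_apps=("all",),
              exclude_groups=(BREAK_GLASS_GROUP,), extra_conditions=None,
              state="enabledForReportingButNotEnforced"):
    """Build a Graph conditionalAccessPolicy body. The default state is
    report-only, so the policy shows up in sign-in logs before it is enforced."""
    for values, allowed, field in ((set(client_apps), CLIENT_APP_TYPES, "clientAppTypes"),
                                   (set(grant), GRANT_CONTROLS, "builtInControls"),
                                   ({state}, STATES, "state")):
        if values - allowed:
            raise ValueError(f"unknown {field}: {sorted(values - allowed)}")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": list(apps)},
            "clientAppTypes": list(client_apps),
            **(extra_conditions or {}),
        },
        # AND when every listed control must be satisfied (e.g. MFA + compliant device).
        "grantControls": {"operator": "AND" if len(grant) > 1 else "OR",
                          "builtInControls": list(grant)},
    }

def lint(policy):
    """Flag the mistakes listed under 'Common Mistakes to Avoid' before submitting."""
    problems = []
    if BREAK_GLASS_GROUP not in policy["conditions"]["users"]["excludeGroups"]:
        problems.append("break-glass group not excluded")
    if "block" in policy["grantControls"]["builtInControls"] and policy["state"] == "enabled":
        problems.append("blocking policy created directly in enforced state; start report-only")
    return problems

# Policies 1, 2 and 6 from the post as Graph request bodies (display names are constructed).
POLICIES = [
    ca_policy("CA01 Require MFA for Office 365", ["mfa"]),
    ca_policy("CA02 Block legacy authentication", ["block"], client_apps=["exchangeActiveSync", "other"]),
    ca_policy("CA06 Block high-risk sign-ins", ["block"], extra_conditions={"signInRiskLevels": ["high"]}),
]
POLICY_JSON = [json.dumps(p, indent=2) for p in POLICIES]  # bodies ready to POST to /identity/conditionalAccess/policies
```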

M365-Specific Considerations

Teams

Teams is a gateway to SharePoint, OneDrive, and more. A policy on Teams indirectly protects all connected data.

Tip: Test Teams policies thoroughly. They affect meetings, chat, and file sharing differently.

Exchange Online

Email has unique challenges:

  • Mobile devices expect persistent connections
  • Outlook desktop caches credentials
  • Calendar sharing crosses organizational boundaries

Tip: Use the "Sign-in frequency" session control to force reauthentication periodically, even with cached credentials.

SharePoint and OneDrive

Control at the document level:

  • Unmanaged device restrictions (view-only)
  • Download blocking for sensitive sites
  • External sharing policies

Tip: Combine Conditional Access with SharePoint-specific settings for layered protection.

Implementation Strategy

Phase 1: Audit and Baseline (Week 1-2)

  1. Enable report-only mode for proposed policies
  2. Review sign-in logs for patterns
  3. Identify legacy auth users
  4. Document current device compliance rates
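Policy 2's pre-check ("audit sign-in logs for legacy auth usage") and step 3 of Phase 1 are the same task. The added example below (mine, not from the post) runs that audit over sign-in log records in the shape of a Graph /auditLogs/signIns export; the records and user names are constructed, and the rule treats every clientAppUsed value other than "Browser" and "Mobile Apps and Desktop clients" as legacy authentication.

```python
import json
from collections import defaultdict

# Values of the sign-in log "clientAppUsed" field that use modern authentication;
# anything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records shaped like a Graph /auditLogs/signIns export, one JSON object per line.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}}
{"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
"""

def is_legacy(record):
    """True when the sign-in used a protocol that Policy 2 would block."""
    return record.get("clientAppUsed") not in MODERN_CLIENTS

def legacy_auth_report(jsonl_text):
    """Return (successes, failures): successes maps each user to the legacy
    protocols they signed in with and how often; failures counts rejected
    legacy attempts per user, kept apart so that password-spray noise against
    IMAP/SMTP is not mistaken for a real application dependency."""
    successes = defaultdict(lambda: defaultdict(int))
    failures = defaultdict(int)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_legacy(rec):
            continue
        upn = rec["userPrincipalName"]
        if rec.get("status", {}).get("errorCode", 0) == 0:
            successes[upn][rec["clientAppUsed"]] += 1
        else:
            failures[upn] += 1
    return {u: dict(p) for u, p in successes.items()}, dict(failures)

if __name__ == "__main__":
    ok, failed = legacy_auth_report(SAMPLE_SIGNINS)
    for upn, protocols in sorted(ok.items()):  # each of these needs migrating before Policy 2 is enforced
        print(f"{upn}: {protocols}")
    print("rejected legacy attempts per user:", failed)
```

Users with successful legacy sign-ins are the migration list for Policy 2; a user with only failures is a detection lead, not a dependency.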

Phase 2: MFA Rollout (Week 3-4)

  1. Enable MFA for pilot group
  2. Communicate to users before enforcement
  3. Expand to all users
  4. Handle exceptions temporarily

Phase 3: Device Policies (Week 5-8)

  1. Deploy Intune device compliance policies
  2. Enable "require compliant device" for pilot
  3. Address devices falling out of compliance
  4. Expand enforcement

Phase 4: Advanced Controls (Week 9+)

  1. Implement risk-based policies
  2. Add session controls
  3. Enable location restrictions
  4. Continuous monitoring and refinement

Common Mistakes to Avoid

Locking Out Admins

Always have break-glass accounts excluded from all policies. Test thoroughly before enabling blocking policies.

Forgetting Service Accounts

Service accounts, room mailboxes, and automated processes might fail with new policies. Audit and create appropriate exclusions.

Too Aggressive Too Fast

Enabling everything at once causes help desk floods. Phase your rollout and communicate.

Not Testing Mobile

Policies that work on desktop may break mobile apps. Test on iOS and Android before enforcing.

Measuring Success

Track these metrics:

  • Sign-in success rate (should stay stable)
  • MFA adoption rate (should reach 100%)
  • Legacy auth sign-ins (should drop to zero)
  • Risky sign-ins blocked (should see blocks happening)
  • Help desk tickets (spike during rollout, then decline)

Beyond Conditional Access

Conditional Access is one layer. Complete M365 security includes:

  • Data Loss Prevention (DLP) policies
  • Microsoft Defender for Office 365
  • Sensitivity labels for documents
  • Audit logging and SIEM integration

But Conditional Access is the foundation. Get this right first.

Your users access M365 every day, from everywhere, on every device. That flexibility is a feature — and a risk. Smart Conditional Access policies let you keep the flexibility while managing the risk.

Start with MFA. Block legacy auth. Build from there.
