Microsoft Entra · Conditional Access
Conditional Access. Trust nothing. Verify everything.
IronSights are Microsoft Entra Conditional Access specialists. We design, test, and enforce Zero Trust policies that stop credential-based attacks without locking out your workforce.
Conditional Access is the identity engine of Microsoft 365. Every sign-in evaluated against user, device, location, and risk signals — then allowed, blocked, or challenged. We configure it properly.
Our methodology
Report-only first. No surprise lockouts.
Bad Conditional Access policy design can lock users out of their accounts. We deploy every policy in report-only mode, analyse your real sign-in logs, and only then enforce.
Break-glass accounts maintained before any enforcement changes. You will never be locked out of your own tenant.
Discovery
Audit existing Conditional Access policies, sign-in logs, named locations, and device compliance state. Understand what's in place and what's missing.
Design
Design a complete policy set covering MFA, device compliance, location, sign-in risk, and privileged access — built around your user groups and application portfolio.
Report-only
Deploy all policies in report-only mode first. Analyse sign-in logs over 5–10 business days to identify legitimate traffic that would be blocked.
Enforce
Flip policies to enforcement mode in phases. Break-glass accounts maintained throughout. You will never be locked out of your own tenant.
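The report-only step above works by reading the sign-in logs after the policies have been deployed in report-only state. The following Python is an added example (not IronSights' tooling) of that analysis run offline: it assumes sign-in records exported in the shape of the Microsoft Graph signIn resource, where each entry in `appliedConditionalAccessPolicies` carries a `result` of `reportOnlySuccess`, `reportOnlyFailure`, `reportOnlyNotApplied` or `reportOnlyInterrupted`. The six records and the two policy names are constructed for the example; the contoso.example users are fictitious.

```python
"""Report-only impact analysis over exported Microsoft Entra sign-in records.

Added example, not IronSights' tooling. Assumes records in the shape of the
Microsoft Graph signIn resource (GET /auditLogs/signIns). Sample data below is
constructed for the example.
"""
from collections import Counter, defaultdict

# clientAppUsed values that Conditional Access treats as legacy authentication
LEGACY_AUTH_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Other clients"}

# report-only result codes as they appear in the sign-in log, bucketed for review
RESULT_BUCKET = {
    "reportOnlyFailure": "would_block",      # user would have been denied
    "reportOnlySuccess": "would_pass",       # user already satisfies the grant controls
    "reportOnlyInterrupted": "interrupted",  # user would have been prompted (e.g. MFA setup)
    "reportOnlyNotApplied": "not_applied",   # policy conditions did not match this sign-in
}

POLICIES = ["CA001 Block legacy auth", "CA002 Require MFA all users"]  # constructed names


def _rec(upn, app, client, country, *results):
    """Build one constructed sign-in record with the subset of fields used here."""
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "location": {"countryOrRegion": country},
            "appliedConditionalAccessPolicies": [
                {"displayName": n, "result": r} for n, r in zip(POLICIES, results)]}


SAMPLE_SIGNINS = [  # constructed sample covering the cases a reviewer must triage
    _rec("alice@contoso.example", "Office 365 Exchange Online", "Browser", "AU",
         "reportOnlyNotApplied", "reportOnlySuccess"),
    _rec("scanner@contoso.example", "Office 365 Exchange Online", "Authenticated SMTP", "AU",
         "reportOnlyFailure", "reportOnlyFailure"),      # a scan-to-email device using SMTP AUTH
    _rec("bob@contoso.example", "Office 365 Exchange Online", "IMAP4", "AU",
         "reportOnlyFailure", "reportOnlyFailure"),      # an old mail client
    _rec("carol@contoso.example", "Microsoft Teams", "Browser", "NZ",
         "reportOnlyNotApplied", "reportOnlyInterrupted"),  # would be prompted for MFA
    _rec("dave@contoso.example", "Microsoft Teams", "Mobile Apps and Desktop clients", "AU",
         "reportOnlyNotApplied", "reportOnlySuccess"),
    _rec("eve@contoso.example", "Office 365 Exchange Online", "POP3", "AU",
         "reportOnlyNotApplied", "reportOnlyNotApplied"),  # legacy client the policy missed
]


def report_only_impact(signins):
    """Per-policy counts of what would have happened had the policy been enforced."""
    impact = defaultdict(Counter)
    for s in signins:
        for applied in s.get("appliedConditionalAccessPolicies", []):
            bucket = RESULT_BUCKET.get(applied["result"], "other")
            impact[applied["displayName"]][bucket] += 1
    return {name: dict(counts) for name, counts in impact.items()}


def would_block_breakdown(signins, policy_name):
    """(client app, application, user) -> count of sign-ins the policy would have denied.

    This is the list to review for legitimate traffic before flipping to enforcement."""
    out = Counter()
    for s in signins:
        for applied in s.get("appliedConditionalAccessPolicies", []):
            if applied["displayName"] == policy_name and applied["result"] == "reportOnlyFailure":
                out[(s["clientAppUsed"], s["appDisplayName"], s["userPrincipalName"])] += 1
    return out


def legacy_signins_not_caught(signins, legacy_policy):
    """Users whose legacy-protocol sign-ins the block policy did not match.

    A non-empty list means the policy scope or its exclusions leave legacy auth open."""
    missed = set()
    for s in signins:
        if s["clientAppUsed"] not in LEGACY_AUTH_CLIENTS:
            continue
        results = {a["displayName"]: a["result"]
                   for a in s.get("appliedConditionalAccessPolicies", [])}
        if results.get(legacy_policy) != "reportOnlyFailure":
            missed.add(s["userPrincipalName"])
    return sorted(missed)


if __name__ == "__main__":
    for name, counts in report_only_impact(SAMPLE_SIGNINS).items():
        print(name, counts)
    for key, n in would_block_breakdown(SAMPLE_SIGNINS, POLICIES[0]).items():
        print("would block:", key, n)
    print("legacy sign-ins not caught:", legacy_signins_not_caught(SAMPLE_SIGNINS, POLICIES[0]))
```

In practice the records come from a Graph export filtered to the report-only window (the 5–10 business days above); the `would_block_breakdown` output is what gets turned into a scoped exception or a client migration before the policy is enforced, and `legacy_signins_not_caught` is the check that the block policy really covers every legacy client.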
What's included
Eight policies that close the gaps.
Designed around your user groups, device fleet, and application portfolio. Tested in report-only mode before a single policy goes live.
MFA for all users
The single highest-impact control in M365. Phishing-resistant MFA (authenticator app or FIDO2) enforced across every sign-in.
Legacy auth blocked
Protocols like SMTP AUTH, POP, and IMAP bypass MFA entirely. We block them — this alone stops a significant proportion of credential attacks.
Device compliance
Only Intune-enrolled, compliant devices can access corporate data. Unmanaged personal devices are blocked.
Named location policies
Access restricted or challenged from countries and IP ranges outside Australia. Tor and anonymising proxy access blocked.
Sign-in risk policies
Automatically challenge or block sign-ins flagged as risky: leaked credentials, atypical travel, anonymous IP.
Privileged access policies
Global Admin and privileged roles require FIDO2 or passwordless authentication. No admin work from unmanaged devices.
App-specific controls
Different conditions per application. Finance systems require compliant devices. Internal apps allow managed mobile devices.
Session controls
Enforce sign-in frequency, app-enforced restrictions, and continuous access evaluation to limit token theft impact.
Zero Trust via Entra ID
Microsoft Entra ID is the Zero Trust engine of Microsoft 365. Every sign-in evaluated against identity, device, location, and risk before access is granted. We configure the policies your environment actually needs.
- Every sign-in evaluated in real time
- Risk-based auto-block for compromised credentials
- Just-in-time admin access via Privileged Identity Management
- Break-glass accounts maintained pre-enforcement
Why most CA deployments fail
Most Conditional Access environments we review carry the same gaps: legacy authentication left open, exclusion groups that gut MFA, compliance policies stuck in report-only, or scope applied to the wrong users.
- Legacy auth partially blocked (SMTP still open)
- MFA exclusion groups too broad
- Compliant device policy in report-only indefinitely
- No break-glass account before enforcement
- Admin accounts without PIM or FIDO2
- Named location policies missing entirely
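The eight policies listed under "What's included" and the gap list just above are two views of the same policy set. The following Python is an added example (not IronSights' or Microsoft's code) that expresses the eight policies in the Microsoft Graph `conditionalAccessPolicy` schema, starts them in report-only state, refuses to enforce a policy that does not exclude the break-glass group, and lints a set for the six gaps listed above. Values marked PLACEHOLDER (group, named-location and application IDs) are assumed and must be replaced with the tenant's own; the Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication-strength ID are the well-known tenant-independent values. The "too broad" exclusion check is a heuristic of this example: any MFA exclusion beyond the break-glass group is flagged.

```python
"""Eight-policy Conditional Access set in the Graph conditionalAccessPolicy schema,
with a lint pass for the common deployment gaps.

Added example, not IronSights' or Microsoft's code. PLACEHOLDER IDs are assumed.
"""
import copy

REPORT_ONLY, ENABLED = "enabledForReportingButNotEnforced", "enabled"
BREAK_GLASS_GROUP = "PLACEHOLDER-break-glass-group-object-id"
AU_LOCATION = "PLACEHOLDER-named-location-id-australia"
FINANCE_APP = "PLACEHOLDER-finance-application-id"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"       # built-in role template ID
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in auth strength


def _policy(name, **overrides):
    """Baseline: all users except break-glass, all apps, modern clients, report-only."""
    p = {"displayName": name, "state": REPORT_ONLY,
         "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
                        "applications": {"includeApplications": ["All"]},
                        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
         "grantControls": None, "sessionControls": None}
    for key, value in overrides.items():  # merge one level into conditions, replace otherwise
        if isinstance(value, dict) and isinstance(p.get(key), dict):
            p[key].update(value)
        else:
            p[key] = value
    return p


def build_policy_set():
    """The eight policies, all in report-only state."""
    block = {"operator": "OR", "builtInControls": ["block"]}
    mfa = {"operator": "OR", "builtInControls": ["mfa"]}
    compliant = {"operator": "OR", "builtInControls": ["compliantDevice"]}
    return [
        _policy("CA001 Block legacy authentication",
                conditions={"clientAppTypes": ["exchangeActiveSync", "other"]}, grantControls=block),
        _policy("CA002 Require MFA for all users", grantControls=mfa),
        _policy("CA003 Require compliant device", grantControls=compliant),
        _policy("CA004 Block access outside Australia",
                conditions={"locations": {"includeLocations": ["All"],
                                          "excludeLocations": [AU_LOCATION]}}, grantControls=block),
        _policy("CA005 Medium/high sign-in risk requires MFA",
                conditions={"signInRiskLevels": ["medium", "high"]}, grantControls=mfa),
        _policy("CA006 Admins: phishing-resistant MFA on compliant device",
                conditions={"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE],
                                      "excludeGroups": [BREAK_GLASS_GROUP]}},
                grantControls={"operator": "AND", "builtInControls": ["compliantDevice"],
                               "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}),
        _policy("CA007 Finance app requires compliant device",
                conditions={"applications": {"includeApplications": [FINANCE_APP]}},
                grantControls=compliant),
        _policy("CA008 Session controls", sessionControls={
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": 12,
                                "frequencyInterval": "timeBased"},
            "applicationEnforcedRestrictions": {"isEnabled": True},
            "persistentBrowser": {"isEnabled": True, "mode": "never"}}),
    ]


def enforce(policy):
    """Return an enabled copy; refuse if a grant/block policy lacks the break-glass exclusion."""
    users = policy["conditions"]["users"]
    if policy["grantControls"] and BREAK_GLASS_GROUP not in users.get("excludeGroups", []):
        raise ValueError(f"{policy['displayName']}: break-glass group not excluded")
    enabled = copy.deepcopy(policy)
    enabled["state"] = ENABLED
    return enabled


def lint(policies):
    """Return the gaps from the list above that this policy set still exhibits."""
    live = lambda p: p["state"] == ENABLED
    controls = lambda p: set((p.get("grantControls") or {}).get("builtInControls", []))
    findings = []
    blocked = {t for p in policies if live(p) and "block" in controls(p)
               and p["conditions"]["users"].get("includeUsers") == ["All"]
               for t in p["conditions"]["clientAppTypes"]}
    if {"exchangeActiveSync", "other"} - blocked:
        findings.append(f"legacy auth not fully blocked, open: {sorted({'exchangeActiveSync', 'other'} - blocked)}")
    for p in policies:
        users = p["conditions"]["users"]
        extra = len(set(users.get("excludeGroups", [])) - {BREAK_GLASS_GROUP}) + len(users.get("excludeUsers", []))
        if "mfa" in controls(p) and extra:
            findings.append(f"{p['displayName']}: {extra} MFA exclusion(s) beyond break-glass")
        if "compliantDevice" in controls(p) and not live(p):
            findings.append(f"{p['displayName']}: compliant device policy still report-only")
        if p.get("grantControls") and BREAK_GLASS_GROUP not in users.get("excludeGroups", []):
            findings.append(f"{p['displayName']}: break-glass group not excluded")
    if not any(live(p) and GLOBAL_ADMIN_ROLE in p["conditions"]["users"].get("includeRoles", [])
               and (p.get("grantControls") or {}).get("authenticationStrength") for p in policies):
        findings.append("admin roles without phishing-resistant authentication strength")
    if not any(live(p) and p["conditions"].get("locations") for p in policies):
        findings.append("no named location policy")
    return findings
```

Each dict is the JSON body you would POST to `/identity/conditionalAccess/policies` once the IDs are filled in; `lint` is meant to run against the exported policies of an existing tenant as well, which is where the gap list above usually comes from. Note that `lint` reports the report-only set as failing the "compliant device still report-only" and "legacy auth" checks by design: a set that has never been flipped to enforcement is exactly the indefinite-report-only failure mode.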
What you gain
Credentials stolen, but access denied.
Four concrete outcomes from every Conditional Access engagement, measured and maintained on an ongoing basis.
Credential attacks stopped
Stolen username and password pairs are no longer sufficient to access your environment. MFA enforcement and risk-based policies block the most common attack path.
Device trust enforced
Only managed, compliant devices can access corporate data. Personal and unmanaged devices are blocked at the identity layer — before they reach any application.
Risky sign-ins blocked
Microsoft Entra ID Protection evaluates every sign-in for risk signals. Leaked credentials, atypical travel, and anonymous IP access are automatically challenged or blocked.
Posture documented
Every policy documented with its rationale, exclusions, and maintenance notes. Your team has what they need to manage the environment confidently after handover.
Common questions
Conditional Access questions answered.
Not sure whether your current CA policies are doing their job? Contact us and we'll walk you through a no-obligation policy review.
What is Conditional Access?
Conditional Access is Microsoft Entra ID's policy engine. It evaluates every sign-in against a set of conditions — user identity, device state, location, and risk signals — and decides whether to allow, block, or require additional authentication. Properly configured, it's one of the most effective controls in Microsoft 365.
Can Conditional Access lock us out of our own accounts?
Yes, if misconfigured. That's why we deploy every policy in report-only mode first, analyse the impact against your actual sign-in logs, and maintain break-glass emergency access accounts before any enforcement. You will not be locked out of your tenant.
How long does a CA engagement take?
Discovery and design typically take one week. Report-only monitoring runs for five to ten business days. Enforcement phasing takes a further one to two weeks depending on the policy complexity and your user population. Total engagement is typically four to six weeks.
Is Conditional Access included in our Microsoft 365 licence?
The core Conditional Access engine is included in Microsoft Entra ID P1, which is part of Microsoft 365 Business Premium and E3 licences. Risk-based policies (sign-in risk, user risk) require Entra ID P2 or Microsoft 365 E5. We review your licensing at the discovery stage.
Is CA configuration included in Fortify managed security?
Yes. Conditional Access policy design, deployment, and monthly review are part of every Fortify engagement. If you want a standalone CA audit or deployment, we offer it as a separate engagement.
Already have CA policies?
Let us check if they actually work.
Most Conditional Access deployments have gaps: legacy auth partially blocked, exclusion groups undermining MFA, policies left in report-only. We find them before an attacker does.