Imagine you’re running a physical shop. Would you let just anyone walk into your storeroom? Or allow a stranger to take keys to your office? Probably not. Conditional Access Policies (CAPs) in Microsoft 365 are the digital equivalent of locking doors, checking IDs, and keeping everything running smoothly without unnecessary risks.
For SMEs, CAPs offer a smart way to secure your environment without micromanaging every single login or file. They adapt based on real-world scenarios: who’s logging in, where they are, and what they’re trying to access. The best part? They work silently in the background, keeping your business safe without disrupting your team’s day-to-day tasks.
Here are the top policies to start with, tailored for the people in SMEs who carry technology responsibilities. Don’t worry if you’re not a technical wizard—this guide is written with you in mind.
Ensure every login requires two layers of verification to prevent unauthorised access.
Our Importance Rank: #1
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, or Azure AD Premium P1
Why It Matters:
Passwords alone just don’t cut it anymore. Cybercriminals are increasingly adept at stealing credentials, and one weak link in the chain can compromise your entire system. MFA adds a critical second layer of defence, ensuring that even if a password is stolen, your business stays secure.
Example:
Require all users to verify logins with a mobile app, like Microsoft Authenticator. Exceptions can be made for office locations with a fixed IP address, but for remote access, MFA should be non-negotiable.
What It Means for You:
Post-Deployment Advice:
Log in to Azure AD regularly to monitor MFA enrolment status and sign-in logs. If adoption is low or users are struggling, host a Q&A session or provide step-by-step guides. It’s also a great idea to run a simulated phishing campaign later to reinforce the importance of MFA.
Prevent unauthorised access by disabling outdated and insecure login methods.
Our Importance Rank: #2
License Required: Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
Legacy authentication protocols like IMAP, POP, and SMTP are like leaving the back door open to your digital office. They don’t support MFA and are easy targets for brute-force attacks. Blocking these protocols is one of the quickest ways to shut down a common threat vector.
Example:
Disable legacy authentication for all users, except for a few critical service accounts (if necessary). For example, older printers or applications that rely on SMTP might need exceptions.
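As an added, hands-on illustration (not part of the original guide), here is how the legacy-authentication block above can be created with the Microsoft Graph PowerShell SDK. The account IDs are placeholders for your own tenant, and the policy starts in report-only mode so you can review what it would have blocked before enforcing it.

```powershell
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object IDs: replace with the accounts you genuinely need to exclude.
$legacySmtpServiceAccount = "00000000-0000-0000-0000-000000000001"  # e.g. a scanner/printer mailbox still on SMTP AUTH
$breakGlassAccount        = "00000000-0000-0000-0000-000000000002"  # emergency-access admin, excluded from every block policy

$policy = @{
    displayName = "CA02 - Block legacy authentication"
    # Report-only first: sign-in logs will show who would have been blocked without actually blocking them.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($legacySmtpServiceAccount, $breakGlassAccount)
        }
        # "exchangeActiveSync" and "other" are how Azure AD (Entra ID) classifies the
        # protocols that cannot do MFA: IMAP, POP, SMTP AUTH and older Office clients.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the sign-in logs show no legitimate legacy traffic, change `state` to `"enabled"` and update the policy; the excluded service account should be migrated or replaced rather than left as a permanent exception.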
What It Means for You:
Post-Deployment Advice:
After enabling this policy, watch for login failures in Azure AD sign-in logs. These will tell you if a user or service is still trying to connect via legacy protocols. Work proactively to migrate or replace any flagged systems. This policy often highlights forgotten systems—use it as an opportunity to modernise!
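An added example (not from the original guide) of the log check described above: it pulls the last week of sign-ins through Microsoft Graph PowerShell and summarises which users and protocols are still using legacy authentication, and what Conditional Access did with them. It assumes the same Microsoft.Graph module as before and an account with audit-log read permission.

```powershell
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Azure AD labels modern-auth sign-ins as one of these two client types; anything else
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients") is legacy.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modernClients) }

# One row per user/protocol/outcome. ConditionalAccessStatus is "success" (allowed),
# "failure" (blocked) or "notApplied"; while the policy is report-only, look instead at
# AppliedConditionalAccessPolicies for results such as "reportOnlyFailure".
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed, ConditionalAccessStatus |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = "Last seen"; e = { ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime } },
                  @{ n = "Source IP"; e = { ($_.Group | Sort-Object CreatedDateTime -Descending)[0].IPAddress } },
                  @{ n = "User / Protocol / CA result"; e = { $_.Name } } |
    Format-Table -AutoSize
```

Rows that keep appearing after the policy is enforced are your forgotten systems: a source IP inside the office usually points at a device such as a printer or line-of-business application that needs modernising.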
Limit access to critical data only from secure, compliant devices.
Our Importance Rank: #3
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, or Azure AD Premium P1
Why It Matters:
Not all devices are created equal. An unprotected device is a ticking time bomb for your sensitive business data. By requiring devices to meet compliance standards—like up-to-date antivirus or disk encryption—you ensure that only trusted tools can access your most critical files.
Example:
Set up a policy to restrict access to SharePoint and Teams for devices that don’t meet compliance standards. For instance, any laptop that isn’t encrypted or up-to-date will be denied access.
What It Means for You:
Post-Deployment Advice:
Monitor compliance reports in Intune to identify non-compliant devices. This policy might cause initial pushback if users struggle to meet the requirements, so ensure your helpdesk is ready to assist. Over time, review compliance standards to align with evolving threats—keeping your environment secure and adaptable.
Automatically block access when a login attempt looks suspicious.
Our Importance Rank: #4
License Required: Microsoft 365 E5 or Azure AD Premium P2
Why It Matters:
Microsoft’s AI-powered Identity Protection analyses login attempts and flags risky behaviour, such as logins from unfamiliar locations or devices. Blocking these attempts proactively prevents unauthorised access.
Example:
Enable a policy to block all high-risk sign-ins identified by Microsoft’s risk analysis engine.
What It Means for You:
Post-Deployment Advice:
Review risk detection logs in Azure AD weekly to understand how this policy is working. High-risk sign-ins could indicate attempted breaches or risky user behaviour (like weak passwords). Use these insights to strengthen related policies or educate users on better security practices.
Control what external users can see or do within your collaboration tools.
Our Importance Rank: #5
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5
Why It Matters:
Collaboration with external partners is essential, but it can be a security nightmare if left unchecked. This policy ensures that guest users only have access to what they need—and nothing more.
Example:
Allow external users to view files in a specific SharePoint site but block them from downloading content.
What It Means for You:
Post-Deployment Advice:
Periodically audit guest accounts to ensure permissions align with their roles. Remove inactive guests and restrict access further if unnecessary sharing is identified. Use Microsoft’s Secure Score to identify areas for improvement related to external sharing.
Make your admin accounts as tough to crack as Fort Knox.
Our Importance Rank: #6
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
Admin accounts are the jackpot for attackers. A successful breach here doesn’t just open the door; it gives the intruder the keys to your entire digital fortress. Enforcing MFA for admins ensures that even if their password is somehow compromised, there’s still a second line of defence protecting your systems.
Example:
Enforce MFA for all global administrators, Exchange administrators, and SharePoint administrators. For example, admins could use Microsoft Authenticator or a hardware key like YubiKey for their second factor.
What It Means for You:
Post-Deployment Advice:
Regularly audit admin accounts to ensure compliance and spot unused or unnecessary roles. Unused admin accounts are like forgotten spare keys—they’re just waiting for trouble. Implement a process to remove access for users who no longer need admin privileges.
Shut the digital door on regions you don’t do business in.
Our Importance Rank: #7
License Required: Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
Cybercriminals often launch attacks from regions far away from your business operations. If you’re a New Zealand-based company with no dealings in Eastern Europe or South Asia, why leave the door open? Blocking sign-ins from countries you don’t operate in is a simple, effective way to reduce risk without affecting your team’s productivity.
Example:
Create a policy to allow sign-ins only from New Zealand and Australia, with exceptions for employees traveling internationally.
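As an added example (not part of the original guide), here is the country-based policy above built with Microsoft Graph PowerShell: first a named location for New Zealand and Australia, then a block policy that applies everywhere else. The group and account IDs are placeholders, and the policy again starts in report-only mode.

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1. A country named location for the regions the business operates in (ISO 3166-1 alpha-2 codes).
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries - NZ and AU"
    countriesAndRegions               = @("NZ", "AU")
    # Sign-ins whose country cannot be resolved are NOT treated as allowed, so they fall into the block.
    includeUnknownCountriesAndRegions = $false
}

# Placeholders: the object IDs of your travelling-staff group and your emergency-access (break-glass) account.
$travellersGroupId = "00000000-0000-0000-0000-000000000003"
$breakGlassAccount = "00000000-0000-0000-0000-000000000002"

# 2. Block every location except the named location above.
$policy = @{
    displayName = "CA07 - Block sign-ins outside NZ/AU"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($travellersGroupId)   # add staff to this group before they travel, remove them after
            excludeUsers  = @($breakGlassAccount)
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($allowedCountries.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State
```

Country matching is based on the sign-in IP address, so staff on a VPN or cloud service that exits in another country will be blocked too; check the report-only results for exactly that before enforcing.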
What It Means for You:
Post-Deployment Advice:
Regularly review sign-in logs in Azure AD to detect attempted access from blocked locations. If you notice frequent attempts from certain regions, consider implementing additional layers of security, such as IP whitelisting for known, trusted networks.
Log out idle users to stop threats before they start.
Our Importance Rank: #8
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5
Why It Matters:
We’ve all left something running—a car engine, a kettle, or a computer session. While forgetting the kettle is inconvenient, leaving a business session logged in can be catastrophic. Session timeouts ensure that idle users are logged out, preventing unauthorised access if someone walks away from their desk or forgets to close their browser.
Example:
Set a policy to log out users after 15 minutes of inactivity in web apps like Teams, SharePoint, and Outlook.
What It Means for You:
Post-Deployment Advice:
Gather feedback to strike the right balance between security and usability. For example, extending timeouts for certain roles or allowing users to resume sessions securely without a full re-login could improve satisfaction without sacrificing safety.
Deny entry to devices that are already compromised.
Our Importance Rank: #9
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
Rooted or jailbroken devices are the digital equivalent of a house with all its locks broken. These devices bypass built-in security features, making them easy targets for malware and hackers. Allowing them into your business environment is like welcoming trouble with open arms.
Example:
Enable a policy to block any device flagged as jailbroken or rooted by Intune’s compliance checks.
What It Means for You:
Post-Deployment Advice:
Keep an eye on compliance reports to identify trends in flagged devices. If jailbroken devices are common among your users, it’s worth investigating why and providing alternatives—such as secure, company-issued devices for users who need more flexibility.
Keep your data flowing through safe and trusted channels.
Our Importance Rank: #10
License Required: Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
Not all apps are built with your security in mind. Some can be poorly secured, poorly designed, or outright malicious. By enforcing app-based restrictions, you ensure your sensitive data only travels through secure, approved channels. It’s like only allowing company drivers to transport your most valuable goods.
Example:
Block access to OneDrive unless users log in via the official Microsoft app, ensuring no unauthorised third-party apps can touch your files.
What It Means for You:
Post-Deployment Advice:
Audit app usage logs to ensure compliance and educate users on approved alternatives. If you identify heavily used, unapproved apps, evaluate whether they have secure replacements or if additional functionality is needed in your approved apps.
Turn stolen laptops into paperweights by enforcing encryption.
Our Importance Rank: #11
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5
Why It Matters:
If a device containing business data is lost or stolen, encryption ensures the data remains unreadable without the proper credentials. It’s like locking a treasure chest—you may lose the chest, but the gold inside stays safe.
Example:
Block access to business apps unless the user’s device is encrypted with BitLocker (Windows) or FileVault (Mac).
What It Means for You:
Post-Deployment Advice:
Regularly review compliance reports to ensure all devices meet encryption standards. Provide clear, easy-to-follow instructions for users to fix any non-compliance, and keep a policy in place for replacing devices that cannot be encrypted.
Draw a line in the sand between personal and professional.
Our Importance Rank: #12
License Required: Microsoft 365 Business Premium, Microsoft 365 E3
Why It Matters:
Personal devices are often the Wild West of security—unmonitored, unencrypted, and unprotected. Blocking these devices from accessing business resources ensures your company data only lives on systems you can control and secure.
Example:
Enforce a policy where only devices enrolled in Intune (your device management platform) can access business resources like SharePoint and Teams.
What It Means for You:
Post-Deployment Advice:
Run regular compliance audits to ensure no unauthorised devices gain access. Provide options for secure personal device use, like virtual desktop infrastructure (VDI) or remote access gateways.
Keep things open during working hours and lock them up after hours.
Our Importance Rank: #13
License Required: Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
Most cyberattacks happen when no one’s watching—after hours or during holidays. Limiting access to your systems outside of business hours reduces the attack window, giving you greater peace of mind.
Example:
Create a policy that restricts access to 8 AM–6 PM, Monday to Friday, while allowing exceptions for authorised employees like IT staff or on-call teams.
What It Means for You:
Post-Deployment Advice:
Monitor sign-in logs to ensure the policy isn’t blocking legitimate business needs. Review access exceptions quarterly to confirm they’re still necessary, and remove expired approvals.
Make “I agree” work for your business, not just your apps.
Our Importance Rank: #14
License Required: Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
Getting users to acknowledge your terms and conditions isn’t just good practice—it’s legal and organisational hygiene. Whether it’s a BYOD policy, an acceptable use agreement, or a new remote work framework, this ensures users are aware of their responsibilities.
Example:
Before accessing any M365 apps, users must agree to your company’s “Data Protection and Acceptable Use Policy.”
What It Means for You:
Post-Deployment Advice:
Track acknowledgment rates to ensure compliance. Update your terms as needed (e.g., for new compliance requirements or policy changes) and require reacceptance for major updates.
Keep your environment clean by blocking dodgy apps.
Our Importance Rank: #15
License Required: Microsoft 365 E3, Microsoft 365 E5, Azure AD Premium P1
Why It Matters:
High-risk applications are a major vector for cyberattacks. By blocking these apps, you can minimise potential vulnerabilities and ensure your team stays within secure, approved ecosystems.
Example:
Block access to unapproved third-party file-sharing apps while directing users to secure alternatives like OneDrive or SharePoint.
What It Means for You:
Post-Deployment Advice:
Monitor app usage logs for attempted access to blocked tools. Use this data to identify trends and educate users on why certain apps are restricted.
No compliance, no entry—it’s that simple.
Our Importance Rank: #16
License Required: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5
Why It Matters:
Devices that don’t meet your security standards are a liability. Requiring compliance ensures every device accessing your systems is secure, up-to-date, and capable of protecting sensitive information.
Example:
Block access to all M365 apps unless devices meet compliance checks for antivirus, OS version, and encryption.
What It Means for You:
Post-Deployment Advice:
Audit compliance reports regularly to ensure devices remain secure. Provide easy-to-follow resources for fixing common compliance issues, such as expired antivirus software or missing updates.
Copyright © 2024 Optimus Systems Limited. All Rights Reserved.