Multi-factor authentication (MFA) proves users have something they know (password) and something they have (phone, passkey, or hardware token). Conditional Access adds context: where they sign in, which app, device compliance, and risk level.
Roll out MFA without rebellion
1. Pilot with executives and IT first, and fix the helpdesk scripts before the wider rollout.
2. Communicate why (customer trust, insurance, fraud) in plain language.
3. Prefer Microsoft Authenticator push approvals over SMS where possible.
4. Hold an office hour for phone upgrades and for registering backup methods.
5. Enforce for admins before all staff if you need a phased path.
Conditional Access policies (starter set)
| Policy idea | Effect |
|---|---|
| Require MFA for all users | Baseline protection |
| Block legacy auth | Stops old clients from bypassing MFA |
| Require compliant device for mail on mobile | BYOD control |
| Block sign-in from risky countries | If you have no business there |
| Require MFA for admins always | Stricter than general staff |
Each policy targets a set of users, apps, and conditions. Run it in report-only mode first to see who would have been blocked before you enforce it.
Exceptions done safely
- Break-glass accounts excluded from policies but monitored and rarely used.
- Service accounts use modern authentication with certificates, not passwords on sticky notes.
- Kiosk or shared tablets may need dedicated policies, not disabled MFA globally.
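As an added example (not code from the original page or from Microsoft), a Python sanity check over policies exported from the Graph API that catches two of the rollout mistakes described above: a policy that does not exclude the break-glass group, and a starter set whose legacy-auth block is still in report-only mode. The group id and the policies are constructed sample data; the field names and enum values follow the Graph conditionalAccessPolicy schema.

```python
# Added example, not from the original page: sanity checks over Conditional Access
# policies in the Microsoft Graph schema (GET /identity/conditionalAccess/policies).
# The policies and the group id below are constructed sample data.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-0000000000b6"  # placeholder group id
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # clientAppTypes for legacy auth

SAMPLE_POLICIES = [  # constructed; mirrors two rows of the starter table above
    {
        "displayName": "Block legacy auth",
        "state": "enabledForReportingButNotEnforced",  # report-only: nobody blocked yet
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            # includeRoles takes directory role template ids; this one is Global Administrator
            "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                      "excludeGroups": []},  # break-glass exclusion forgotten on purpose
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

def blocks_legacy_auth(policy):
    """True if the policy blocks both legacy client types for all users and all apps."""
    cond, grant = policy["conditions"], policy["grantControls"]
    return (LEGACY_CLIENT_TYPES <= set(cond["clientAppTypes"])
            and "block" in grant["builtInControls"]
            and "All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))

def audit(policies, break_glass_group=BREAK_GLASS_GROUP):
    """Return findings for the rollout mistakes the text warns about; [] means clean."""
    findings = []
    for p in policies:  # checked in every state: report-only policies get enforced later
        if break_glass_group not in p["conditions"]["users"].get("excludeGroups", []):
            findings.append(f"{p['displayName']}: break-glass group not excluded")
    enforced = [p for p in policies if p["state"] == "enabled"]
    if not any(blocks_legacy_auth(p) for p in enforced):
        findings.append("legacy authentication is not blocked by any enforced policy")
    return findings
```

Run `audit(SAMPLE_POLICIES)` against the constructed set and it reports the missing exclusion on the admin policy and the fact that the legacy-auth block is not yet enforced; fix both and the list comes back empty.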
Passkeys and passwordless
Microsoft supports Windows Hello, FIDO2 keys, and passkeys in Authenticator for passwordless sign-in—worth piloting for executives targeted by spear phishing.
Licensing
Conditional Access requires Entra ID P1 (included in Microsoft 365 Business Premium and E3/E5 bundles in common configurations). Verify your SKU before promising mobile app protection.
Implementation templates are a core partner service; contact us for policy review workshops.