Conditional Access becomes powerful when it's predictable and layered. Here's a baseline that works for most SMBs.
Policy 1: Require MFA for all users
- Include: all users
- Exclude: break-glass accounts (document + monitor)
Policy 2: Require MFA for admin roles (stronger controls)
- Target: privileged roles
- Add: "Require compliant device" if possible
Policy 3: Block legacy authentication
Legacy protocols cannot complete MFA, so blocking them closes the path that many password-spray style attacks rely on.
Policy 4: Require compliant device for SharePoint/OneDrive
If a device isn't managed, don't allow full data download.
Policy 5: Require compliant device for Microsoft admin portals
Protect the control plane.
Policy 6: Block sign-in from high-risk countries (optional)
Only if your business footprint is clear. Don't block legitimate travel without a process.
Policy 7: Session controls for unmanaged devices
Allow browser-only access, limit downloads, and use shorter sessions.
Policy 8: Require MFA registration + modern auth readiness
Make sure users can register MFA methods properly so nobody is left unenrolled or locked out.
Practical tips
- Roll out in report-only first (where available), then enforce
- Start with a small pilot group
- Always define a support process before enforcing (someone must be able to help users who get blocked)
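As an added example (not from the original post), here is Policy 3 ("Block legacy authentication") created in report-only mode with the Microsoft Graph PowerShell SDK, wired up the way the tips above suggest: all users included, a break-glass account excluded, report-only first, enforce later. It assumes the Microsoft.Graph module is installed and that the break-glass placeholder is replaced with your own account's object ID.

```powershell
# Added example: Policy 3 (block legacy authentication) in report-only mode.
# Assumes the Microsoft.Graph module is installed and an account with the
# Conditional Access Administrator role (or equivalent) signs in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the documented, monitored break-glass account.
$breakGlassObjectId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName   = "CA03 - Block legacy authentication"
    # Report-only first: sign-ins are evaluated and logged, nothing is blocked yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        # Legacy protocols appear as Exchange ActiveSync and "other clients"
        # (IMAP, POP, SMTP AUTH, older Office clients), not as browser or modern auth.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results in the sign-in logs show no legitimate traffic
# would be blocked, flip the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The same skeleton covers Policies 1, 2, 4 and 5 by swapping `builtInControls` to `@("mfa")` or `@("compliantDevice")` and narrowing `includeApplications` or adding `includeRoles` under `users`.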