conditional access policies

In late 2023, Microsoft announced it would be rolling out automatic conditional access policies to users. In this blog, we’ll go over what Microsoft’s conditional access requirements mean, their impact, and how you can make sure your business is ready for the changes.

If you’re already using MFA, you won’t notice much of an impact, but you may need to make some changes. If you aren’t, you’ll need to take a few additional, quick steps to gain access to various things, like admin portals.

Why is Microsoft implementing conditional access policies?

Microsoft Entra, the security and access suite including products like Entra ID, formerly known as Azure Active Directory (AD), focuses on securing access everywhere. The Entra product family encompasses everything network access and identity in the Microsoft world. Microsoft’s ambitious (and in our opinion, necessary!) goal of achieving 100 percent MFA is what organizations need in the current cybersecurity landscape. Since Microsoft 365 will be affected by these changes, the majority of Microsoft users will be too.

This isn’t new for Microsoft, but it is new on the business side. On their blog, Microsoft confirmed, “Today, 100 percent of consumer Microsoft accounts older than 60 days have multifactor authentication—and it’s been this way for 10 years. We give accounts 60 days to meet this policy requirement, then we block sign-ins until the user adds a strong authentication factor.” After various strategies and attempts to replicate this success and get everyone in the commercial space on board with MFA, they’re taking a broad approach.

For the past few years, Microsoft has offered “on by default” MFA solutions to take the guesswork out of things for clients. This ensured that even if a business didn’t go through researching providers, engaging a vendor and implementing MFA, they would still have an extra layer of protection. Conditional access policies are the next step.

What do I need to do to be compliant?

Technically, there’s no action required. If you do nothing, Microsoft will roll out these conditional access policies automatically. These changes will take place behind the scenes. If you already have an MFA solution in place, these policies will be added in addition to that.

What if we already have MFA?

If you already have an MFA solution in place, Microsoft will still implement conditional access policies. They’re doing this on a large scale. This way, they don’t have to check every single business’s configurations to ensure that MFA is enabled. By automatically implementing it on the backend, Microsoft knows you have a solution in place if it’s needed.

Work with your IT partner to address how these changes impact your existing MFA configurations. The Microsoft-managed policies will need to be disabled, and accounts will need to be reviewed to ensure they all have MFA enabled. Ensure that you have a strategy for meeting the Microsoft requirements and communicating any access changes to your team. This will help your organization avoid losing productivity while gaining security.

Your IT partner can help ensure these are not disruptive, and that your preferred method of secure access takes precedence and continues to work seamlessly.

ADNET’s recommendation

ADNET has been an advocate of MFA for years. Microsoft’s conditional access policies take things a step further. This can be a great option for organizations that haven’t implemented MFA yet. Since multifactor authentication is a requirement for our clients, we encourage everyone to find the solution that’s right for them. If Microsoft’s new conditional access policies check the box for you, that’s great! We still recommend a third-party multifactor authentication tool, such as Duo, to create a true layered security approach.

Microsoft plans to continue adapting these policies as threats change. Their eventual goal is “to combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen your security posture on your behalf with the right controls.”

Need help adjusting to these changes, or implementing an MFA solution? Reach out to us – we’re here to help.