Microsoft 365 Security

MFA Alone Isn't Enough: How Conditional Access Protects Your Microsoft 365 Tenant

April 30, 2025  ·  6 min read

Most small businesses turn on MFA and consider themselves protected. But MFA without Conditional Access leaves significant gaps that attackers actively exploit. Here's what you're missing — and how to fix it.

Why MFA is necessary but not sufficient

Multi-factor authentication (MFA) is one of the highest-impact security controls available to small businesses. Microsoft data consistently shows it blocks over 99% of automated credential attacks. If you haven't enabled it, that's the first thing to fix.

But MFA alone has a problem: it authenticates the user, not the context. Once the MFA challenge is satisfied, Microsoft 365 on its own does not distinguish between that user signing in from a managed office laptop and the same account, or the same freshly issued session token, being used from an anonymous proxy on another continent. And a client that speaks a legacy protocol never receives the MFA challenge in the first place, because basic authentication carries nothing but a username and password.

Attackers know this. Adversary-in-the-middle (AiTM) phishing proxies relay the real Microsoft login page and capture the session cookie after the victim completes MFA; token theft lifts that cookie or refresh token off an infected device and replays it elsewhere; legacy protocols accept a phished or password-sprayed credential with no second factor at all. These techniques are not rare; they are the standard playbook for targeting Microsoft 365 tenants.

What Conditional Access actually does

Conditional Access is Microsoft's policy engine for controlling how and when users can access your Microsoft 365 environment. Instead of a binary "authenticated = allowed," Conditional Access evaluates a set of conditions before granting access — and can require additional controls, limit what's accessible, or block the request entirely.

Conditions you can evaluate: user identity, group membership and directory role; device state (Intune-compliant, Microsoft Entra hybrid joined, or unmanaged); location (a named location, a country, or an IP range); the application being accessed; device platform; client app type (modern authentication versus legacy protocols); and sign-in or user risk level from Microsoft Entra ID Protection, which requires a Microsoft Entra ID P2 license.

Actions you can take: grant access, require MFA (or a specific authentication strength such as phishing-resistant MFA), require a compliant device, require a Microsoft Entra hybrid joined device, require an Intune app protection policy on the client app, limit sign-in frequency or persistent browser sessions, restrict what the user can do inside the app, or block access outright.

A basic Conditional Access setup for a small business might look like this: require MFA for all users on all applications; block legacy authentication protocols entirely; block sign-ins from countries the business never operates in; require MFA and a compliant device for admin accounts. All of this is available with a Microsoft 365 Business Premium subscription and takes a few hours to configure and validate correctly.

The gaps Conditional Access closes

Legacy protocol blocking. Basic authentication over IMAP, POP3, SMTP AUTH, Exchange ActiveSync and the older Outlook protocols sends a username and password and cannot present an MFA challenge, so a phished or sprayed password is enough on its own. Microsoft disabled basic authentication for most Exchange Online protocols in 2022, but SMTP AUTH can still be enabled per tenant or per mailbox, and third-party apps and devices keep trying the old protocols. A single Conditional Access policy that blocks the legacy authentication client app types closes this category for the whole tenant. Check the sign-in logs for remaining legacy clients first; multifunction printers, scanners and line-of-business apps that send mail are the usual culprits.

Sign-in risk signals. Microsoft Entra ID Protection evaluates each sign-in for risk signals: unfamiliar sign-in properties, impossible travel, leaked credentials, anonymous IP addresses. Without Conditional Access, a high-risk sign-in succeeds as long as the user passes MFA. With Conditional Access, high-risk sign-ins can be forced through a fresh MFA challenge, a password change, or blocked entirely. Note that building policies on the risk condition requires a Microsoft Entra ID P2 license, which Business Premium does not include.

Admin account protection. Admin accounts need stronger controls than regular users. A Conditional Access policy that requires phishing-resistant MFA (a FIDO2 security key, a device-bound passkey, or Windows Hello for Business) and a compliant device for anyone holding a privileged directory role is a meaningful upgrade, because a passkey bound to the real login domain cannot be relayed through an AiTM phishing page. Many small businesses still protect Global Administrator accounts with SMS-based MFA alone, which is both phishable and exposed to SIM swapping.

Unmanaged device access. Your employees' personal phones and home computers may access company email, SharePoint, and Teams. With Conditional Access, you can require that apps on personal iOS and Android devices run under an Intune App Protection Policy (the "Require app protection policy" grant control) before they can open company data. That keeps the data encrypted inside the managed app and lets you wipe it selectively, without enrolling the personal device in full MDM. For unmanaged home computers, the usual pattern is to allow browser access only and use the app's session controls to block downloads.
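The starter set described above (MFA for everyone, legacy authentication blocked, phishing-resistant MFA plus a compliant device for privileged roles, and app protection on personal mobile devices) can be created in one pass with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original article or from Intragreat. It assumes the Microsoft.Graph module is installed, that security defaults have already been turned off (a tenant cannot run both), and that a security group named CA-Exclude-BreakGlass holds the emergency-access account; the policy names and the group name are placeholders. Every policy is created in report-only mode.

```powershell
# Added example: a Conditional Access starter baseline, created with the Microsoft
# Graph PowerShell SDK. Not code from the original article. Assumptions: the
# Microsoft.Graph module is installed, security defaults are already turned off
# (a tenant cannot run both), and a security group named 'CA-Exclude-BreakGlass'
# holds the emergency-access account. Policy and group names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Group.Read.All", "Directory.Read.All"

# Every policy excludes the break-glass group, so a bad policy can never lock
# all administrators out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying policies." }

# Resolve privileged role template IDs by name rather than hard-coding GUIDs.
$adminRoleNames = @("Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "Conditional Access Administrator",
                    "Exchange Administrator", "User Administrator")
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -in $adminRoleNames |
    Select-Object -ExpandProperty Id
if ($adminRoleIds.Count -ne $adminRoleNames.Count) { throw "Not every admin role name resolved." }

# Built-in authentication strength 'Phishing-resistant MFA': FIDO2 security key,
# device-bound passkey, Windows Hello for Business or certificate-based auth.
$phishingResistantMfa = @{ id = "00000000-0000-0000-0000-000000000004" }

# Report-only: evaluated and logged on every sign-in, never enforced.
$reportOnly = "enabledForReportingButNotEnforced"

$policies = @(
    @{
        displayName   = "CA001 - Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            # exchangeActiveSync and other are the two legacy client app types.
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "CA002 - Require MFA for all users"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName   = "CA003 - Admins: phishing-resistant MFA and compliant device"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeRoles = @($adminRoleIds); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        # AND: both controls must be satisfied. An authentication strength replaces
        # the plain 'mfa' control; the two cannot be combined in one policy.
        grantControls = @{
            operator               = "AND"
            builtInControls        = @("compliantDevice")
            authenticationStrength = $phishingResistantMfa
        }
    },
    @{
        displayName   = "CA004 - Personal iOS/Android: require app protection policy"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("Office365") }
            platforms      = @{ includePlatforms = @("iOS", "android") }
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        }
        # OR: an Intune-compliant device, or an app under an Intune App Protection
        # Policy. Personal devices satisfy the second without MDM enrolment.
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }
    }
)

# Idempotent: skip any policy whose name already exists in the tenant.
$existing = (Get-MgIdentityConditionalAccessPolicy -All).DisplayName
foreach ($policy in $policies) {
    if ($policy.displayName -in $existing) {
        Write-Host "Already exists, skipping: $($policy.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created in report-only mode: $($created.DisplayName) [$($created.Id)]"
}
```

Leave the policies in report-only mode for a week or two, review the outcomes in the sign-in logs, then switch `state` to `enabled` one policy at a time, starting with CA001. A policy that blocks legacy authentication or requires MFA cannot be satisfied by the break-glass account if it is ever caught by it, which is why the exclusion is applied to every policy rather than only the risky ones.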

What you need to implement it

Conditional Access is available in Microsoft 365 Business Premium, Microsoft 365 E3/E5, and with a standalone Microsoft Entra ID P1 or P2 license (Microsoft Entra ID is the current name for Azure AD). Microsoft 365 Business Basic and Business Standard include only the free tier of Entra ID, which offers security defaults but no Conditional Access, so you'll need to upgrade or add licenses.

Microsoft 365 Business Premium is the right tier for most small businesses. At roughly $22 per user per month, it includes Conditional Access, Intune device management, Defender for Business endpoint protection, and Microsoft Entra ID P1. That is P1, not P2: risk-based policies and Privileged Identity Management need a separate P2 add-on.

Implementation requires planning. Poorly configured Conditional Access policies can lock users, and administrators, out of their accounts. Before enabling a policy in production, create it in report-only mode: Entra evaluates it on every sign-in and records what it would have done in the sign-in logs, without enforcing anything. Read those results for a week or two, then enforce the policy for a pilot group of non-admin users before rolling it out broadly. Exclude at least one dedicated emergency-access (break-glass) account from every policy, protect it with a long random password or a FIDO2 key kept offline, and alert on any sign-in by it. Finally, Conditional Access replaces security defaults; turn security defaults off only once the MFA and legacy-authentication policies are ready to take over.
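Two questions have to be answered from the sign-in logs before any of these policies is enforced: which accounts still use legacy authentication, and what would each report-only policy have done to real sign-ins. The script below is an added example, not code from the original article, that answers both from the last 30 days of interactive sign-ins. It assumes the Microsoft.Graph module is installed and the tenant holds Entra ID P1 or higher, which is what exposes the sign-in logs through Graph; the output column names are the script's own.

```powershell
# Added example: review sign-in logs before enforcing Conditional Access.
# Not from the original article. Assumes Microsoft.Graph is installed and the tenant
# has Entra ID P1 or higher (sign-in logs are exposed through Graph only with P1/P2).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Interactive sign-ins from the last 30 days (the retention period for P1/P2 tenants).
$since   = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1. Who is still using legacy authentication? Entra reports modern clients as
#    'Browser' or 'Mobile Apps and Desktop clients'; everything else (IMAP4, POP3,
#    Authenticated SMTP, Exchange ActiveSync, Other clients, ...) is a legacy protocol.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$legacyUse = $signIns |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].UserPrincipalName
            Protocol = $_.Group[0].ClientAppUsed
            SignIns  = $_.Count
            LastSeen = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } | Sort-Object SignIns -Descending

Write-Host "Accounts still using legacy authentication (migrate or scope these before blocking):"
$legacyUse | Format-Table -AutoSize

# 2. What would each report-only policy have done? Every sign-in carries one entry per
#    evaluated policy. reportOnlyFailure means the grant controls were not satisfied,
#    i.e. the sign-in would have been blocked or challenged once the policy is enforced.
$outcomes = foreach ($signIn in $signIns) {
    foreach ($applied in $signIn.AppliedConditionalAccessPolicies) {
        if ($applied.Result -like "reportOnly*") {
            [pscustomobject]@{
                Policy = $applied.DisplayName
                Result = $applied.Result
                User   = $signIn.UserPrincipalName
                App    = $signIn.AppDisplayName
            }
        }
    }
}

Write-Host "`nReport-only outcomes per policy:"
$outcomes | Group-Object Policy, Result |
    Select-Object @{n='Policy';e={$_.Group[0].Policy}}, @{n='Result';e={$_.Group[0].Result}}, Count |
    Sort-Object Policy, Result | Format-Table -AutoSize

Write-Host "`nSign-ins that would have been blocked or challenged (review before enforcing):"
$outcomes | Where-Object Result -in @("reportOnlyFailure", "reportOnlyInterrupted") |
    Sort-Object Policy, User, App -Unique | Format-Table -AutoSize
```

A long list of `reportOnlyFailure` entries for the legacy-authentication policy is exactly what you want to see before enforcement, as long as every user and app on it has a migration plan; a `reportOnlyFailure` for an admin under the phishing-resistant policy means that admin has not yet registered a FIDO2 key or passkey and would be locked out the moment the policy is enforced.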

Intragreat designs and implements Conditional Access policies for small businesses as part of Microsoft 365 security engagements. We start with a review of your current tenant configuration, identify the highest-priority gaps, and implement policies in a controlled sequence that doesn't disrupt your business operations.

A practical starting point

If you're starting from scratch, here's a realistic priority order. First, verify that MFA is registered and enforced for every human account, and that accounts with no person behind them are handled deliberately: shared mailboxes should have direct sign-in blocked rather than an MFA method registered, and service accounts that cannot do MFA should be constrained by other conditions (a fixed IP range, a single application) rather than simply excluded. Second, block all legacy authentication protocols; once the few remaining legacy clients have been identified and migrated, this single policy closes a significant attack surface with minimal user impact. Third, if you hold Microsoft Entra ID P2, enable sign-in risk policies that require MFA or block sign-ins based on Microsoft's threat intelligence.
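The first step above, and the observation earlier that many tenants still protect Global Administrator accounts with SMS alone, both reduce to questions the authentication methods registration report can answer. The script below is an added example, not code from the original article, that lists users with no MFA method registered, admins whose only second factor is a phone, admins with no phishing-resistant method yet, and shared mailboxes whose underlying account still allows direct sign-in. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the tenant holds Entra ID P1 or higher; the method names are the values Microsoft Graph reports in MethodsRegistered.

```powershell
# Added example: verify MFA coverage before building policies on top of it.
# Not from the original article. Assumes Microsoft.Graph and ExchangeOnlineManagement
# are installed and the tenant has Entra ID P1 or higher (registration report).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "User.Read.All"

# Per-user authentication method registration, including an IsAdmin flag for
# accounts that hold a privileged directory role.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 1. Users with no MFA method registered. A "require MFA" policy will push them
#    through registration at next sign-in, but until then an attacker holding the
#    password could complete that registration first.
$noMfa = $registration | Where-Object { -not $_.IsMfaRegistered }
Write-Host "Users with no MFA method registered: $($noMfa.Count)"
$noMfa | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

# 2. Admins whose only second factor is phone-based (SMS or voice): phishable and
#    exposed to SIM swapping. Email and security questions are SSPR methods, not MFA,
#    so they do not count as a stronger factor either.
$weakMethods = @("mobilePhone", "alternateMobilePhone", "officePhone", "email", "securityQuestion")
$phishingResistant = @("fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound")

$phoneOnlyAdmins = $registration | Where-Object {
    $_.IsAdmin -and $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -notin $weakMethods })
}
Write-Host "`nAdmins relying on phone-based MFA only:"
$phoneOnlyAdmins | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize

# 3. Admins who could not satisfy a phishing-resistant authentication strength today.
$adminsWithoutPasskey = $registration | Where-Object {
    $_.IsAdmin -and -not ($_.MethodsRegistered | Where-Object { $_ -in $phishingResistant })
}
Write-Host "`nAdmins with no phishing-resistant method registered:"
$adminsWithoutPasskey | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize

# 4. Shared mailboxes should never be signed into directly: the account behind each
#    one should be disabled rather than given an MFA method.
Connect-ExchangeOnline -ShowBanner:$false
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
$signInAllowed = foreach ($mbx in $shared) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id, UserPrincipalName, AccountEnabled
    if ($user.AccountEnabled) { $user.UserPrincipalName }
}
Write-Host "`nShared mailboxes whose account still allows direct sign-in (disable these):"
$signInAllowed
```

Run this before creating the policies, not after: the admins it flags in sections 2 and 3 are the ones a phishing-resistant policy would lock out, and the disabled-account check in section 4 is what lets shared mailboxes stay out of the MFA policy without becoming a gap.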

From there, build out device compliance policies using Intune, and strengthen admin account protections with Privileged Identity Management if you have Microsoft Entra ID P2.

The goal isn't to implement every possible policy — it's to implement the right policies for your risk profile, in the right order, without creating operational disruption. That sequencing and judgment is where having an experienced Microsoft 365 partner makes the difference.