IT Insight: Microsoft 365 Conditional Access Policies

According to Microsoft, Conditional Access is the protection of regulated content in a system by requiring certain criteria to be met before access to the content is granted. Conditional Access policies at their simplest are if/then statements: if a user wants to access a resource, then they must complete an action. Microsoft 365 Conditional Access policies define who is allowed to access what data, through which applications, and on which devices. For example, conditional access means a user must meet a defined set of criteria to access their email, their SharePoint or OneDrive data, or any application that signs in through MS 365 single sign-on.

Learn more about Conditional Access Policies by listening to our Tech Tuesday podcast!

Accessing data from company-owned laptops and mobile devices should carry different security requirements than accessing data from a personal computer at home. From a personal device at home or in another location, multifactor authentication should be required, using a second factor such as an authenticator app on your phone, an SMS message, or an email to a secondary address, to verify who you are and that you are accessing the data in a controlled manner.

From an operations standpoint, a controlled environment is necessary. From a security standpoint, you can determine who has access to what information, i.e., Human Resources, Finance and Accounting, Technical, Sales, Remote Workforce, etc. A controlled information environment is a smart business decision.

There are multiple MS 365 plans. One of the best products Microsoft has released is the Microsoft Premium package, which costs $22 per user per month with an annual commitment. Microsoft Basic, which is email only, includes access to Teams, OneDrive, and SharePoint, but most companies are on Microsoft Standard, which includes Office and the email component, SharePoint, Teams, and OneDrive. These products do not include the policies of Microsoft Premium.

Policies should be enforceable and balanced. For example, session limits can be enabled to require MFA on the first local login at work each day, week, or month. When a user is out of the office, the policy can require two-factor authentication more often once the device leaves the office's public IP address. For instance, if a device is taken out of the country, protect your data by requiring multifactor authentication, which thwarts international phishing attacks. Make it harder for attackers and you lower the risk of the platform being attacked.

Everything in tech security follows "trust but verify." A conscientious business owner will designate an administrative account to audit security policies. This is useful for compliance and liability, strengthens security, and is an asset to your IT Manager. It is important to "inspect what you expect" and to use a trusted source, such as an MSP or co-managed IT service provider assisting your internal IT Manager, to verify resources and outcomes.

The top conditional access policies to consider focus on the device you are using and include conditional access policies that work with mobile device management policies. If you have sensitive data, you may allow employees to access it from a web browser on a personal machine using multifactor authentication, but you can set standards for that device, such as BitLocker encryption, so that company data is denied to anyone who steals it. In the simplest form, policies relate to what device is connecting, then define where that device is connecting from, and ensure that the security groups you have defined are assigned different access levels.
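The location- and device-based rules from the two paragraphs above, expressed as a single report-only Conditional Access policy. This is an added example built with the Microsoft Graph PowerShell SDK, not code from the original post or from PCG; it assumes the Microsoft.Graph.Identity.SignIns module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and that "trusted" named locations (such as the office public IP) already exist in the tenant. The excluded object ID is a placeholder for your emergency-access account.

```powershell
# Added example (not from the original post): a report-only Conditional Access policy
# that requires MFA or a compliant (MDM-managed, e.g. BitLocker-enforced) device for
# all cloud apps when the sign-in comes from outside the tenant's trusted locations,
# and re-prompts for authentication once per day.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: replace with the object ID of your break-glass / emergency-access account
# so a misconfigured policy can never lock every administrator out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA010 - Require MFA or compliant device outside trusted locations"
    # Report-only: sign-ins are evaluated and logged, but nothing is blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations flagged as trusted
        }
        clientAppTypes = @("all")                 # browsers, desktop and mobile clients
    }
    grantControls   = @{
        operator        = "OR"                    # either control satisfies the policy
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "days"
            value     = 1                         # re-authenticate at least once a day
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs for a few days, confirm the expected users and devices would have passed, and only then change `state` to `"enabled"`.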

With policies, security, risk assessment, and proper compliance in place, Microsoft 365 has also made transitioning from a typical on-premises server environment, where your files and applications live, to the 365 environment with software as a service in the cloud much smoother.

Co-managed IT or Managed Services through PCG will enable you to meet your access policy goals and maintain a safe, secure environment. Start the New Year safe and secure! Trust PCGiT for all your network security needs!

JoAnn Hodgdon is vice president and co-founder of Portsmouth Computer Group (PCGiT) with her husband David.

PCG provides comprehensive managed IT services, business continuity, security, cloud computing and Virtual CIO services to their clients.

You can reach her at joann@pcgit.com or at www.pcgit.com.