Frontrow Technology
← All insights & guides
Guide

Cyber — Conditional Access

Conditional Access policies every Australian Microsoft 365 tenant should run

Most Australian Microsoft 365 tenants run two or three Conditional Access policies. The recommended baseline is closer to ten. We walk through the ten policies Frontrow deploys for AU midmarket — what each does, why it matters, and the order to deploy them in.

Daniel Brown · Last reviewed 10 May 2026 · 10 min read

Microsoft Entra Conditional Access is the most consequential security control most Australian Microsoft 365 tenants own — and the most chronically under-deployed. Field experience: most AU midmarket tenants run two or three Conditional Access policies, often the Microsoft Security Defaults that came with the tenant or one custom 'require MFA' policy. The recommended baseline is closer to ten.

The policies below are what Frontrow deploys as the Australian midmarket baseline. Together they cover the Conditional Access expectations of Essential Eight ML2, the Privacy Act 2026 'reasonable steps' bar, and APRA CPS 234. Deploy in the order listed; each builds on the previous one.

Policy 1 — Block legacy authentication

Legacy authentication protocols (POP, IMAP, SMTP basic auth, older Office clients, ActiveSync without modern auth) cannot be challenged with MFA. They are the path attackers use most often after credential theft. The policy: block legacy auth across the entire tenant, with a sensible exception group for a small number of named legacy systems while migration completes. This is the single highest-leverage Conditional Access policy you'll ever deploy.

Policy 2 — Require MFA for all users

All cloud apps, all users, require MFA at sign-in. With named exclusions only for the documented break-glass accounts (which are monitored and tested monthly). Don't deploy as 'security defaults' — deploy as a Conditional Access policy you control and can audit.

Policy 3 — Require phishing-resistant MFA for privileged roles

Global Admin, Security Admin, Privileged Authentication Admin, User Admin, Exchange Admin, SharePoint Admin, Teams Admin, Application Admin — these accounts get FIDO2 or Windows Hello for Business or Authenticator passkeys, not SMS or phone MFA. Configured via the Authentication Strengths feature in Conditional Access.

Policy 4 — Block sign-in from non-AU geographies (with documented exceptions)

For most Australian businesses with no offshore staff, blocking sign-in from countries outside Australia and a small named travel list reduces attack surface materially. Implement as a 'block' policy with a named exception group for staff travelling internationally, who must request and get added before the trip. Combine with Conditional Access Continuous Access Evaluation so the block applies in real-time.

Policy 5 — Require compliant device for cloud apps

Cloud apps (Microsoft 365, all enterprise SaaS integrated to Entra) accessed only from devices marked compliant in Intune. Devices must be enrolled, encrypted, OS up to date, with EDR running. This single policy means a stolen unmanaged laptop with valid credentials cannot get into Microsoft 365.

Policy 6 — Block downloads to unmanaged devices via App Enforced Restrictions

For BYOD scenarios where MAM is in place but the device isn't fully enrolled, Conditional Access App Control via Defender for Cloud Apps applies session-level policies — block download, watermark, restrict to web access only. The user can read but can't bulk-extract content to a personal device.

Policy 7 — Risk-based sign-in challenge (Entra ID P2)

Entra ID Identity Protection assigns sign-in risk and user risk scores. Policy: medium-risk sign-in requires fresh MFA challenge; high-risk sign-in blocks. User-risk policy: high-risk user requires password reset before next sign-in. Requires Entra ID P2 (in M365 E5 or as add-on).

Policy 8 — Token persistence rules

By default, sign-in tokens persist for 90 days. For privileged roles and external-facing apps, reduce token lifetime and require re-authentication after 4–8 hours. This is the policy most operators forget and most auditors ask about.

Policy 9 — Service principal Conditional Access

Workload identities (service principals, apps that authenticate without a user) can be governed by Conditional Access in Entra ID P2. Lock down which service principals can call which APIs from which IP ranges. This is what Storm-0558 and Midnight Blizzard exploited; it's also what most AU tenants haven't enabled.

Policy 10 — Block specific high-risk apps and unblock specific low-risk patterns

Tenant-specific tail of policies for the apps and patterns unique to your environment — block consumer cloud storage, block unsanctioned AI tools, allow internal-IP-only access to sensitive admin apps. These are calibrated per tenant; the principle is that Conditional Access becomes the named choke point for any access decision the security team makes.

Deployment order matters

Don't deploy all ten on day one. The order: 1, 2, 3 first (legacy auth, MFA, phishing-resistant MFA for admins) — this gets you most of the way to Essential Eight ML1. Then 5, 6 (compliant devices, MAM) — this needs Intune to be deployed first. Then 4, 7, 8 (geography, risk-based, token lifetime). Then 9, 10 (workload identities, tenant-specific). The full rollout is typically 90 days for an Australian midmarket tenant; rushed rollouts produce policy conflicts that cause sign-in failures and erode trust.

What policy review looks like

Conditional Access policies aren't deploy-and-forget. Every policy needs a quarterly review: are the named exclusions still valid, is the exception group still small, are the new apps in the tenant covered. Microsoft's 'What If' tool lets you simulate sign-in scenarios before deploying changes — use it. The policy set is part of the quarterly board security pack.

Try it

Check the misconfiguration patterns

Companion tool covering the five Conditional Access misconfiguration patterns Frontrow finds in nearly every Australian tenant — including the report-only purgatory and weak break-glass.

10 questions · 5 domains

Conditional Access Misconfiguration Self-Check

The five Conditional Access failure patterns we find in nearly every AU tenant. Score yours against each one and see which fixes will move the needle. Pick the option closest to how your tenant is configured today.

Domain 1

Report-only purgatory

Whether new policies move out of report-only mode within a defined window, or stay there forever (and therefore enforce nothing).

  • What's the maximum time a Conditional Access policy stays in report-only mode before promotion or removal?

    Source: Microsoft Learn: Conditional Access policy report-only mode.

  • When was the last audit of which CA policies are in report-only versus enforced?

    Source: Microsoft Learn: Manage Microsoft Entra Conditional Access policies; Microsoft Sentinel CA workbook.

Domain 2

Break-glass account hygiene

Whether emergency access accounts exist, are excluded from every Conditional Access policy, are alerted on use, and are tested.

  • How many emergency access (break-glass) accounts does your tenant have?

    Source: Microsoft Learn: Manage emergency access accounts in Microsoft Entra ID.

  • When were the break-glass accounts last successfully tested?

    Source: Microsoft Learn: Manage emergency access accounts; ASD Essential Eight Maturity Model — Restrict Administrative Privileges.

Domain 3

Device compliance trust assumption

Whether 'require compliant device' policies actually require Intune compliance, or just check that the device is Entra-joined.

  • Where you have a 'require compliant device' Conditional Access policy, is there an Intune device compliance policy that actually evaluates compliance?

    Source: Microsoft Learn: Use compliance policies to set rules for devices you manage with Intune.

  • What proportion of devices accessing M365 are evaluated by an Intune compliance policy?

    Source: Microsoft Learn: Microsoft Intune device enrolment; App protection policies overview.

Domain 4

Location-based bypass scope

Whether 'trusted location' or 'corporate IP' bypasses are scoped narrowly, or applied tenant-wide such that any office IP exempts users from MFA.

  • Are any of your CA policies set to bypass MFA when the user is on a 'trusted location' (e.g. corporate office IP)?

    Source: Microsoft Learn: Using the location condition in a Conditional Access policy; Microsoft Zero Trust guidance.

  • How do you handle access from outside Australia for travelling staff?

    Source: Microsoft Learn: Configure named locations in Microsoft Entra ID; Microsoft Entra ID Protection risk policies.

Domain 5

Legacy authentication blocking

Whether legacy authentication protocols (basic auth on IMAP, POP, SMTP AUTH, MAPI) are blocked tenant-wide.

  • Is legacy authentication blocked at the Conditional Access layer?

    Source: Microsoft Learn: Block legacy authentication with Conditional Access; Microsoft retirement of basic authentication in Exchange Online.

  • Is SMTP AUTH enabled for any user mailboxes in your tenant?

    Source: Microsoft Learn: Authenticated SMTP submission in Exchange Online; Disable SMTP AUTH for the entire organisation.

This is an indicative self-assessment. It is not a substitute for a tenant-level Conditional Access review. For verified results Frontrow Technology runs an in-tenant CA policy review and produces a remediated policy set.

Want us to run this with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.

Book a chatEmail Frontrow1300 012 466