Conditional access for the SMB, a how-to guide
Alex Fields
**This resource was updated 09/01/2019**
Unfortunately it is not yet possible to import CA policies from JSON, the way we can for Intune compliance policies or device profiles. Nevertheless, now that Conditional access is available to all Microsoft 365 Business customers, you will want a good roadmap for getting started.
I have created just such a resource, adapted from Microsoft’s own recommendations. However, in my version, I have removed any references to features that are only available in Azure AD Premium P2 (E5 plans). Additionally, I’ve corrected a couple of things that I think were errors in the Microsoft articles.
The literature defines two sets of custom policies: a recommended set (for every customer) and a second set, which is a bit tighter, for sensitive or highly regulated businesses.
This literature will also be included with the updates to my Microsoft 365 Business Admin guide (coming soon).
*Spreadsheet design borrowed and adapted from Daniel Chronlund
Summary explanation of policies "for everyone":
- BLOCK – Guest access to specific cloud apps: Guests should generally get access to resources in SharePoint, Teams, etc., not All cloud apps.
- BLOCK – Foreign countries: This policy will block any sign-in attempts from countries outside of those from which the company does business.
- ALLOW – Require MFA in untrusted contexts: Sign-ins from devices which are not yet enrolled and compliant, and which are not coming from a corporate location, will be caught by this policy, and the user must perform MFA successfully to gain access.
- BLOCK – Legacy protocols: IMAP, POP, SMTP and other legacy client protocols will be blocked by this policy.
- BLOCK – Exchange ActiveSync: Older email client apps that depend on EAS will be blocked by this policy. Use only if you are requiring mobile devices to use Modern authentication apps (Microsoft apps).
- ALLOW – Require approved apps for mobile devices: iOS and Android devices must use the Outlook app and other approved Microsoft applications to gain access to resources. The native mail app will be blocked.
- ALLOW – Require compliant PC devices: Windows and Mac devices must be enrolled and compliant with Intune policy in order to use modern apps such as Outlook and OneDrive.
Sensitive / highly regulated businesses:
- BLOCK – Unsupported device platforms: Prevents unsupported devices (e.g. Chromebooks) from connecting.
- ALLOW – Always require MFA: Replaces the policy Require MFA in untrusted contexts. Users must always perform MFA to gain access to resources.
- ALLOW – Require MFA for guests: Enforces MFA for guest users
- ALLOW – Require compliant PC and mobile devices: Replaces the policy Require compliant PC devices; all devices must become enrolled to gain access via modern apps such as Outlook and OneDrive–mobile and desktop/laptop computer alike.
- SESSION – Block web downloads on unmanaged devices: Allows web browser access, but prevents unmanaged computers from downloading content over the web from SharePoint/OneDrive and Exchange Online.
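Because block policies always win and every matching grant control must be satisfied, it helps to trace how the two policy sets above combine for a concrete sign-in. The following is an added illustration (not code from the post, and not Microsoft's evaluation engine): a toy evaluator that models a sign-in as a small record and applies both the "for everyone" set and the sensitive/regulated set. The field names, the example country allow-list, the client type labels and the way "trusted context" is derived (compliant device or named corporate location) are assumptions made for the example.

```python
"""Toy Conditional Access evaluator for the two policy sets in this guide.

Added example: this is NOT Azure AD's real engine and not code from the post.
It applies the same ordering a practitioner reasons with: any matching BLOCK
denies the sign-in; otherwise every matching ALLOW (grant) control must be
satisfied; SESSION controls shape an allowed session rather than deny it.
"""
from dataclasses import dataclass, field

# Constructed example values (assumptions, not from the post)
ALLOWED_COUNTRIES = {"US", "CA"}                # countries the business operates from
LEGACY_CLIENTS = {"imap", "pop", "smtp", "other_legacy"}
SUPPORTED_PLATFORMS = {"windows", "macos", "ios", "android"}
MOBILE = {"ios", "android"}
PC = {"windows", "macos"}


@dataclass
class SignIn:
    user_type: str               # "member" or "guest"
    country: str                 # ISO country code of the sign-in location
    client: str                  # "browser", "modern_app", "eas", "imap", "pop", "smtp", "other_legacy"
    platform: str                # "windows", "macos", "ios", "android", "chromeos", ...
    app: str                     # target cloud app, e.g. "sharepoint", or "all"
    compliant: bool = False      # device enrolled and compliant with Intune policy
    corp_location: bool = False  # request comes from a named corporate location
    approved_app: bool = False   # client is an Intune-approved app (e.g. Outlook mobile)
    mfa: bool = False            # MFA completed in this session


@dataclass
class Decision:
    allowed: bool
    blocked_by: list = field(default_factory=list)        # BLOCK policies that matched
    unmet: list = field(default_factory=list)             # ALLOW controls not satisfied
    session_controls: list = field(default_factory=list)  # SESSION controls applied


def evaluate(s: SignIn, regulated: bool = False) -> Decision:
    """Evaluate one sign-in against the 'for everyone' set (regulated=False)
    or the sensitive/highly regulated set (regulated=True)."""
    blocked, unmet, session = [], [], []

    # BLOCK policies: a single match denies the sign-in outright
    if s.user_type == "guest" and s.app == "all":
        blocked.append("BLOCK - Guest access to specific cloud apps")
    if s.country not in ALLOWED_COUNTRIES:
        blocked.append("BLOCK - Foreign countries")
    if s.client in LEGACY_CLIENTS:
        blocked.append("BLOCK - Legacy protocols")
    if s.client == "eas":
        blocked.append("BLOCK - Exchange ActiveSync")
    if regulated and s.platform not in SUPPORTED_PLATFORMS:
        blocked.append("BLOCK - Unsupported device platforms")

    def require(name: str, satisfied: bool) -> None:
        if not satisfied:
            unmet.append(name)

    # ALLOW policies: every matching grant control must be satisfied
    if regulated:
        # "Always require MFA" replaces the untrusted-context policy;
        # guests are covered by their own MFA policy.
        if s.user_type == "guest":
            require("ALLOW - Require MFA for guests", s.mfa)
        else:
            require("ALLOW - Always require MFA", s.mfa)
    else:
        trusted = s.compliant or s.corp_location
        require("ALLOW - Require MFA in untrusted contexts", trusted or s.mfa)

    if s.platform in MOBILE and s.client == "modern_app":
        require("ALLOW - Require approved apps for mobile devices", s.approved_app)

    # Regulated set widens the compliant-device requirement to mobile devices
    compliant_scope = (PC | MOBILE) if regulated else PC
    if s.platform in compliant_scope and s.client == "modern_app":
        name = ("ALLOW - Require compliant PC and mobile devices" if regulated
                else "ALLOW - Require compliant PC devices")
        require(name, s.compliant)

    # SESSION control: browser access stays allowed, downloads are blocked
    if regulated and s.client == "browser" and not s.compliant:
        session.append("SESSION - Block web downloads on unmanaged devices")

    return Decision(allowed=not blocked and not unmet, blocked_by=blocked,
                    unmet=unmet, session_controls=session)


if __name__ == "__main__":
    # Constructed scenarios for a quick walk-through
    scenarios = {
        "IMAP from Windows": SignIn("member", "US", "imap", "windows", "exchange"),
        "Home PC browser, no MFA": SignIn("member", "US", "browser", "windows", "sharepoint"),
        "Compliant iPhone, Outlook": SignIn("member", "US", "modern_app", "ios", "exchange",
                                            compliant=True, approved_app=True),
        "Guest from abroad": SignIn("guest", "DE", "browser", "windows", "sharepoint", mfa=True),
    }
    for label, signin in scenarios.items():
        for regulated in (False, True):
            print(f"{label:28s} regulated={regulated!s:5s} -> {evaluate(signin, regulated)}")
```

Running the script prints the decision for each scenario under both policy sets; for example, the compliant iPhone is allowed under the recommended set (its compliance counts as a trusted context) but still needs MFA under the regulated set, and a non-compliant home PC in a browser is allowed with MFA but gets the download-blocking session control in the regulated set.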