In this blog post Conditional Access Mistakes That Put Microsoft 365 at Serious Risk we will look at the common configuration gaps that quietly expose Microsoft 365 environments, and what business leaders can do about them.
Most Microsoft 365 security problems do not start with a dramatic system failure. They start with something far more ordinary: a staff member signs in from a personal laptop, an old email app bypasses modern security, or an administrator account is excluded from protection because someone was worried about being locked out.
From the outside, everything still looks fine. Email works. Teams works. SharePoint works. But if Conditional Access is poorly designed, your Microsoft 365 tenant โ your organisationโs Microsoft cloud environment โ may be trusting the wrong people, the wrong devices, or the wrong sign-in methods.
What Conditional Access does in plain English
Conditional Access is a Microsoft Entra feature that controls who can access Microsoft 365, from where, on which device, and under what conditions. Microsoft Entra is the identity system behind Microsoft 365 โ it decides whether a user should be allowed to sign in.
Think of Conditional Access as the security guard at the front door. It asks practical questions: is this really your employee, are they using a safe device, are they in a risky location, and are they trying to access sensitive company data?
If the answer looks risky, Conditional Access can require multi-factor authentication, which is an extra sign-in check such as an app approval or security key. It can also block the sign-in, limit access, or require the device to meet company security standards through Microsoft Intune, which manages and secures company laptops, phones, and tablets.
Done well, Conditional Access reduces the chance of account takeover, data leakage, ransomware entry points, and compliance gaps. Done badly, it can create a false sense of security.
Mistake 1 Overconfidence because MFA is turned on
Many organisations believe they are safe because multi-factor authentication is enabled. That is a good start, but it is not the finish line.
The problem is that MFA can be applied unevenly. We often see tenants where office staff are prompted for MFA, but administrators, external guests, shared accounts, older mail protocols, or certain cloud apps are missed.
That gap matters. Attackers do not care that 90 percent of your users are protected. They only need the one account that is not.
For Australian organisations working toward Essential 8 alignment โ the Australian governmentโs cybersecurity framework that many organisations use to reduce cyber risk โ MFA is a key control. But the business outcome is bigger than ticking a compliance box. It is about making stolen passwords far less useful.
A practical question for leadership is simple: can your IT team show exactly which users, admin accounts, apps, and access methods are covered by MFA? If not, there is probably work to do.
Mistake 2 Excluding too many people from policies
Exceptions are where good security policies often go to die.
It usually starts with a reasonable request. A senior executive travels often and finds MFA annoying. A finance user has trouble accessing a legacy app. A contractor needs quick access. Someone adds an exclusion, intending to come back later.
Six months later, nobody remembers why the exclusion exists.
Exclusions are not automatically bad. Every tenant should have carefully controlled emergency access accounts, often called break-glass accounts, which are used only if normal administrator access fails. But these accounts should be heavily monitored, rarely used, and reviewed often.
The mistake is treating exclusions as convenience settings. If your CEO, CFO, IT admin, or external partner is excluded from Conditional Access, the business risk is higher, not lower. Those are exactly the accounts attackers would love to compromise.
At CloudProInc, we often recommend that exceptions have an owner, a business reason, an expiry date, and logging. If nobody can explain why an exception exists, it should be challenged.
Mistake 3 Ignoring unmanaged devices
A userโs password may be correct. Their MFA prompt may be approved. But what if they are signing in from a personal laptop full of browser extensions, saved passwords, and no security controls?
This is one of the most common gaps we see in mid-sized organisations. Staff access Microsoft 365 from home computers, contractor devices, personal phones, or old machines that were never enrolled into Intune.
Intune is Microsoftโs device management platform. In plain English, it helps confirm that a device is known, encrypted, patched, protected, and following company rules before it can access company data.
Conditional Access and Intune should work together. Conditional Access asks, โShould this user be allowed in?โ Intune helps answer, โIs this device safe enough?โ
We covered this in more depth in How Conditional Access and Intune Work Together to Protect Your Business, but the key point is simple: identity security without device control leaves a major opening.
For a 200-person business, unmanaged device access can turn into a data loss problem very quickly. One compromised home PC may expose email, OneDrive files, Teams chats, customer records, and finance documents.
If your organisation allows unmanaged devices, make sure it is a conscious business decision โ not an accidental default.
Mistake 4 Trusting locations too much
Some businesses still rely heavily on location-based rules. For example, they may trust sign-ins from the office network and apply stricter controls everywhere else.
This sounds logical, but it can be risky. Many staff now work from home, from client sites, from airports, and from mobile networks. Attackers can also use compromised devices, VPN services, or cloud infrastructure to make sign-ins look less suspicious.
Trusted locations can still be useful, but they should not be the foundation of your security model. A sign-in from the office should not automatically mean the user is safe. A sign-in from another country should not be ignored just because MFA was completed.
A stronger approach considers multiple signals together: user identity, device health, location, risk level, app sensitivity, and the type of authentication used. That gives the business better protection without blocking legitimate work.
The outcome is fewer blanket rules and fewer frustrating prompts, while still making life harder for attackers.
Mistake 5 Making policies too complicated to manage
Conditional Access is powerful, but it can become messy fast.
We have reviewed tenants with dozens of overlapping policies, unclear names, old test rules, undocumented exclusions, and no obvious owner. Nobody wanted to touch anything because nobody was sure what would break.
This is dangerous for two reasons. First, gaps become harder to find. Second, future changes become slower and more expensive because every update requires detective work.
A clean Conditional Access design should be understandable. Your IT team should be able to explain what each policy does, who it applies to, what risk it reduces, and what would happen if it were removed.
For most 50โ500 employee organisations, a practical set of policies usually covers administrator protection, MFA for users, unmanaged device control, guest access, risky sign-ins, legacy authentication blocking, and access to sensitive apps.
If your policies have grown organically over several years, it may be time for a structured review. Our Conditional Access Checklist for Microsoft 365 Tenants in 2026 is a useful starting point.
A real-world scenario we see often
A mid-sized professional services firm came to us after a security review raised concerns about Microsoft 365 access. They had MFA enabled and assumed the environment was in good shape.
When we looked closer, three issues stood out. Several administrators were excluded from Conditional Access. Contractors could access SharePoint from unmanaged personal devices. A legacy mail setting allowed older authentication methods that did not meet the companyโs current security expectations.
No single issue looked catastrophic on its own. Together, they created a realistic path for account compromise and data exposure.
The fix was not a huge rebuild. We cleaned up exclusions, introduced Intune compliance requirements for higher-risk access, blocked outdated access methods, tested policies in report-only mode before enforcement, and created a simple review process.
The business outcome was clear: reduced account takeover risk, stronger Essential 8 alignment, better visibility for leadership, and fewer unknowns for the IT team.
What business leaders should ask their IT provider
You do not need to configure Conditional Access yourself. But you should be able to ask good questions and get clear answers.
- Which users and administrator accounts are excluded from Conditional Access, and why?
- Are unmanaged personal devices allowed to access email, Teams, SharePoint, or OneDrive?
- Do we block older sign-in methods that bypass modern security controls?
- Are guest users and contractors covered by appropriate access rules?
- Do we test new policies before switching them on?
- How often are Conditional Access policies reviewed?
- Can we produce evidence to support Essential 8 or audit requirements?
If the answers are vague, that is a warning sign. Security should not depend on undocumented assumptions.
How to reduce the risk without disrupting staff
The best Conditional Access projects are careful and staged. Turning on aggressive policies overnight can lock people out and damage trust.
A safer approach is to assess the current tenant, identify gaps, test changes in report-only mode, communicate with affected users, and then enforce policies in stages. Report-only mode means Microsoft logs what would have happened without actually blocking users, which helps avoid surprises.
It is also worth reviewing related Microsoft 365 settings. Conditional Access is important, but it works best alongside Microsoft Defender, which helps detect and respond to threats, and Intune, which manages device security.
For organisations using Wiz for cloud security, Conditional Access should also form part of a broader view of identity, cloud exposure, and data risk. As a Microsoft Partner and Wiz Security Integrator, CloudProInc often helps clients connect these pieces so security is practical, not fragmented.
The bottom line
Conditional Access is one of the most important controls in Microsoft 365. But it is not a set-and-forget feature.
The biggest risks usually come from small mistakes: too many exclusions, unmanaged devices, overreliance on location rules, inconsistent MFA, and policies nobody has reviewed for years.
For CIOs, CTOs, IT managers, and business owners, the goal is not to make Microsoft 365 harder to use. The goal is to make sure the right people can access the right data from the right devices, while reducing the chance of a costly breach.
CloudProInc is based in Melbourne and works with organisations across Australia and internationally. With 20+ years of enterprise IT experience across Azure, Microsoft 365, Intune, Windows 365, Microsoft Defender, OpenAI, Claude, and Wiz, we take a hands-on approach to making cloud security understandable and workable.
If you are not sure whether your Conditional Access policies are protecting the business or just looking good on paper, we are happy to take a look โ no strings attached.
Discover more from CPI Consulting
Subscribe to get the latest posts sent to your email.