HomeWinBuzzer NewsMicrosoft to Implement Mandatory Conditional Access Policies for Microsoft 365 Users

Microsoft to Implement Mandatory Conditional Access Policies for Microsoft 365 Users

Microsoft is activating Conditional Access policies to enforce multifactor authentication (MFA) for specific Microsoft 365 licenses


has announced plans to activate Microsoft Entra ID Conditional Access policies for certain licenses. The imminent activation marks a significant step in Microsoft's commitment to bolstering the security landscape for its user base. Starting in February and extending into March, these policies will mandate multifactor authentication protocols, particularly for administrative portals, individual user cloud app licenses, and accounts identified as high-risk.

Policy Rollouts and IT Preparations

IT professionals are advised to examine these Entra ID policies in advance of their activation, to ensure alignment with organizational needs. Necessary alterations and deactivations should be completed ahead of the planned deployment period. Conditional Access policies are currently operational in a passive, “report-only mode” which allows organizations to observe potential policy impacts without enforcement. Transitioning from this consultative state, Microsoft will advance these policies into active enforcement stages.

Conditions and Customizations for Organizations

Despite a framework of enhanced security standards, Microsoft recognizes the diversity of organizational requirements, promoting granular control over these new security measures. Microsoft-managed Conditional Access policies are configured to offer a balance between recommended security practices and individual customization options. Notably, certain legacy protocols may still require support, and exceptions may be necessary for particular automated processes.

Alex Weinert, Vice President of Identity Security at Microsoft, has highlighted the effectiveness of multifactor authentication in curbing phishing attacks. Drawing from the success seen within consumer Microsoft accounts, where a more than 80 percent reduction in account compromises was observed, a similar approach is now being extended to corporate tenancies.

The initiative to deliver these Conditional Access policies was first discussed by Weinert in November, outlining the strategic implementation of security defaults. The future of Conditional Access policies includes combining machine learning-based insights with automated policy rollout to tailor security measures to specific organizational profiles. However, a timeline for these sophisticated customizations has not yet been disclosed.

As the activation date approaches, partners and businesses covered by Microsoft 365 E3, E5, and Business Premium plans must review and prepare for Microsoft's strategy to enforce these enhanced security measures, offering a proactive defense against sophisticated threats.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.