This article was originally posted in the Microsoft 365 blog.
Over the past several months you’ve told us that adding Conditional Access to Microsoft 365 Business would help it secure SMB customers more comprehensively. Today, we are excited to announce the availability of Conditional Access for Microsoft 365 Business subscribers, enabling small and medium-sized businesses to enforce granular control on how company resources are accessed. Conditional Access policies and configurations available to Microsoft 365 Business subscribers are the same as those available to Azure Active Directory Premium P1 subscribers.
Why is Conditional Access important?
Are you concerned that employees at your company can access sensitive business data from mobile phones and personal or home devices that have no oversight?
Are you concerned that employees are downloading company data to personal apps and storage locations that cannot be wiped when they leave?
Do you want to ensure that employees can only access your network from certain locations and block access from other locations?
Conditional Access helps you do exactly that! By configuring Conditional Access policies you can maintain control over how and where your company data is accessed, making your business more secure. You can define exact criteria for who can gain access and block those who don’t meet the criteria. The criteria can be based on factors like the type of device, app and location.
Benefits of Conditional Access
There was a time when it seemed like keeping business data behind a firewall in your office network and limiting access from the outside world was enough to protect your business. Today, company information is in the cloud and you need a way to provide employees with options to access it from a variety of locations and devices. Conditional Access enables Zero Trust security, helping you provide this access while maintaining control over “where, when and who” is connecting to your Office 365 environment; so you can protect company assets while also enabling employees to be productive from anywhere.
For example, you can define a Conditional Access policy that evaluates sign-in connections from mobile devices to Exchange Online, and requires employees use Outlook for iOS and Android to successfully access their work email and calendar. This gives your organization the security and productivity advantages of an email and calendar app built specifically for the Office 365 cloud.
Conditional Access and Azure Multi-Factor Authentication
Microsoft 365 Business includes advanced Azure Multi-Factor Authentication (MFA) capabilities that you can configure together with Conditional Access policies in order to gain additional assurance that account logins are made by the account’s legitimate owner. For example, you could create a single policy that requires MFA when someone accesses from a location that is not trusted (for example, a country in which you don’t do business in). This way, a user signing in from a known location can still gain access to company resources while a user signing in from an untrusted location will be required to verify their identity through MFA before getting access.
Enabling Conditional Access
Microsoft 365 Business customers can enable Conditional Access via the Azure Directory settings in the Azure portal. For more information on how to configure Conditional Access policies, please see the article What is Conditional Access.
Microsoft 365 Business: A comprehensive security solution for SMBs
With Microsoft 365 Business, you have access to a comprehensive security solution specifically designed and priced for organizations with less than 300 employees. Ever since the launch of Microsoft 365 Business in October 2017, we’ve been incorporating customer and partner feedback and evolving Microsoft 365 Business to meet the needs of a changing security landscape. For more information on the features available in Microsoft 365 Business, please refer to the Microsoft 365 Business Service Description
Frequently Asked Questions:
1. What features are included under Conditional Access in Microsoft 365 Business?
Conditional Access policies and configurations available to Microsoft 365 Business subscribers are the same as those available to Azure Active Directory Premium P1 subscribers.
- User targeting based on username, group and role
- Per app targeting
- By location – only allow access from trusted IP ranges or specific countries
- By app type – browser, desktop / mobile apps using modern auth and legacy authentication
- Require MFA
- Require compliant or domain joined device
- Require apps using Intune app protection
- Custom authentication factors (custom controls) – MFA with 3rd party MFA providers, (e.g. DUO or RSA)
2. Does this mean that Azure Active Directory Premium P1 is now included in Microsoft 365 Business?
No, Azure AD Premium P1 (AADP P1) is not included in Microsoft 365 Business. Microsoft 365 Business subscribers are entitled to the AADP P1 features most relevant to small and medium-sized businesses:
- Self-service password reset for hybrid Azure
- Azure Multi-factor Authentication
- Conditional Access
3. Is Conditional Access available to Office 365 Business Premium subscribers?
No, Conditional Access is not available to Office 365 Business Premium subscribers; it is a Microsoft 365 Business entitlement.
4. When will Conditional Access be available to Microsoft 365 Business Subscribers?
Conditional Access is already available for all Microsoft 365 Business subscribers. Customers can configure granular Conditional Access Policies via the Azure Active Directory Settings in the Azure Portal