Article
Most Microsoft 365 tenants have either too few conditional access policies or too many ineffective ones. The five baseline policies every mid-market tenant should run, in priority order.
Half the Microsoft 365 tenants we audit have one of two postures: too few conditional access policies (effectively trusting anyone with a valid password) or too many overlapping policies that nobody can reason about anymore. Neither posture is doing the work conditional access is supposed to do.
Conditional access is the single highest-leverage security control in a Microsoft 365 tenant. Five policies, configured well, do most of what the average mid-market business needs. This is the starter set we deploy on day one of a security baseline engagement.
Conditional access requires Entra ID P1 (formerly Azure AD Premium P1), which is included in Microsoft 365 Business Premium, E3, and E5. If you are on an E1 or Apps for Business plan, you do not have the right license to run these policies.
Policy 5 below requires Entra ID P2 specifically. The other four work with P1.
This is the foundation. Every user signing in from any device must complete a second factor.
The configuration:
The two common mistakes are leaving service accounts without MFA and forgetting to exclude break-glass accounts. Service accounts that cannot do interactive MFA should use certificate-based authentication or token-bound credentials, not password-only sign-in. Break-glass accounts (the two emergency admin accounts you keep for tenant lockout scenarios) should be excluded from the MFA policy and protected with FIDO2 keys stored physically.
Roll this out in report-only mode first for a week. Watch for sign-ins that would have been blocked. Then enforce.
Legacy auth is any protocol that does not support MFA: POP, IMAP, SMTP AUTH, older Outlook clients, anything pre-2018. Bots love legacy auth because it is just username and password.
The configuration:
Run report-only first because a meaningful share of tenants have at least one application using legacy auth (a third-party scanner, a line-of-business app, a mail copier). Identify those, fix or replace them, then enforce.
This single policy stops the vast majority of credential stuffing attacks against Microsoft 365 tenants.
Anyone signing in to a Global Administrator, Security Administrator, Exchange Administrator, or other privileged role must be on an Intune-managed and compliant device.
The configuration:
This forces administrative actions to happen from devices your team has visibility into. It also prevents the attack pattern where a compromised admin password gets used from an attacker’s machine to escalate privileges across the tenant.
If your admin team uses BYOD, this policy needs Intune compliance to be set up first, which is its own project. Plan for that.
Most mid-market businesses have employees in a known set of countries. Sign-ins from outside those countries should not be possible without explicit exceptions for travel.
The configuration:
The exception path: when employees travel to excluded countries, they request temporary inclusion in a “Travel” group that is excluded from this policy. The IT team sets a calendar reminder to remove them when they return.
This is a blunt instrument. It also stops a category of attacks that nothing else does for free.
Entra ID P2 includes Identity Protection, which scores every sign-in for risk based on factors like impossible travel, leaked credentials, atypical location, anonymous IP, and others.
The configuration:
The policy fires when a sign-in is scored as high-risk. The user has to complete MFA and reset their password before continuing. This catches credential compromise scenarios that would otherwise sail through standard MFA.
If you have P2, run this. If you do not, the other four still cover the major attack patterns.
The order matters because some of these policies can lock out administrators if rolled out wrong:
Each step is a few hours of work. The sequence takes two to four weeks if you account for testing and exceptions.
Skip the granular per-app policies until the baseline is solid. Skip session controls (token lifetime, sign-in frequency) until you have a specific reason. Skip device-state policies (compliance for all users, not just admins) until Intune is mature in your environment.
The pattern that works: get the five baseline policies running, prove they do not break the business, then layer additional controls on top as specific risks emerge.
The pattern that does not work: deploying twelve policies on day one, having three of them conflict with each other, and discovering the problem when the CFO cannot get into Outlook on a Monday.
— Continue reading
Microsoft 365's native retention policies are not a backup, despite what your team probably thinks. Three scenarios where you will find out the hard way, and what an actual backup looks like.
From Charlotte's financial district to the Research Triangle and Greenville's manufacturing corridor, businesses across North and South Carolina are putting AI to work. Here is what is actually happening on the ground.
Most Copilot rollouts skip the measurement step, which means nobody can tell whether the per-user license cost is paying back. A six-week plan with the metrics that matter, and the ones that look impressive but mean nothing.
— Related services
Practical Microsoft-stack security: identity hardening, endpoint protection, email and data security, and the documentation auditors actually ask for.
Tailored Microsoft 365 plans, deployment, and ongoing support — designed for businesses that need reliable productivity infrastructure without the in-house overhead.
Greenville-area IT support from a Microsoft Partner. Support agreements, project work, and the team you call when something breaks.
