New Year, New Lock: How Conditional Access Might Save Your Business

The Cybersecurity Cheat Code You Never Knew About
By now, I think we’ve all heard of multifactor authentication (MFA). You know, that thing that sends you a code to log into your accounts? Or maybe you use an authenticator app, which is even better. However you get those codes (and however annoying you find the whole process), MFA is the quickest and easiest cybersecurity tool you can set up today to protect all your online accounts.
But what if I told you that MFA was just the beginning?
If MFA is the bouncer checking IDs at the door, conditional access is the private eye Betty hired to find her cheating husband. Sorta. Okay, not really, but I’m too deep into this analogy to stop now.
Basic MFA asks for an extra code before it grants access. If that code is spoofed, or if you’ve checked the dreaded “remember me on this device” box, it can be bypassed. Hackers don’t even need your login for this; they just need a browser session token, which is a whole other nightmare story. [1]
Conditional access looks for more than just a code. It looks at your sign-in history and at the rules your organization has put in place, and it asks further questions: [2]
- Who is signing in?
- Where are they?
- What device are they using, and have they used it before?
- How risky does this sign‑in look?
If everything looks normal, access is smooth. If you were just logged in on your work laptop at the office fifteen minutes ago and now you’re trying to log in from an iPad in Singapore, that’s a red flag, and the system can ask for MFA to prove it’s really you. If it looks too risky, the system can block access entirely.
Sometimes, you just forgot to turn off the VPN on your iPad. Sometimes, it’s not you trying to log in. The system won’t take that chance.
Conditional access marks a shift from “default allow” to “default deny,” which is the core of what we call Zero Trust. No one is trusted by default. Every sign‑in is validated. Every time.

Why Should Alberta Businesses Care?
Hybrid Work
The work landscape has changed. Remote and hybrid work is on the rise, and employees aren’t always at their desks anymore. Heck, I recently spent six hours shut in a broom closet to record voice-overs for a marketing video. And when I need to be in Medicine Hat for an event, I’ve found myself logging in to my laptop to make last-minute tweaks to a video or presentation. And yes, when I access my files at midnight from a hotel in Medicine Hat, when I normally work nine-to-five at the Drumheller office, the system raises a virtual eyebrow. And that’s good.
Having conditional access means that even if someone manages to steal an employee’s username and password, they’ll still find it hard to sign in if they’re using a new device in a strange place (which most hackers will be).
The Cost of Downtime
I don’t know about you, but if we were hit by ransomware and our systems went down, it would cost us pretty dearly. And I’m not just talking about the thousands of dollars per hour that we’d lose by having business operations grind to a halt. It would also cost us our reputation. And as I’m sure you know, that’s everything. Once you lose client and community trust, it’s over.
Doesn’t it make more sense to stop the attack before it can happen?

Not Just About Logins
Another fundamental part of Zero Trust is a user’s level of access. Not every employee needs access to everything in your company; they only need the files, apps, and data required to do their job. Microsoft calls this least privilege: the minimum set of permissions needed to do the job. [3] That way, if someone’s account is compromised (or worse, they themselves try to steal data) but they only have limited access to sensitive information, it’s not as critical as if they had the digital keys to the kingdom. Still bad, just not as bad.
Many of our staff do not even have permission to install apps from the Microsoft Store, and need to get someone with higher privilege to approve it.
Role-Based Access
Conditional access can take things a step further by preventing access to files and applications that the user doesn’t need to use. For example, if a user who isn’t in your finance department tries to open your payroll app, that’s suspicious, and the system can request MFA or block access outright. If the risk is deemed high enough, it can even require a secure password change for that account. [4]
Device-Based Access
If you want to tighten security even more, you can give a user access to said payroll app, but only if they’re using their work computer (a compliant device). [4] That way, if their account is compromised, the hacker still can’t access that sensitive app without using a managed company computer. And you can do this with any cloud app, from SharePoint to Teams, even OneDrive. Neat, huh?
I’m sure you can agree that being able to control access to company files, apps, and information based on an employee’s role within the company or the device they’re using is incredibly valuable for keeping you safe and secure.
Taking Things Even Further with Session Controls
I could go on about conditional access all day; there’s so much to talk about. But I won’t, I promise. There’s just one last thing I want to touch on, and that’s session controls for cloud apps.
Like many businesses, we use SharePoint to create a sort of internal internet (an intranet). We share files, naturally, but also post internal how-to articles, guides, policies, all sorts of things. Now, as long as I have permission to access a file, I can view and download that file to my work computer. No problem.
But what if I need to check something on my personal laptop at home? Not so easy.
We can configure our conditional access rules to prevent uploads and downloads on unmanaged devices, such as home computers. We can even limit access to data when using an unfamiliar device.
Or we could require users to re-authenticate regularly, say every 8 hours. [4] Then even if an intruder got in, they’d be kicked out and trigger an alert the next time they couldn’t authenticate. Did you know the average time an intruder sits undetected on a network is over 200 days? [5] That’s six and a half months. Session controls can be crucial for detecting threats sooner.
And if we really want to tighten security, we can make it so that every time you close your web browser and open a new one, you have to sign in again (no persistent browser sessions). [4] Remember what I said earlier about browser session tokens being a vulnerability? Not with session controls.
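To make the decision logic concrete, here is an added Python example (not code from this post, and not Microsoft’s engine) that models the rules described above: the who/where/device/risk signals, the role- and device-based payroll rules, and the session controls (download blocking on unmanaged devices, an 8-hour sign-in frequency, no persistent browser). The policy dictionaries are loosely shaped after the Microsoft Graph conditionalAccessPolicy resource so the mapping to a real Entra tenant is recognisable, but the evaluator itself, its key names (deviceFilter, blockDownloads, signInFrequencyHours, the “reauthenticate” control) and the sample users, groups, apps and sign-ins are constructed for illustration and simplify how Entra actually evaluates policy.

```python
"""Toy conditional access evaluator (added illustration, not Microsoft's engine).
Simplified rules: conditions inside one policy are AND-ed, every matching
policy applies, a block anywhere wins, and an unsatisfiable grant control
(e.g. compliant device required but absent) also results in a block."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the policy engine sees it (constructed data)."""
    user: str
    groups: frozenset
    app: str
    country: str
    device_compliant: bool   # managed company device passing compliance checks
    known_device: bool       # has this device signed in for this user before?
    sign_in_risk: str        # "none", "low", "medium" or "high"
    last_auth: datetime      # when this session last completed authentication


# Constructed policy set mirroring the rules described in the post.
POLICIES = [
    {"name": "Block high-risk sign-ins",
     "conditions": {"signInRiskLevels": ["high"]}, "grant": ["block"]},
    {"name": "MFA on medium-risk sign-ins",
     "conditions": {"signInRiskLevels": ["medium"]}, "grant": ["mfa"]},
    {"name": "MFA from unfamiliar devices",
     "conditions": {"deviceFilter": "unknown"}, "grant": ["mfa"]},
    {"name": "MFA outside Canada",
     "conditions": {"locations": {"include": ["All"], "exclude": ["CA"]}},
     "grant": ["mfa"]},
    {"name": "Payroll: block everyone except Finance",
     "conditions": {"apps": ["Payroll"],
                    "users": {"include": ["All"], "excludeGroups": ["Finance"]}},
     "grant": ["block"]},
    {"name": "Payroll: Finance must use a compliant device",
     "conditions": {"apps": ["Payroll"], "users": {"include": ["Finance"]}},
     "grant": ["compliantDevice"]},
    {"name": "Unmanaged devices: no downloads, no persistent browser",
     "conditions": {"deviceFilter": "notCompliant"},
     "session": {"blockDownloads": True, "persistentBrowser": "never"}},
    {"name": "Re-authenticate every 8 hours",
     "conditions": {}, "session": {"signInFrequencyHours": 8}},
]


def policy_applies(policy: dict, s: SignIn) -> bool:
    """Every condition a policy sets must match (AND); unset ones match anything."""
    c = policy["conditions"]
    users = c.get("users", {"include": ["All"]})
    if "All" not in users["include"] and not (s.groups & set(users["include"])):
        return False
    if s.groups & set(users.get("excludeGroups", [])):
        return False
    if "apps" in c and "All" not in c["apps"] and s.app not in c["apps"]:
        return False
    if "signInRiskLevels" in c and s.sign_in_risk not in c["signInRiskLevels"]:
        return False
    loc = c.get("locations")
    if loc and s.country in loc.get("exclude", []):
        return False
    if c.get("deviceFilter") == "unknown" and s.known_device:
        return False
    if c.get("deviceFilter") == "notCompliant" and s.device_compliant:
        return False
    return True


def evaluate(s: SignIn, now: datetime, policies=POLICIES) -> dict:
    """Combine all matching policies into one decision: block, allow or challenge."""
    matched = [p for p in policies if policy_applies(p, s)]
    names = [p["name"] for p in matched]
    grants = {g for p in matched for g in p.get("grant", [])}
    session: dict = {}
    for p in matched:
        session.update(p.get("session", {}))

    if "block" in grants:
        return {"result": "block", "policies": names}
    # A grant control the sign-in cannot satisfy is a block, not a prompt.
    if "compliantDevice" in grants and not s.device_compliant:
        return {"result": "block", "reason": "compliant device required", "policies": names}

    required = sorted(grants - {"compliantDevice"})
    hours = session.get("signInFrequencyHours")
    if hours is not None and now - s.last_auth > timedelta(hours=hours):
        required.append("reauthenticate")   # toy name for the sign-in-frequency prompt
    result = "challenge" if required else "allow"
    return {"result": result, "required": required, "session": session, "policies": names}


# Constructed sign-ins following the post's scenarios.
NOW = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
FIN = frozenset({"Finance"})
OFFICE = SignIn("ana", FIN, "SharePoint", "CA", True, True, "none", NOW - timedelta(hours=1))
SINGAPORE_IPAD = SignIn("ana", FIN, "SharePoint", "SG", False, False, "medium",
                        NOW - timedelta(minutes=15))
MARKETING_PAYROLL = SignIn("ben", frozenset({"Marketing"}), "Payroll", "CA", True, True, "none", NOW)
FINANCE_HOME_PAYROLL = SignIn("ana", FIN, "Payroll", "CA", False, True, "none", NOW)
STALE_SESSION = SignIn("ana", FIN, "Teams", "CA", True, True, "none", NOW - timedelta(hours=9))
```

Run `evaluate(SINGAPORE_IPAD, NOW)` and you get a challenge for MFA plus the blockDownloads and persistentBrowser session controls; `evaluate(MARKETING_PAYROLL, NOW)` is blocked by the payroll role rule, `evaluate(FINANCE_HOME_PAYROLL, NOW)` is blocked because the compliant-device grant cannot be satisfied, and `evaluate(STALE_SESSION, NOW)` demands re-authentication because the 8-hour window has lapsed. The one design point worth noting is that the “only Finance may use Payroll” rule is expressed as an explicit block policy with Finance excluded, which is the same include-all/exclude-group pattern used in real Entra tenants to get default-deny behaviour.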

Final Thoughts: Who Is Conditional Access For?
Everyone. Every single business, no matter how small, should be using conditional access. Heck, if I had the ability, I’d use it for my personal devices at home. Being able to restrict access to accounts and information based on location, device, even which web browser you’re using is such a powerful cybersecurity tool.
For our managed IT clients, we do this already, and we work with you to tailor conditional access rules to your company’s unique needs. If you ever have any questions about your setup, just give us a call or reach out to your account manager. We’re always here.
For everyone else, we offer free cybersecurity consults to assess your needs, address chinks in your digital armour, and prescribe solutions. Every recommendation we make, from hardware to security posture, is based on decades of experience and your best interests.
Our mission is to empower businesses with reliable, forward-thinking technology that supports growth, efficiency, and security. Always.
Let’s change the world together.
Additional Resources
- [1] My Channel Was Deleted Last Night
- [2] Microsoft Entra Conditional Access: Zero Trust Policy Engine - Microsoft Entra ID | Microsoft Learn
- [3] Understanding least privilege with Microsoft Entra ID Governance | Microsoft Learn
- [4] Plan Your Microsoft Entra Conditional Access Deployment - Microsoft Entra ID | Microsoft Learn
- [5] What Is MTTD (Mean Time to Detect) in Cybersecurity