How to Restrict Microsoft 365 Access by Location, Device and Risk Using Conditional Access Policies?


In 2026, Multi-Factor Authentication (MFA) is the baseline for every Microsoft 365 account, and Microsoft already enforces it for administrative sign-ins to the Azure portal and the Entra and Intune admin centers. MFA is important, but it does not prevent every unauthorized access situation.

An account can still be used from an unfamiliar location, from a personal device your IT team does not manage, or in a sign-in that shows unusual activity, and MFA on its own does not react to any of these. These situations need stricter access control.

Conditional Access Policies, used along with MFA, control how and when access is granted. They give IT administrators direct control over access decisions.

With Conditional Access, you can set:

  • Who can sign in (specific users, roles, or groups)
  • Where access is allowed from (approved locations, countries, IP ranges)
  • Which devices can be used (company-managed or compliant devices only)
  • Under what risk conditions access is permitted (based on sign-in behaviour or user risk levels)

When these policies are properly configured, access is allowed only when the required conditions are met. This limits access to trusted users, devices, and locations within Microsoft 365.

This guide covers the steps to configure Conditional Access Policies in Microsoft 365 to control access based on location, device compliance, and risk conditions, keeping your business data secure.


Conditional Access Policies in Microsoft 365

Conditional Access is a feature of Microsoft Entra ID (formerly Azure Active Directory) that controls access to Microsoft 365 and connected applications based on specific conditions. It adds additional checks during sign-in by evaluating each access attempt.

When a user attempts to sign in, Conditional Access evaluates:

  • Who is signing in (user identity and group membership)
  • Where the sign-in is coming from (location and IP address)
  • What device is being used (devices approved by your organization or unmanaged devices)
  • Which application is being accessed
  • What level of risk is associated with the sign-in or user account

Based on these signals, Conditional Access enforces the selected action, such as allowing access, requiring MFA, requiring a device approved by your organization, or blocking access completely.

How Conditional Access Policies Are Organized

Each Conditional Access Policy has three main sections. These sections decide who the policy applies to, when it is triggered, and what action is taken.

  • Assignments: who the policy applies to and which apps it covers. Example: all users, selected groups, or guest users accessing Exchange Online.
  • Conditions: the situations that trigger the policy. Example: a sign-in from outside India, an unmanaged device, or a high-risk sign-in.
  • Access Controls: the action taken when the assignments and conditions match. Example: block access, require MFA, or allow access only from compliant devices.

Conditional Access Licensing in Microsoft 365 (2026)

Conditional Access Policies require the right Microsoft Entra ID licensing, and what is available depends on the Microsoft 365 plan:

  • Business Basic / Standard: no Conditional Access at all; neither Entra ID P1 nor Intune is included.
  • Business Premium (includes Entra ID P1 and Intune): basic policies, location-based policies, device control, Continuous Access Evaluation. No sign-in risk or user risk policies.
  • Microsoft 365 E3 (includes Entra ID P1 and Intune): the same controls as Business Premium. Office 365 E3 includes neither Entra ID P1 nor Intune, so both must be bought as add-ons.
  • Microsoft 365 E5 (includes Entra ID P2 and Intune): everything above plus sign-in risk and user risk policies through Microsoft Entra ID Protection.

Organizations on Microsoft 365 Business Basic or Standard cannot use Conditional Access unless they add a standalone Microsoft Entra ID P1 (or P2) license. Business Premium is the lowest Microsoft 365 plan that includes it.

What to Check Before Creating Conditional Access Policies?

Conditional Access Policies can control user sign-in access. An incorrect setup can block access for all users, including administrators. Before creating any policy, complete the steps below.

Step 1: Create an Emergency Access Account

An emergency access account (also known as a break-glass account) is a separate administrator account that is not included in any Conditional Access Policies. It is used only to restore access if other accounts are blocked.

Set up this account with the following:

  • Create a separate, cloud-only account (a *.onmicrosoft.com UPN, not synced from on-premises AD or federated) with Global Administrator rights; Microsoft recommends at least two such accounts
  • Use a long, complex password (or a FIDO2 security key) and keep the credential in a secure offline location
  • Exclude this account from every Conditional Access Policy, including policies still in Report-Only mode
  • Do not use this account for daily work
  • Track sign-ins to this account and set alerts for any usage; any sign-in by it is an incident until proven otherwise
Important: Do not skip this step. A single incorrect policy can block access for every user in Microsoft 365, administrators included, and this account is the recovery path. Even experienced administrators have locked a whole tenant out with a misconfigured policy.
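The two controls above (exclusion from every policy, and alerting on any use) are easy to get wrong silently, so here is an added check script that is not part of the original guide. It uses the Microsoft Graph PowerShell SDK to list every enabled or report-only policy that does not exclude the break-glass account, by user or through one of its groups, and then lists any sign-ins by the account in the last 30 days. The UPN `breakglass-01@contoso.onmicrosoft.com` is an assumed placeholder.

```powershell
# Added example, not part of the original guide: verify that the emergency
# access account is excluded from every Conditional Access policy that can
# enforce anything, then list any recent sign-ins by it. Needs the
# Microsoft.Graph module (Install-Module Microsoft.Graph). The UPN is an
# assumed placeholder; replace it with your own break-glass account.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "User.Read.All", "GroupMember.Read.All" -NoWelcome

$breakGlassUpn = "breakglass-01@contoso.onmicrosoft.com"   # assumed placeholder
$bg = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName

# Groups the account belongs to (transitively), in case a policy excludes it
# through a group rather than by user.
$bgGroups = @(Get-MgUserTransitiveMemberOf -UserId $bg.Id -All).Id

# Report-only policies count too: a policy flipped to On later must already
# carry the exclusion. Only disabled policies are skipped.
$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -eq "disabled") { continue }
    $byUser  = $p.Conditions.Users.ExcludeUsers -contains $bg.Id
    $byGroup = @($p.Conditions.Users.ExcludeGroups | Where-Object { $_ -in $bgGroups }).Count -gt 0
    if (-not ($byUser -or $byGroup)) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State }
    }
}

if ($findings) {
    Write-Warning "Policies that do NOT exclude $($breakGlassUpn):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: $breakGlassUpn is excluded from every enabled and report-only policy."
}

# Any use of the break-glass account is an incident until proven otherwise.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "userId eq '$($bg.Id)' and createdDateTime ge $since"
if ($signIns) {
    Write-Warning "$(@($signIns).Count) sign-in(s) by $breakGlassUpn since $since"
    $signIns | Select-Object CreatedDateTime, IpAddress, AppDisplayName,
        @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } } | Format-Table -AutoSize
} else {
    Write-Host "No sign-ins by $breakGlassUpn in the last 30 days."
}
```

Run this from a scheduled task or pipeline after every policy change; a policy that is created through the portal and forgets the exclusion shows up in the first list before it can ever be switched On.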


Step 2: Check Security Defaults and Existing Policies

Before creating new policies, sign in to the Microsoft Entra admin center, go to Protection → Conditional Access → Policies, review every existing policy, and check whether Security Defaults is currently turned on (Identity → Overview → Properties → Manage security defaults).

Security Defaults and custom Conditional Access Policies cannot run together. If Security Defaults is turned on, turn it off before creating your own policies.

If you enabled Security Defaults earlier during MFA setup, refer to your previous setup guide for the steps followed at that time.

Important: Turning off Security Defaults does not lower security if you set up Conditional Access Policies immediately after. Avoid any gap between turning off Security Defaults and creating your first policy.


Step 3: Use Report-Only Mode First

Every new Conditional Access Policy should be created in Report-Only mode first. In this mode, the policy checks sign-in activity and records what would happen, without applying any action. Users are not blocked and no extra steps are required.

Keep each new policy in Report-Only mode for at least two weeks. Review the results in the sign-in logs under Microsoft Entra ID → Monitoring → Sign-in logs; each sign-in record has a Report-only tab that shows what every report-only policy would have done to that sign-in.

After confirming the policy targets the correct users and conditions, switch the policy mode to On.

Restrict Microsoft 365 Access Based on Location

Location-based Conditional Access policies control access to Microsoft 365 based on where a user signs in from. This is commonly used to reduce the risk of unauthorized access from countries or regions where your organization has no users.

Step 1: Set Named Locations

Named Locations are IP ranges or countries marked as trusted or untrusted in Microsoft Entra ID. Set these before creating the policy, because the policy conditions reference them by name.

Go to: entra.microsoft.com → Protection → Conditional Access → Named locations.

A. Countries (for blocking by country)
  • Click + Countries location
  • Enter a clear name (Example: High-Risk Countries)
  • Select countries where your organization has no users
  • Enable Include unknown countries and regions
  • Click Save

B. IP Ranges (for trusted office network)
  • Click + IP ranges location
  • Enter a clear name (Example: Corporate Office Network)
  • Add your organization’s public IP address or range
  • Select Mark as trusted location
  • Click Save

Expert Tip: Include unknown countries and regions in your high-risk list. Attackers often use VPNs or proxy services that do not map to a clear country. Mark only IP ranges your organization controls as trusted: a trusted location exempts sign-ins from location-based MFA prompts and also lowers the risk score Identity Protection assigns to them, so a shared or carrier NAT range must never be trusted.


Step 2: Create a Location-Based Block Policy

Go to: Protection → Conditional Access → Policies → + New policy
Assignments
  • Users: All users (exclude emergency access account)
  • Target resources: All cloud apps
  • Conditions → Locations: Include High-Risk Countries
Access Controls
  • Grant: Block access
Policy Mode
  • Start with Report-Only
  • Review sign-in logs after two weeks
  • Switch to On after confirming expected results

Expert Tip: If employees travel internationally, avoid blocking full countries. Instead, require MFA for sign-ins outside your main country and block only high-risk locations.


Step 3: Require MFA Outside the Office Network

This policy asks for MFA only when users sign in from outside the office network. Inside the trusted range, users are not prompted repeatedly.

Go to: Protection → Conditional Access → Policies → + New policy
  • Users: All users (exclude emergency access account)
  • Target resources: All cloud apps
  • Conditions → Locations: Include Any location, Exclude Corporate Office Network (the trusted IP range)
  • Grant: Require multi-factor authentication
  • Session: Sign-in frequency: 8 hours
  • Policy Mode: Report-Only for two weeks, then On

This exemption is only as strong as the IP range. Users on a VPN that egresses through the office, or any visitor on the office Wi-Fi, appear to come from the trusted range, so keep the range limited to addresses your organization controls.
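The three steps above are normally done in the portal; as an added example that is not part of the original guide, the same configuration can be scripted with the Microsoft Graph PowerShell SDK so it is reproducible across tenants. The script creates the two named locations and both policies, starting in Report-Only mode. The country codes, the office CIDR `203.0.113.0/24`, the policy names and the break-glass UPN are assumed placeholders.

```powershell
# Added example, not part of the original guide: create the named locations and
# the two location policies from Steps 1-3 with Microsoft Graph PowerShell,
# starting in report-only mode. Country codes, the office CIDR and the
# break-glass UPN are assumed placeholders; replace them with your own.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All" -NoWelcome

$breakGlassId = (Get-MgUser -UserId "breakglass-01@contoso.onmicrosoft.com").Id   # assumed placeholder

# Step 1A: country list, with unknown countries/regions treated as high risk.
# countryLookupMethod "clientIpAddress" is the default GeoIP mapping.
$highRisk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "High-Risk Countries"
    countriesAndRegions               = @("KP", "IR")          # assumed list
    includeUnknownCountriesAndRegions = $true
    countryLookupMethod               = "clientIpAddress"
}

# Step 1B: the office egress range, marked as trusted. "Trusted" also lowers
# the risk score Identity Protection assigns to sign-ins from this range.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate Office Network"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" })  # assumed range
}

# Step 2: block everything from the high-risk list. State is report-only so
# nothing is enforced until the sign-in logs have been reviewed.
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA001 - Block high-risk countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($highRisk.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Step 3: MFA everywhere except the trusted office range, re-prompting every
# 8 hours. Sign-in frequency is a session control, separate from the grant.
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA002 - Require MFA outside office network"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($office.Id) }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = "hours"; value = 8; frequencyInterval = "timeBased" } }
}

# Confirm both landed in report-only mode before anyone touches the portal.
Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -like "CA00*" |
    Select-Object DisplayName, State | Format-Table -AutoSize
```

The state value `enabledForReportingButNotEnforced` is the API name for Report-Only; switching to On later is a single `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled` once the log review is done.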

Restrict Microsoft 365 Access Based on Device Requirements

Device-based policies allow access to Microsoft 365 only from devices approved by your organization. This prevents access from personal devices, outdated systems, or devices without required protections such as disk encryption or antivirus.

Device-based control also connects with Endpoint DLP, which monitors and restricts how sensitive files are used on user devices. For detailed setup, refer to your guide on Microsoft Data Loss Prevention (DLP).

The compliant-device grant requires Microsoft Intune, which is included in Microsoft 365 Business Premium, E3, and E5. The hybrid-joined grant needs no Intune license, only devices joined to on-premises Active Directory and synchronized to Entra ID through Microsoft Entra Connect.


Step 1: Set Device Requirements in Microsoft Intune

Before creating the policy, decide what is considered an approved device in Microsoft Intune.

Go to: intune.microsoft.com → Devices → Compliance policies → + Create policy

For Windows devices:

• Require BitLocker encryption
• Require Secure Boot enabled
• Require antivirus active and reporting to Microsoft Defender
• Set the minimum OS version to a supported Windows 11 build (Windows 10 reached end of support in October 2025, so a Windows 10 minimum no longer keeps devices on a patched OS)
• Actions for noncompliance: mark the device noncompliant after a short grace period (1 day once the rollout has settled; see the tip below for new policies)

For macOS devices:

• Require FileVault disk encryption
• Require firewall enabled
• Set minimum macOS version

For iOS and Android devices:

• Require device lock (PIN or biometric)
• Block jailbroken or rooted devices
• Set minimum OS version

Expert Tip: Set a grace period of 3 to 7 days for new policies. This gives users time to update their devices before access is restricted.


Step 2: Add Devices to Microsoft Intune

Devices must be added to Microsoft Intune before they can be checked against company requirements.

  • Microsoft Entra Join: organization-owned Windows devices. The device connects directly to Microsoft Entra ID during setup or through system settings.
  • Microsoft Entra Hybrid Join: devices already joined to on-premises Active Directory. The device is joined to both on-premises Active Directory and Entra ID.
  • Microsoft Entra Registration: personal devices (BYOD). The user adds their personal device; it is registered, not joined, so only limited access control applies.
  • Intune enrollment (iOS/Android): mobile devices. The user installs the Intune Company Portal app and completes setup.


Step 3: Create the Device-Based Conditional Access Policy

Go to: Protection → Conditional Access → Policies → + New policy
  • Users: All users (exclude emergency access account)
  • Target resources: All cloud apps, or selected apps such as Exchange Online and SharePoint Online
  • Conditions → Device platforms: Windows, macOS, iOS, Android
  • Grant: Require device to be marked as compliant (the Intune compliance verdict set up in Step 1)
  • Grant (alternative): Require Microsoft Entra hybrid joined device (formerly "Hybrid Azure AD joined"); when both are selected, choose Require one of the selected controls so that either satisfies the policy
  • Policy Mode: Report-Only for two weeks, then On

Expert Tip: When this policy is first introduced, many devices may not be added to Intune. Use Report-Only mode to identify these devices and complete setup before switching the policy to On. Enabling it too early can block users on unmanaged devices immediately.
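As an added example that is not part of the original guide, the following script does the two things the tip asks for: it inventories devices that would fail the grant (active in the last 30 days, neither Intune-compliant nor hybrid joined) and then creates the Step 3 policy in Report-Only mode, scoped to Exchange Online and SharePoint Online. The two application IDs are Microsoft's well-known first-party IDs for those services; the break-glass UPN and the policy name are assumed placeholders.

```powershell
# Added example, not part of the original guide: list devices that would fail
# the device policy, then create the policy from Step 3 in report-only mode.
# The break-glass UPN is an assumed placeholder; the app IDs are Microsoft's
# well-known IDs for Office 365 Exchange Online and SharePoint Online.
Connect-MgGraph -Scopes "Device.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

# Inventory of devices the grant below would reject. TrustType "ServerAd"
# means Microsoft Entra hybrid joined; IsCompliant is Intune's verdict.
$cutoff = (Get-Date).AddDays(-30)
$atRisk = Get-MgDevice -All -Property Id, DisplayName, OperatingSystem, TrustType, IsCompliant, IsManaged, ApproximateLastSignInDateTime |
    Where-Object { $_.ApproximateLastSignInDateTime -gt $cutoff -and -not $_.IsCompliant -and $_.TrustType -ne "ServerAd" }
"$(@($atRisk).Count) active device(s) would be blocked by a compliant-or-hybrid-joined grant:"
$atRisk | Select-Object DisplayName, OperatingSystem, TrustType, IsManaged, ApproximateLastSignInDateTime | Format-Table -AutoSize

$breakGlassId = (Get-MgUser -UserId "breakglass-01@contoso.onmicrosoft.com").Id   # assumed placeholder

# Grant operator OR: either control satisfies the policy. AND would demand
# compliance *and* hybrid join, which cloud-only or personal devices cannot meet.
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA020 - Require compliant or hybrid joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @(
            "00000002-0000-0ff1-ce00-000000000000",   # Office 365 Exchange Online
            "00000003-0000-0ff1-ce00-000000000000"    # Office 365 SharePoint Online
        ) }
        platforms    = @{ includePlatforms = @("windows", "macOS", "iOS", "android") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq "CA020 - Require compliant or hybrid joined device" |
    Select-Object DisplayName, State
```

The inventory list is the work queue for the rollout: every device on it must be enrolled (or retired) before the policy state changes from report-only to enabled, otherwise its user is blocked on the day of the switch.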

Managing Personal Devices (BYOD)

Organizations that support employees using personal devices for work need a separate policy. Blocking all unmanaged devices may not suit every business. Instead, access to Microsoft 365 from personal devices can be limited with specific restrictions.

For personal devices that are not added under full Microsoft Intune control, use App Protection Policies (also known as MAM without enrollment), and pair them with a Conditional Access policy whose grant is Require app protection policy, so that only the protected Microsoft 365 apps can reach company data from those devices.

  • Require a PIN to open Microsoft 365 apps on personal devices
  • Restrict copy and paste between Microsoft 365 apps and personal apps
  • Allow removal of Microsoft 365 data without affecting personal data
  • Block saving Microsoft 365 files to personal storage such as personal OneDrive or Google Drive

Restrict Microsoft 365 Access Based on User and Sign-In Risk

Risk-based Conditional Access Policies use Microsoft Entra ID Protection to identify and respond to suspicious sign-in activity. This requires Microsoft 365 E5 or Entra ID P2 licensing.

Microsoft Entra ID Protection continuously reviews sign-in activity and assigns a risk level to each sign-in and user account based on patterns and behaviour.

Common risk signals, with an example of each:

  • Impossible (atypical) travel: a user signs in from India and then from the United States within one hour
  • Anonymous IP address: the sign-in comes from a known anonymizing proxy or VPN service
  • Leaked credentials: the user's password is found in a known breach dump
  • Malware-linked IP: the sign-in comes from an IP linked to botnet or malware activity
  • Unfamiliar sign-in properties: a sign-in from a device, browser, or location not seen before for that user
  • Password spray: many failed sign-in attempts across accounts from one IP


Step 1: Create a Sign-In Risk Policy

This policy adds extra checks when a specific sign-in is marked as risky, without affecting the full user account.


Go to: Protection → Conditional Access → Policies → + New policy

  • Users: All users (exclude emergency access account)
  • Target resources: All cloud apps
  • Conditions → Sign-in risk: Medium and High
  • Grant: Require multi-factor authentication
  • Session: Sign-in frequency: Every time
  • Policy Mode: Report-Only for two weeks, then On

Expert Tip: Start with Medium and above. Setting it too low can trigger frequent MFA prompts during normal usage. Review activity for a few weeks before adjusting.


Step 2: Create a User Risk Policy

This policy is triggered when a user account is flagged as at risk, not just a single sign-in.

Go to: Protection → Conditional Access → Policies → + New policy

  • Users: All users (exclude emergency access account)
  • Target resources: All cloud apps
  • Conditions → User risk: High
  • Grant: Require multi-factor authentication and Require password change, with Require all the selected controls (the password-change control is only accepted in combination with MFA)
  • Policy Mode: Report-Only for two weeks, then On

When triggered, the user must complete MFA and change their password before access is granted again. A completed password change also clears the user's risk state, so the account is remediated without waiting for an administrator.

Expert Tip: Enable Self-Service Password Reset (SSPR) before using this policy, and for accounts synced from on-premises Active Directory enable password writeback in Microsoft Entra Connect. Without both, users cannot complete the password change on their own and stay locked out until an administrator resets them.


Step 3: Review Identity Protection Reports

After enabling these policies, review reports regularly in Microsoft Entra admin center.

Go to:entra.microsoft.com → Protection → Identity Protection

  • Risky sign-ins report – Shows sign-ins marked with risk levels and the reason
  • Risky users report – Shows user accounts currently marked as at risk
  • Risk detections report – Shows detected signals such as leaked credentials or impossible travel
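As an added example that is not part of the original guide, the two risk policies from Steps 1 and 2 and the Step 3 review can be scripted together with the Microsoft Graph PowerShell SDK. The script creates both policies in Report-Only mode and then lists the accounts Identity Protection currently marks as high risk. It requires Microsoft Entra ID P2; the break-glass UPN and the policy names are assumed placeholders.

```powershell
# Added example, not part of the original guide: the sign-in risk and user
# risk policies from Steps 1 and 2 in report-only mode, followed by the
# Step 3 check of accounts currently flagged as high risk. Requires Microsoft
# Entra ID P2; the break-glass UPN is an assumed placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "IdentityRiskyUser.Read.All" -NoWelcome

$breakGlassId = (Get-MgUser -UserId "breakglass-01@contoso.onmicrosoft.com").Id   # assumed placeholder
$scope = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    applications = @{ includeApplications = @("All") }
}

# Step 1: medium or high sign-in risk -> MFA on every such sign-in. The
# "everyTime" frequency means a cached MFA claim does not satisfy a risky sign-in.
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA030 - Sign-in risk medium+ requires MFA"
    state           = "enabledForReportingButNotEnforced"
    conditions      = $scope + @{ signInRiskLevels = @("high", "medium") }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ signInFrequency = @{
        isEnabled = $true; frequencyInterval = "everyTime"; authenticationType = "primaryAndSecondaryAuthentication" } }
}

# Step 2: high user risk -> MFA AND password change. The API rejects
# passwordChange unless mfa is also listed and the operator is AND.
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA031 - User risk high requires password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ userRiskLevels = @("high") }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

# Step 3: who is at risk right now, and why. riskState 'atRisk' leaves out
# users already remediated or dismissed by an administrator.
Get-MgRiskyUser -All -Filter "riskState eq 'atRisk' and riskLevel eq 'high'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime, RiskDetail | Format-Table -AutoSize
```

While the user-risk policy is still in Report-Only mode, the list from Step 3 is the set of accounts an administrator must remediate by hand (password reset, session revocation); once the policy is On, those users remediate themselves at next sign-in.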

Additional Conditional Access Policies for 2026

Additional Conditional Access Policies handle common security gaps not included in default settings. They control high-risk access points and add more control over access.


Block Legacy Authentication Protocols

Legacy (basic) authentication, used by older POP3, IMAP, SMTP AUTH and ActiveSync clients, sends only a username and password and cannot complete MFA, so any account reachable this way is effectively unprotected and a common entry point for password-spray attacks. Microsoft has already turned Basic Authentication off for most Exchange Online protocols, but a Conditional Access block still covers any remaining client and applies tenant-wide. In 2026, organizations should block legacy authentication completely.

Blocking legacy authentication through Conditional Access controls access at the sign-in level. For email-level controls such as attachment filtering, impersonation detection, and outbound data protection, refer to your guide on Microsoft 365 mail flow rules.

  • Users: All users (exclude emergency access account)
  • Target resources: All cloud apps
  • Conditions → Client apps: Exchange ActiveSync clients and Other clients only (leave Browser and Mobile apps and desktop clients unselected)
  • Grant: Block access
  • Policy mode: Report-Only for two weeks, then On

Expert Tip: Before blocking, use Report-Only mode and review sign-in logs filtered by client apps (Exchange ActiveSync and Other clients). This identifies systems like printers, scanners, or older applications still using these protocols. Update or replace them before enabling the block.
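The review the tip describes is easier from a script than from the portal filter, so here is an added example that is not part of the original guide. It pulls two weeks of sign-ins through the Microsoft Graph PowerShell SDK, keeps those whose client is anything other than "Browser" or "Mobile Apps and Desktop clients" (that is how Microsoft's own legacy-authentication workbook classifies them), groups them by client and account, and then creates the block policy in Report-Only mode. The break-glass UPN and the policy name are assumed placeholders.

```powershell
# Added example, not part of the original guide: find which accounts still use
# legacy authentication before blocking it, then create the block policy in
# report-only mode. Anything whose clientAppUsed is not "Browser" or "Mobile
# Apps and Desktop clients" is legacy (IMAP4, POP3, Authenticated SMTP,
# Exchange ActiveSync, Other clients, ...). The break-glass UPN is an assumed placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

$since  = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")

# Two weeks of sign-ins can be large on a big tenant; shrink the window or add
# "and status/errorCode eq 0" to the filter to keep only successful sign-ins.
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modern) }

"Legacy-authentication sign-ins since $($since):"
$legacy | Group-Object ClientAppUsed, UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = "ClientApp"; e = { $_.Values[0] } },
        @{ n = "User";      e = { $_.Values[1] } },
        @{ n = "LastIp";    e = { @($_.Group | Sort-Object CreatedDateTime)[-1].IpAddress } } |
    Format-Table -AutoSize

$breakGlassId = (Get-MgUser -UserId "breakglass-01@contoso.onmicrosoft.com").Id   # assumed placeholder

# clientAppTypes lists only the two legacy buckets, so browser and modern
# desktop/mobile clients are untouched by this policy.
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA040 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

The LastIp column is what identifies the printers, scanners and line-of-business servers the tip mentions: a service account signing in over Authenticated SMTP from one internal address every few minutes is a device to reconfigure, not a user to retrain.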


Require MFA for Administrator Accounts

Administrator accounts have higher access and are common targets. All administrator accounts should require MFA on every sign-in, regardless of location or device.
  • Users: Select directory roles: Global Administrator, Exchange Administrator, SharePoint Administrator, User Administrator, and other privileged roles (exclude the emergency access account)
  • Target resources: All cloud apps
  • Grant: Require multi-factor authentication; where the tenant supports it, prefer Require authentication strength → Phishing-resistant MFA (FIDO2 security keys, passkeys, or certificate-based authentication) for these roles
  • Session: Sign-in frequency: Every time
  • Policy mode: On (apply immediately, after confirming with the What If tool that your own admin account and the emergency access account behave as expected)


Restrict Access for Guest and External Users

Guest accounts used for external collaboration with clients, vendors, or contractors should have limited access. A common setup requires MFA and limits access to selected applications.
  • Users: Guest and external users
  • Target resources: All cloud apps, or only the apps approved for external use
  • Grant: Require multi-factor authentication
  • Grant (additional): Require acceptance of terms of use. Require device to be marked as compliant only works for guests when cross-tenant access settings trust the partner tenant's compliance claims; otherwise every guest is simply blocked
  • Policy mode: Report-Only for two weeks, then On

Test, Monitor, and Maintain Conditional Access Policies

Test policies before enabling them, review sign-in activity regularly, and keep policies updated as changes happen. This keeps access controlled and avoids unexpected blocks.


Step 1: Use the What If Tool

Before switching any policy from Report-Only to On, use the What If tool in Microsoft Entra ID to check how policies apply to specific users and sign-in conditions.

Go to: entra.microsoft.com → Protection → Conditional Access → What If

  • Enter a specific user account
  • Set sign-in conditions (location, device platform, IP address, client app, sign-in risk)
  • Review which policies apply and the expected result

This gives a clear view of policy results before enabling them. Run it for the emergency access account as well; the expected result there is that no policy applies.


Step 2: Review Sign-In Logs

After policies are active, review sign-in logs regularly to track activity and identify unexpected blocks.

Go to: entra.microsoft.com → Monitoring → Sign-in logs

  • Filter by Status: Failure to find blocked sign-ins
  • Filter by Conditional Access: Failure to identify which policy caused the block
  • Open a record and check the Conditional Access tab to see every applied policy and its result; the Report-only tab shows what policies still in Report-Only mode would have done to that sign-in
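As an added example that is not part of the original guide, the same review can be scripted with the Microsoft Graph PowerShell SDK. One pull of a week of sign-ins is used twice: first to count sign-ins that enforced policies actually blocked and which policy did it, then to show what the policies still in Report-Only mode would have blocked, which is the evidence needed before switching any of them On. The seven-day window is an assumption; widen it to match the two-week Report-Only period.

```powershell
# Added example, not part of the original guide: review enforced blocks and
# report-only outcomes from the sign-in logs. The window length is an assumption.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$recent = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# Flatten to one row per (sign-in, applied policy) pair. Result values include
# success, failure, notApplied, reportOnlySuccess, reportOnlyFailure,
# reportOnlyInterrupted and reportOnlyNotApplied.
$rows = foreach ($s in $recent) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        [pscustomobject]@{
            Time   = $s.CreatedDateTime
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            Ip     = $s.IpAddress
            Policy = $p.DisplayName
            Result = $p.Result
        }
    }
}

"Blocks by enforced policies since $($since):"
$rows | Where-Object Result -eq "failure" | Group-Object Policy |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

"Sign-ins that report-only policies would have blocked or interrupted:"
$rows | Where-Object { $_.Result -in @("reportOnlyFailure", "reportOnlyInterrupted") } |
    Group-Object Policy | Sort-Object Count -Descending | ForEach-Object {
        "`n$($_.Name): $($_.Count) sign-in(s)"
        $_.Group | Sort-Object Time -Descending | Select-Object -First 10 Time, User, App, Ip |
            Format-Table -AutoSize | Out-String
    }

# Distinct users a report-only block would have affected; each one needs an
# explanation (travelling, unmanaged device, legacy client) before the switch.
"Users affected by report-only failures:"
$rows | Where-Object Result -eq "reportOnlyFailure" | Select-Object -ExpandProperty User -Unique
```

A report-only policy whose failure list is dominated by a handful of service accounts or one office egress address usually points at a missing exclusion or a named location that was never created, not at users who need to be blocked.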


Step 3: Set a Review Schedule

Conditional Access Policies need regular updates as your organization changes.
  • New employee joining: confirm they are in the correct groups and policies
  • Employee leaving: disable the account and revoke active sessions
  • New application added: update existing policies or create a new one
  • New office location: add the IP range as a trusted named location
  • Microsoft 365 plan upgrade: review the new features and update policies
  • Every 6 months: review all policies, named locations, and device requirements

How Conditional Access Connects With Other Microsoft 365 Security Tools?

Conditional Access is part of the Microsoft 365 security setup. When used with other tools, it controls access and supports data protection for users, devices, and applications.
  • Mandatory MFA confirms user identity during sign-in; Conditional Access decides when and how MFA is required based on location, device, and risk.
  • Microsoft DLP protects sensitive data from being shared or leaked; Conditional Access limits which users and devices can reach that data in the first place.
  • Mail Flow Rules control and filter email at the transport level; Conditional Access restricts unauthorized access to Exchange Online before mailbox access begins.
  • Conditional Access itself controls access based on location, device, and risk, and ties the other tools together by gating access before any system or data is reached.

Microsoft 365 Security with Netstager Technologies

Creating individual Conditional Access Policies is manageable. Keeping policies aligned with changes in users, devices, and applications, and avoiding access issues, requires regular review.

In many cases, problems are linked to policies left in Report-Only mode, incorrect user or app selection, emergency access accounts not excluded, or policies not updated after changes.


After Setup: What Needs Regular Review

Even after policies are active, the following points need attention:
  • Policy overlap – New policies can override or interfere with existing ones
  • Licensing changes – Plan updates can change available controls
  • New applications – Each new app should be reviewed and added to policies
  • Guest access growth – External user access should be reviewed regularly
  • Regulatory requirements – Changes in GDPR, HIPAA, or local data rules may require updates

Netstager Technologies, an authorized Microsoft 365 partner in Kerala, manages Conditional Access from initial review through setup, testing, and ongoing updates.

Our Conditional Access Services Include

  • Security Baseline Assessment: review of your Microsoft 365 tenant, existing policies, named locations, and licensing to identify gaps before new policies are created.
  • Policy Setup and Configuration: creation of location-based, device-based, and risk-based policies aligned with your business needs, user groups, and Microsoft 365 plan.
  • Intune Device Setup and Requirements: configuration of Microsoft Intune policies for Windows, macOS, iOS, and Android, including device setup and App Protection Policies for BYOD.
  • Testing and Validation: policy testing using Report-Only mode, the What If tool, and sign-in logs before enabling policies, so valid users are not blocked.
  • Ongoing Monitoring and Updates: regular review of policy activity, sign-in logs, and Identity Protection reports, with updates based on changes in users, apps, locations, or Microsoft 365 plans.

To start, migrate, or maintain your Microsoft 365 setup, connect with Netstager Technologies.

+91 844 844 0112