Step-by-Step Guide: Setting Up Entra ID Conditional Access for Small Businesses

Understanding Conditional Access

Conditional Access is Microsoft’s Zero Trust policy engine that evaluates signals from users, devices, and locations to make automated access decisions and enforce organizational policies. Think of it as intelligent “if-then” statements: If a user wants to access a resource, then they must complete an action (like multifactor authentication).

For SMBs using Microsoft 365 Business Premium, Conditional Access provides enterprise-grade security without requiring complex infrastructure, protecting your organization from 99.9% of identity-based attacks.

Prerequisites

• License Requirements: Microsoft 365 Business Premium (includes Entra ID P1) or Microsoft 365 E3/E5
• Admin Role: Conditional Access Administrator or Global Administrator privileges
• Preparation: Ensure all users have registered for MFA before implementing policies
• Emergency Access Account: Create at least one break-glass account excluded from all policies

Phase 1: Initial Setup and Planning (Week 1)

Step 1: Turn Off Security Defaults

1. Navigate to Microsoft Entra admin center (entra.microsoft.com)
2. Go to Entra ID → Properties
3. Select Manage security defaults
4. Toggle Security defaults to Disabled
5. Select My organization is using Conditional Access as the reason
6. Click Save

Important: Only disable security defaults after you’re ready to create Conditional Access policies immediately.

Step 2: Create Emergency Access Accounts

1. Create two cloud-only accounts with complex passwords
2. Assign Global Administrator role to both accounts
3. Store credentials securely (separate locations)
4. Document these accounts for emergency use only
5. Exclude these accounts from ALL Conditional Access policies

Step 3: Access the Conditional Access Portal

1. Sign in to entra.microsoft.com
2. Navigate to Entra ID → Conditional Access
3. Select Policies to view the main dashboard

Phase 2: Create Baseline Policies (Week 1-2)

Policy 1: Require MFA for All Users

1. Click New policy from templates
2. Select Require multifactor authentication for all users template
3. Name your policy: “Baseline: MFA for All Users”
4. Under Assignments:
   • Users: All users
   • Exclude: Select your emergency access accounts
5. Under Target resources:
   • Select All resources (formerly ‘All cloud apps’)
6. Under Access controls → Grant:
   • Select Require multifactor authentication
7. Set Enable policy to Report-only
8. Click Create

Policy 2: Block Legacy Authentication

1. Click New policy from templates
2. Select Block legacy authentication template
3. Name your policy: “Security: Block Legacy Authentication”
4. Under Assignments:
   • Users: All users
   • Exclude: Emergency access accounts
5. Under Conditions → Client apps:
   • Configure: Yes
   • Select Exchange ActiveSync clients and Other clients
6. Under Access controls → Grant:
   • Select Block access
7. Set Enable policy to Report-only
8. Click Create

Policy 3: Require MFA for Administrators

1. Click New policy from templates
2. Select Require multifactor authentication for admins template
3. Name your policy: “Security: MFA for Admin Roles”
4. Under Assignments:
   • Users: Select users and groups
   • Select Directory roles
   • Choose all administrative roles
   • Exclude: Emergency access accounts
5. Under Access controls → Grant:
   • Select Require multifactor authentication
6. Set Enable policy to Report-only
7. Click Create

Phase 3: Testing and Validation (Week 2)

Step 1: Use the What If Tool

1. Navigate to Conditional Access → Policies → What If
2. Enter test scenarios:
   • Select a test user
   • Choose target applications
   • Set device platform and location
3. Click What If to see which policies would apply
4. Review both “Policies that will apply” and “Policies that will not apply”
5. Document results for each test scenario

Step 2: Monitor Report-Only Mode

1. Leave policies in Report-only mode for at least 7 days
2. Navigate to Entra ID → Sign-in logs
3. Filter by Conditional Access = Report-only
4. Review impacts:
   • Check for “Report-only: Success” entries
   • Investigate any “Report-only: Failure” entries
   • Look for “Report-only: User action required” entries
5. Address any issues before enforcement

Step 3: Pilot Testing

1. Create a pilot group with 5-10 users
2. Create a duplicate policy targeting only the pilot group
3. Set this pilot policy to On (enforced)
4. Monitor for 3-5 days
5. Gather feedback from pilot users
6. Address any issues identified

Phase 4: Production Deployment (Week 3)

Step 1: Enable Policies

1. After successful testing, return to each policy
2. Change Enable policy from Report-only to On
3. Start with one policy at a time
4. Wait 2-4 hours between enabling each policy
5. Monitor sign-in logs after each activation

Step 2: Communicate to Users

1. Send announcement email before enforcement
2. Include:
   • What’s changing and when
   • Why it’s important for security
   • What users need to do (register for MFA)
   • Support contact information
3. Provide MFA registration instructions
4. Schedule optional training sessions

Phase 5: Advanced Policies (Week 4+)

Optional: Require Compliant Devices

Only implement after basic policies are stable

1. Create new policy: “Security: Require Compliant Devices”
2. Target high-value applications first
3. Under Grant controls:
   • Select Require device to be marked as compliant
4. Test thoroughly before enforcement

Optional: Location-Based Access

1. Define trusted locations (office IP addresses)
2. Create policies based on location:
   • Block access from specific countries
   • Require MFA when not in trusted location

Troubleshooting Common Issues

Users Can’t Sign In

• Check sign-in logs for specific error messages
• Use What If tool to identify blocking policies
• Verify user has completed MFA registration
• Temporarily exclude user while investigating

Policy Not Applying

• Verify policy is set to “On” not “Report-only”
• Check assignment conditions match user scenario
• Review excluded users and groups
• Wait 1-2 hours for policy propagation

Emergency Rollback

1. Navigate to problematic policy
2. Set Enable policy to Off
3. Or exclude affected users temporarily
4. Document issue for resolution
5. Re-enable after fixing configuration

Training Resources

Microsoft Learn Modules (Free)

• Plan, Implement, and Administer Conditional Access – Comprehensive module with hands-on exercises
• Describe Access Management Capabilities – Beginner-friendly overview
• Get Started with Identity and Access Labs – Interactive labs for hands-on practice
• Perform Basic Identity and Access Tasks – Complete learning path for beginners

Documentation and Guides

• Practical Guide to Security Using Microsoft 365 Business – Comprehensive security guide for SMBs
• Security Checklist for Microsoft 365 Business Premium – Quick reference checklist
• Cybersecurity Playbook for Small Business – Visual guide for Zero Trust implementation
• Plan a Conditional Access Deployment – Microsoft’s official planning guide

Video Resources

• Microsoft 365 Getting Started Video Series – Video tutorials for SMBs
• Microsoft 365 Small Business Help on YouTube – Official Microsoft channel for small business

Best Practices Summary

• ✅ Always maintain emergency access accounts excluded from all policies
• ✅ Test every policy in Report-only mode for at least 7 days
• ✅ Use the What If tool before and after creating policies
• ✅ Start with Microsoft’s template policies – they represent best practices
• ✅ Document all policies and their business justification
• ✅ Monitor sign-in logs regularly for anomalies
• ✅ Communicate changes to users before enforcement
• ✅ Have a rollback plan for every policy
• ✅ Implement policies gradually, not all at once
• ✅ Review and update policies quarterly