Conditional Access, the good, the bad and the ugly

What do I mean by this? 

Conditional access is a powerful tool within the Microsoft 365 environment. Even when you implement just the basics it provides your tenant with a security baseline. There are some quirks and flaws that I’ll cover in this blog: 

  • The good: You can control the IF and THEN conditions. For example, IF an end-user tries to connect to from a non-compliant device, THEN it should prompt you for MFA. 
    There are a lot of other possible conditional access rules you could implement giving you more control about things as risky sign-in behaviour or the persistent browser mode. I cover this in my conditional access design guide blog: 
  • The bad: Is there anything bad about conditional Access? Yes, there is. When using compliant devices, your devices need to be compliant to pass the conditional access rule. So, you need a compliance policy. Again, not a problem. But for example, a while back there was a problem when you implemented the Bitlocker compliance check as a requirement for your devices being compliant. Simply because Microsoft 365 couldn’t always determine the state of Bitlocker or on your devices. 

Suddenly all your devices were marked non-compliant! Conditional access cut off your access to the company’s data at that point. Of course, there are some settings you can change to help mitigate problems like this. The option to mark the device as not compatible after a few days will ensure your users won’t immediately lose access to their files… Giving you some time to change the compliance requirements. As of right now this Bitlocker check is working correctly again. But you never know what will break next… 

In my opinion, it makes more sense if Microsoft would add the following option to the access controls in conditional access… Next to Hybrid Azure AD joined devices give us the option to also grant access to Azure AD joined devices!  

  • The ugly:  Imagine this scenario:  Your customer wants to migrate to Office365, but without compliant devices. You still want to protect their data. One of the conditional access rules you’ll probably implement is: blocking access from foreign countries. 

In my next blog, I will tell you about the ugly (curse) of the IPV6 Conditional access policy. 

Go and add my blog to your favorites blog sites! 


Using conditional access with compliant devices is the way to go. It’s the only way to put some barriers in front of your Office 365 tenant. But don’t get me wrong, there are definitely some improvements that Microsoft could make.  

Leave a Reply

Your email address will not be published. Required fields are marked *

3  +    =  11