Microsoft Entra Conditional Access: 8 Policies Every Texas SMB Needs in 2026
Conditional Access is the single highest-leverage security control inside Microsoft Entra. These eight baseline policies form the 2026 minimum for any Texas SMB running Microsoft 365.
Introduction
Conditional Access is the most powerful identity control inside Microsoft Entra ID — and the most underconfigured. Microsoft's 2025 Digital Defense Report found that over 99% of identity attacks could be blocked by basic Conditional Access policies that take an administrator under an hour to configure. Yet a majority of Texas SMBs still run Entra in default-allow mode.
This is the eight-policy baseline a Houston M365 managed services provider deploys on day one of every engagement.
Why Default Entra Settings Are Inadequate in 2026
Out of the box, an Entra tenant accepts sign-ins from anywhere in the world, on any device. Security defaults (on in new tenants) require MFA registration and block legacy authentication, but the second factor is usually an Authenticator push or an SMS code, and there is no control over device posture, location, session lifetime, or sign-in risk. After 2024-2025, that posture is indefensible: adversary-in-the-middle (AiTM) phishing proxies relay the password and the push approval or SMS code in real time, push-bombing wears users down until they tap Approve, and SIM swaps capture SMS codes outright. Conditional Access closes those gaps by making each of those conditions part of the access decision.
Policy 1: Block Legacy Authentication
Legacy authentication means clients that send a username and password (Basic authentication) over protocols such as IMAP4, POP3, SMTP AUTH, Exchange ActiveSync, EWS, MAPI over HTTP and older Outlook builds, instead of obtaining an OAuth token. Those sign-ins never see an MFA prompt, which is why password spray and credential stuffing target them first. Exchange Online turned Basic authentication off for all tenants at the end of 2022 and security defaults block legacy authentication, but SMTP AUTH can still be re-enabled per mailbox, and security defaults have to be switched off before you can create your first Conditional Access policy. An explicit Conditional Access policy that blocks the "Exchange ActiveSync clients" and "Other clients" app types is the durable, auditable control, whatever the tenant's age.
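The policy above expressed in Microsoft Graph PowerShell, as an added example that is not part of the original article: it first lists which legacy clients actually signed in during the last seven days (so you know what will break), then creates the block policy in report-only mode with the break-glass group excluded. The group name `SG-CA-BreakGlass` and the policy display name are assumptions, not names from the article.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph PowerShell
# modules and a Conditional Access Administrator. The break-glass group name is hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "Group.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. Measure before you block. Modern-auth sign-ins report clientAppUsed as "Browser" or
#    "Mobile Apps and Desktop clients"; everything else (IMAP4, POP3, Authenticated SMTP,
#    Exchange ActiveSync, Other clients, ...) will fail once this policy is enforced.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object ClientAppUsed, UserPrincipalName -NoElement |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Resolve the break-glass exclusion group (hypothetical name). No group, no policy.
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-CA-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying any CA policy." }

# 3. Policy 1. Conditional Access represents legacy (Basic) authentication as the
#    "exchangeActiveSync" and "other" client app types; blocking both is the standard rule.
$policy = @{
    displayName = "CA001 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # report-only first, "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The sign-in log query is the step most teams skip: a shared mailbox still polled by an MFP scanner over SMTP AUTH is a typical find, and it is far cheaper to fix before the policy is switched to enabled.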
Policy 2: Require MFA for All Users
Yes, all of them. Service accounts are migrated to managed identities or certificate-based workload identities; an interactive account with a password and no second factor is not an option. Break-glass accounts are excluded from this policy (see Common Mistakes) and protected with FIDO2 security keys locked in a fireproof safe. Everyone else gets MFA with Microsoft Authenticator, with number matching turned on to blunt push-bombing. Be precise about what that buys: number matching is not phishing resistance, because an AiTM proxy still relays the prompt and the user still approves it. Where the user population can manage it, prefer passkeys (FIDO2 security keys, Windows Hello for Business, or device-bound passkeys in the Authenticator app), which are bound to the legitimate login origin and cannot be relayed.
Policy 3: Require Phishing-Resistant MFA for Administrators
Global Admin, Privileged Role Admin, Privileged Authentication Admin, Application Admin, Conditional Access Admin, Authentication Policy Admin, Helpdesk Admin, Security Admin: every privileged role is required to meet the built-in "Phishing-resistant MFA" authentication strength (FIDO2 security keys, Windows Hello for Business, device-bound passkeys, or certificate-based authentication), not a push notification. The cost is roughly $40 per administrator for a key and about 30 minutes of enrollment time. The benefit is that credential phishing, AiTM proxies included, stops working against the highest-value accounts in the tenant: a FIDO2 assertion is bound to the real login origin and cannot be replayed from an attacker's domain.
Policy 4: Require Compliant or Hybrid-Joined Device for M365 Apps
An AiTM proxy relays the victim's password and MFA from the attacker's infrastructure, which carries no Intune-enrolled device identity, so a policy requiring a compliant or Entra hybrid joined device denies the sign-in before any session cookie is issued. This ties access to device posture managed by Intune. Know the limits: a cookie stolen from a managed device itself (for example by an infostealer) is still replayable, and a Mac or Linux machine only counts as compliant if it is enrolled in Intune with a compliance policy, so inventory unmanaged endpoints first. For Texas SMBs that already run Intune-managed M365 deployments, this policy is configuration-only, with no additional licensing.
Policy 5: Block Sign-In from High-Risk Countries
Most Texas SMBs do no business in Russia, North Korea, China, Iran, Belarus, or Cuba. Create a countries/regions named location for those geographies, tick "include unknown countries/regions" so that IPs with no mapping are not silently allowed, and block sign-ins from it. Be clear about what this buys: attackers routinely sign in through US residential proxies, so geo-blocking is a cheap noise filter, not a control against a determined adversary. Still, an honest mistake from a traveling employee is a help-desk ticket; account compromise from a state-sponsored attacker is an incident.
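Policy 5 is two objects, a named location and a policy that references it, which is why it is easy to create the policy with an empty location list and block nothing. The Graph PowerShell version below is an added example, not code from the article; the group and display names are assumptions, and the country codes are the ISO 3166-1 alpha-2 codes for the six countries named above.

```powershell
# Added example (not from the original article). Break-glass group name is hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Step 1: the named location. includeUnknownCountriesAndRegions = $true means an IP the
# geo database cannot place is treated as inside the blocked set, not outside it.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked countries"
    countriesAndRegions               = @("RU", "KP", "CN", "IR", "BY", "CU")
    includeUnknownCountriesAndRegions = $true
    countryLookupMethod               = "clientIpAddress"
}

$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-CA-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying any CA policy." }

# Step 2: the policy. Note the location condition references the object created above;
# the Id is only known after step 1 succeeds.
$policy = @{
    displayName = "CA005 - Block sign-in from high-risk countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Keep the break-glass exclusion even here: a compromised admin who changes the location list to include the United States would otherwise lock out every account that could undo the change.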
Policy 6: Require Compliant Device for Privileged Roles
Layered with Policy 3: sign-ins by members of privileged roles require both phishing-resistant MFA and an Intune-compliant device, combined in the grant controls with "Require all the selected controls" rather than "Require one of the selected controls". If you use PIM, attach the same requirement to role activation through an authentication context. Combined, these two controls mean an attacker needs the administrator's hardware key and a managed device, not just a phished session.
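Policies 3 and 6 as one Conditional Access policy, as an added example that is not part of the original article. Role template IDs are resolved by display name rather than pasted as GUIDs, and the grant operator is AND so both controls must be satisfied. The break-glass group name and the policy display name are assumptions.

```powershell
# Added example (not from the original article). Break-glass group name is hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "Group.Read.All", "RoleManagement.Read.Directory"

# The eight roles from Policy 3. Resolving by name fails loudly on a typo instead of
# silently targeting the wrong role.
$roleNames = @(
    "Global Administrator", "Privileged Role Administrator", "Privileged Authentication Administrator",
    "Application Administrator", "Conditional Access Administrator", "Authentication Policy Administrator",
    "Security Administrator", "Helpdesk Administrator"
)
$templates = @(Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $roleNames })
if ($templates.Count -ne $roleNames.Count) {
    $missing = $roleNames | Where-Object { $_ -notin $templates.DisplayName }
    throw "Role template(s) not found: $($missing -join ', ')"
}

$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-CA-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying any CA policy." }

# Built-in authentication strength IDs are the same in every tenant:
#   ...0002 Multifactor authentication, ...0003 Passwordless MFA, ...0004 Phishing-resistant MFA
$phishingResistant = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName = "CA003 - Admins: phishing-resistant MFA AND compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeRoles = @($templates.Id); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "AND"                  # Policy 6: both controls, not either
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $phishingResistant }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Deploy this one in report-only for the full two weeks: any administrator who has not yet enrolled a key, or whose workstation is not yet Intune-compliant, shows up as a report-only failure rather than as a locked-out admin.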
Policy 7: Block High-Risk Sign-Ins (Entra ID Protection)
Entra ID Protection (P2 license tier) scores each sign-in, in real time and offline, on signals such as anonymous or malicious IP addresses, unfamiliar sign-in properties, atypical travel and password spray, and maintains a separate user risk level fed by leaked credentials and anomalous account behaviour. Block sign-ins flagged High sign-in risk; for High user risk, require a secure password change or block the account. For SMBs without P2, the risk-based Conditional Access conditions are not available; P1 tenants still see which sign-ins and users were flagged, without the detection detail, so the workaround is a scheduled weekly review of the risky sign-ins and risky users reports.
Policy 8: Session Lifetime Controls
The Entra default for sign-in frequency is a rolling 90-day window: as long as the user keeps using the session, they are not asked to authenticate again. For most users that is far too long. Set sign-in frequency to 24 hours for general users and 4 hours for administrators in browsers, disable persistent browser sessions ("stay signed in") for administrators, and require fresh authentication every time for sensitive actions such as registering security information (adding MFA methods) and for any app that handles payments. Keep the user-facing cost in mind: every extra prompt trains users to approve prompts, which is why this is the last policy in the sequence and why administrators, not the whole company, get the aggressive setting.
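Sign-in frequency and persistent browser are session controls set per policy, so Policy 8 becomes three policies. The Graph PowerShell below is an added example, not code from the article; the group names `SG-CA-BreakGlass` and `SG-Admins` and the policy display names are assumptions (a directory-roles condition as in Policy 3 works equally well to scope the administrator policy).

```powershell
# Added example (not from the original article). Group names are hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-CA-BreakGlass'"
$admins     = Get-MgGroup -Filter "displayName eq 'SG-Admins'"
if (-not $breakGlass -or -not $admins) { throw "Break-glass and admin groups must exist first." }

# A policy may carry session controls only; no grant control is needed.
function New-CaSessionPolicy([string]$DisplayName, [hashtable]$Conditions, [hashtable]$SessionControls) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName     = $DisplayName
        state           = "enabledForReportingButNotEnforced"
        conditions      = $Conditions
        sessionControls = $SessionControls
    }
}

# 8a. General users: re-authenticate every 24 hours across all apps. Admins are excluded
#     here because 8b gives them a stricter value, and CA applies the most restrictive policy anyway.
New-CaSessionPolicy "CA008a - Sign-in frequency 24h (users)" @{
    users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id, $admins.Id) }
    applications = @{ includeApplications = @("All") }
} @{
    signInFrequency = @{ isEnabled = $true; frequencyInterval = "timeBased"; type = "hours"; value = 24 }
}

# 8b. Administrators in browsers: 4 hours and never a persistent session.
#     The persistent-browser control requires the policy to target all cloud apps.
New-CaSessionPolicy "CA008b - Sign-in frequency 4h, no persistent browser (admins)" @{
    users          = @{ includeGroups = @($admins.Id); excludeGroups = @($breakGlass.Id) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("browser")
} @{
    signInFrequency   = @{ isEnabled = $true; frequencyInterval = "timeBased"; type = "hours"; value = 4 }
    persistentBrowser = @{ isEnabled = $true; mode = "never" }
}

# 8c. Registering security info (adding an MFA method) always requires a fresh first
#     and second factor, so a hijacked session cannot enrol the attacker's own authenticator.
New-CaSessionPolicy "CA008c - Reauthenticate to register security info" @{
    users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
    applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
} @{
    signInFrequency = @{ isEnabled = $true; frequencyInterval = "everyTime"; authenticationType = "primaryAndSecondaryAuthentication" }
}
```

Policy 8c is the one that directly counters the post-compromise move of an AiTM attacker, which is to add their own authenticator to the victim's account while the stolen session is still valid.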
Common Mistakes
- Forgetting break-glass accounts. Always exclude two cloud-only (onmicrosoft.com) Global Admin accounts from every Conditional Access policy, protect each with its own FIDO2 key stored offline, and alert on any sign-in by them, because a legitimate use is rare and a silent one is a compromise. If your CA configuration locks you out, you need a way back in.
- Not testing in report-only mode first. Every new policy should sit in Report-Only for 1-2 weeks. Review the sign-in logs (the Report-only tab, result "Report-only: Failure") to find legitimate users who would have been blocked.
- Excluding 'just one user' permanently. Temporary exceptions become permanent backdoors. Every exception gets an expiration date and a quarterly review.
Implementation Sequence
- Inventory privileged accounts and break-glass procedure
- Deploy Policies 1, 2, 5 in Report-Only mode, monitor for 1 week
- Convert to Enforce, then deploy Policies 3, 4, 6 for administrators
- Deploy Policy 7 if you have P2; else schedule weekly risky sign-in review
- Deploy Policy 8 last (most user-facing change)
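The report-only review and the switch to Enforce from the sequence above, as an added example that is not part of the original article: it pulls the last seven days of sign-ins, lists every sign-in a named report-only policy would have blocked, and enables the policy only when that list is empty or has been reviewed. The policy display name matches the naming assumed in the earlier examples and is itself an assumption.

```powershell
# Added example (not from the original article). Policy display names are hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "AuditLog.Read.All", "Directory.Read.All"

# Every sign-in record carries the per-policy verdicts; "reportOnlyFailure" is the verdict
# a policy in report-only mode records when it would have blocked the sign-in.
function Get-ReportOnlyFailures([string]$PolicyName, [int]$Days = 7) {
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq "reportOnlyFailure" } |
            ForEach-Object {
                [pscustomobject]@{
                    When   = $signIn.CreatedDateTime
                    User   = $signIn.UserPrincipalName
                    App    = $signIn.AppDisplayName
                    Client = $signIn.ClientAppUsed
                    IP     = $signIn.IpAddress
                }
            }
    }
}

# Flip a policy from report-only to enabled, refusing if unreviewed failures exist.
function Enable-CaPolicy([string]$PolicyName, [switch]$Force) {
    $policy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $PolicyName
    if (-not $policy) { throw "No Conditional Access policy named '$PolicyName'" }

    $failures = @(Get-ReportOnlyFailures -PolicyName $PolicyName)
    if ($failures.Count -gt 0 -and -not $Force) {
        Write-Warning "$($failures.Count) sign-in(s) in the last 7 days would have been blocked by '$PolicyName'."
        $failures | Sort-Object When -Descending | Format-Table -AutoSize
        Write-Warning "Fix or exclude the legitimate cases, then rerun with -Force."
        return
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
    Write-Host "Enabled '$PolicyName'"
}

# First wave of the sequence: Policies 1, 2 and 5, one at a time.
Enable-CaPolicy "CA001 - Block legacy authentication"
```

Run the review for each policy separately: a user who fails the legacy-auth policy needs a client upgrade, while one who fails the geo policy is usually traveling, and the remediation differs.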
For full-stack M365 hardening context, see our MFA bypass guide, our PAM service overview, and the 2026 Texas SMB Benchmark Report.