Try this first
- 1Check your license: Conditional Access requires Entra ID P1 or higher (included in Microsoft 365 Business Premium and up). On Business Standard you only have Security Defaults.
- 2Start with one policy: 'MFA required for all users, except from trusted IP'. Usually enough for a SMB.
- 3Add: 'Block sign-in from countries where we do not operate'. Limit to e.g. NL, BE, DE. Vacation exceptions happen once every six months, manageable.
- 4Test in 'Report-only' mode first (Entra > Conditional Access > create policy > 'Report-only'). It logs what would happen without actually blocking.
- 5Only flip to 'On' after two weeks of Report-only without weird hits.
When to bring us in
Conditional Access can lock you out hard if you misconfigure, including admins. First-time setup is not a solo job. We deliver a baseline set of policies that works for 90% of SMBs.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.