The One Microsoft 365 Setting That Stops 90% of Credential Attacks. Most Irish SMEs Have Never Turned It On.

A member of your team has their Microsoft 365 password stolen. It happens in an infostealer infection on their home laptop, or in a phishing email they click at 11pm on a Wednesday. By Thursday morning, an attacker is logged into your Microsoft 365 tenant from an IP address in Eastern Europe, reading email, accessing SharePoint, and looking for anything useful.

Conditional Access would have stopped that login. The policy sees an unfamiliar location, an unmanaged device, and no compliant status — and it blocks access before the attacker gets in. Your team member gets a notification. You get an alert. The attacker gets nothing.

Conditional Access is included in Microsoft 365 Business Premium. The majority of Irish SMEs have never configured a single policy.

What Is Conditional Access?

Conditional Access is a Microsoft 365 feature that evaluates the context of every login attempt — who is logging in, from what device, from what location, at what time — and applies rules that determine whether that login is permitted, blocked, or required to complete additional verification.

It is the difference between a lock that only asks for a key and a lock that also checks whether you are standing in the right place, holding a recognised device, and arriving at a reasonable hour. A stolen password alone does not satisfy all of those conditions.

The Current Situation for Irish SMEs

• Microsoft reports that Conditional Access policies block over 90% of identity-based attacks when correctly configured [^1]
• The majority of Microsoft 365 Business Premium licences in Ireland are deployed without any Conditional Access policies — the feature is available but inactive
• Credential-based attacks are the leading initial access method in Irish incidents recorded by the NCSC Ireland, accounting for the majority of business email compromise cases [^2]
• Infostealer malware — which specifically targets Microsoft 365 session tokens and passwords — infected 5.8 million devices globally in the first half of 2025 alone
• Every Irish SME running Microsoft 365 without Conditional Access is relying on password strength and MFA alone — both of which have known bypass methods

The feature costs nothing additional for Business Premium subscribers. The gap between having access to it and using it is purely a configuration one.

Do you know whether your Microsoft 365 tenant has any Conditional Access policies active? Most business owners we speak to in Donegal and Sligo do not — and neither do their IT providers, in many cases. Book a free 20-minute strategy call — we can check your tenant configuration in the call.

What Conditional Access Actually Does

A correctly configured Conditional Access policy evaluates several signals simultaneously when a login is attempted. The location of the login — is this an IP address your business has seen before, or is it in a country you have never operated in? The device — is it a managed company device or an unknown personal machine? The compliance status — does the device meet your security requirements? The risk level — has Microsoft's threat intelligence flagged this login as suspicious based on patterns across billions of sign-ins globally?

The policy then takes an action. It might block the login outright. It might require the user to complete MFA. It might allow the login but restrict what the user can do — no downloading of files, for example, from an unmanaged device.

For a Letterkenny accountancy firm or a Donegal manufacturing company, the most impactful starting policies are straightforward. Block all logins from countries your business does not operate in. Require MFA for any login from outside your office network. Block logins from devices that are not enrolled in your device management system. These three policies, properly configured, eliminate the vast majority of the attack surface that credential theft exploits.

Why This Matters More Than MFA Alone

Multi-factor authentication is a necessary control — but it is not sufficient on its own, and Irish businesses need to understand why. Attackers have developed several methods to bypass standard MFA. MFA fatigue attacks bombard a user with approval requests until they click accept out of frustration. Session cookie theft, used by modern infostealers, captures the token that keeps a user logged in and replays it from a new device — bypassing MFA entirely because the attacker presents as an already-authenticated session. Adversary-in-the-middle phishing kits capture both passwords and MFA codes in real time.

Conditional Access addresses these bypass methods because it evaluates each session independently, not just the initial authentication. A session cookie replayed from an unknown device in an unexpected location will fail Conditional Access even if the original MFA was completed legitimately.

MFA is the lock on the door. Conditional Access is the security system that monitors everything that happens after the door is opened. Both are necessary. Most Irish SMEs in the Donegal and North-West region have only the first one.

What Next

1. Check whether Conditional Access is active in your tenant. Log into the Microsoft Entra admin centre (formerly Azure Active Directory) and navigate to Protection > Conditional Access. If there are no policies listed, none are active. This check takes two minutes.

2. Enable Microsoft's Security Defaults as an immediate baseline. If you have no policies, Microsoft's Security Defaults — a preconfigured set of basic policies — can be enabled with a single toggle. They are not a complete solution but they are significantly better than nothing and take under five minutes to activate.

3. Plan a proper policy review. Security Defaults are a starting point, not a strategy. A proper Conditional Access configuration tailored to your business — including named location policies, device compliance requirements, and risk-based sign-in policies — requires about half a day of work with someone who knows the platform. It is one of the highest-return security investments available to an Irish SME.

Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

• MFA Everywhere: Why Multi-Factor Authentication Is Non-Negotiable in 2026
• Your Business Password Is on the Dark Web. It Got There in 48 Hours.
• Privileged Access Management for Irish SMEs: Why Not Everyone Needs Admin Rights

[^1]: Microsoft — How Conditional Access Reduces Risk [^2]: NCSC Ireland — Advice for Organisations [^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.