Conditional Access: The Cybersecurity Cheat Code You Never Knew About

Posted by Laura Havok, Reality Bytes, 26-03-2026 03:27 PM

By now, we’ve all heard of two-factor authentication (2FA) — those one-time security codes you get to log into your accounts. Yes, it can be annoying, but it’s also the easiest cybersecurity tool you can set up today, reducing your risk of being hacked by 99%. But what if I told you that’s just the beginning?

Beyond Basic 2FA

Basic 2FA asks for a code before granting access, which is great. But these codes can be spoofed or bypassed. Hackers don’t even need your login — just a session token. It’s disturbingly easy to get around basic 2FA.

Conditional access for Microsoft 365 is like 2FA’s big brother. It looks at your usage history and the rules set by your organization, and then asks further questions:

  • Who is signing in?
  • Where are they signing in from?
  • What device are they using, and have they used it before?
  • How risky does this sign-in appear?

If everything looks normal, you won’t even be prompted for a code. But if you suddenly log in from a new location or device, that’s suspicious. You’ll be prompted to authenticate or even blocked outright. Annoying? Maybe. Worth it? Absolutely.

Role-Based Access: Taking Security Further

We can go a step further with role-based access, blocking files or cloud apps that a user doesn’t need. For example, if someone tries to access your payroll app but isn’t in finance, that’s suspicious. You can require 2FA or block access entirely.

Being able to control who can access company files, apps, and data based on their job role, device, and location is extremely valuable. Even if credentials are stolen, an attacker will struggle to log in. And if they do, role-based access limits potential damage.

Building a Safer Mindset

The goal is to shift to a “default deny” mindset, where no one is trusted by default and every sign-in is validated. Conditional access and role-based controls make this possible, creating a safer environment for everyone.
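The sketch below is an added example, not part of the original post and not Microsoft's implementation: a simplified model of the decision flow described above, showing how the four sign-in questions, role-based access and default deny combine into allow, prompt or block. The group and app names, allowed countries, risk labels, usage history and the choice to block (rather than prompt) on a role mismatch are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not from the post or any real tenant).
APP_GROUPS = {"payroll": {"finance"}, "mail": {"finance", "sales"}}  # role-based access
ALLOWED_COUNTRIES = {"CA", "US"}                                      # organization rule

@dataclass(frozen=True)
class SignIn:
    user: str        # who is signing in
    group: str       # their job role
    app: str         # what they are trying to reach
    country: str     # where they are signing in from
    device: str      # what device they are using
    risk: str        # "low", "medium" or "high" from a hypothetical risk score

@dataclass
class History:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)

def evaluate(s, history):
    """Return (decision, reasons); decision is 'allow', 'mfa' or 'block'."""
    seen = history.get(s.user, History())  # unknown user: nothing is familiar
    block, mfa = [], []
    # Default deny: an unlisted app, or a group not listed for it, is refused.
    if s.group not in APP_GROUPS.get(s.app, set()):
        block.append("app not permitted for role")
    if s.country not in ALLOWED_COUNTRIES:
        block.append("country not allowed")
    if s.risk == "high":
        block.append("high sign-in risk")
    elif s.risk != "low":
        mfa.append("elevated sign-in risk")  # anything not explicitly low
    if s.country not in seen.countries:
        mfa.append("new location")
    if s.device not in seen.devices:
        mfa.append("new device")
    if block:
        return "block", block  # a block always outranks an MFA prompt
    if mfa:
        return "mfa", mfa
    return "allow", []

HISTORY = {"dana": History({"CA"}, {"laptop-01"})}  # constructed usage history

if __name__ == "__main__":
    for s in (SignIn("dana", "finance", "payroll", "CA", "laptop-01", "low"),
              SignIn("dana", "finance", "payroll", "US", "phone-77", "low"),
              SignIn("sam", "sales", "payroll", "CA", "laptop-09", "low")):
        print(s.user, s.app, *evaluate(s, HISTORY))
```

Because every sign-in is evaluated against device, location and risk, valid credentials presented from an unfamiliar device still trigger a prompt, and a role mismatch is refused even when everything else looks normal.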

Laura Havok, Reality Bytes.
https://www.realitybytes.ca/