
How to Help Clients Choose Between Security Defaults, MFA, and Conditional Access

by Jarod Habana, IT Technical Writer

Most organizations need a sound identity security process to protect themselves. For Managed Service Providers (MSPs) and IT professionals who serve these tech-reliant clients, it’s crucial to provide security strategies that ensure protection without being too complex or costly. Keep reading to learn how you can help your clients choose between Conditional Access, MFA, and security defaults.

Building a framework for selecting between various identity and access management tools

Strong identity protection is always important in business. However, not every organization requires the most advanced security tools. Depending on various factors, some may benefit more from simpler controls, while others require granular enforcement based on device, location, or user risk.

What is the difference between MFA, security defaults, and Conditional Access?

First, make sure your clients understand the differences between security defaults, MFA, and Conditional Access.

Security defaults: a one-click, pre-configured baseline that automatically enables essential protections in Microsoft 365 tenants. Key features:
  • Enforces MFA for all users and admins
  • Blocks legacy authentication protocols
  • Requires modern authentication (OAuth2)
  • Applies uniform security rules without customization

Multi-Factor Authentication (MFA): enforcement of MFA on login for specific users or groups. Key features:
  • Can target high-risk accounts (e.g., admins, executives)
  • Enforces a second factor (phone, app, token)
  • Configured individually or via group policy (depending on license)

Conditional Access (CA): advanced, contextual access control policies built into Azure AD Premium P1/P2 or Microsoft 365 Business Premium. Key features:
  • Enforces MFA based on conditions (location, device compliance, user role, risk level)
  • Can block or restrict access from unmanaged devices
  • Integrates with endpoint compliance and risk signals
  • Supports modern authentication methods like FIDO2 keys

What are the strengths and trade-offs of each option?

To help clients decide what suits their business better, show them the pros and cons of all options. These should help set expectations early on.

Feature                 | Security defaults | MFA                               | CA
Administrative overhead | Very low          | Moderate (per-user configuration) | High (policy design needed)
Granularity             | None              | Minimal                           | Very high
Flexibility             | None              | Low                               | High
Licensing               | Free              | Free                              | Requires P1/P2 or M365 BP

Assess client readiness and risk

You must also evaluate your client’s unique environment before recommending any option to ensure the chosen solution fits their operational needs and business goals.

Here are some key questions to ask:

  1. Do they have regulatory and compliance requirements?

Industries like healthcare, finance, and government often have strict mandates, such as HIPAA, PCI-DSS, and ISO 27001. Conditional Access may be more suited here, as it enables risk-based enforcement and provides stronger reporting and auditing capabilities.

  2. Does their workforce include remote users, BYOD policies, or guest access?

A small, office-based team may do well with security defaults. However, clients may need more complex security tools to ensure protection if their employees work remotely, use their own devices (BYOD), or collaborate frequently with guests or partners.

  3. Do they already have Microsoft 365 Business Premium or E5?

Clients with Microsoft 365 Business Premium or E5 can access advanced security features like Conditional Access and built-in MFA without purchasing additional licenses for more granular control.

  4. Is user friction a top concern?

Security defaults are easier to enable, but don’t allow exceptions or nuanced policies, which can frustrate users. MFA may slow down access, but most users will get used to it over time. Conditional Access can further reduce friction by only prompting MFA when needed.

Implementation pathway

It’s always good to approach this task in phases to balance security and control.

Phase 1: Start with security defaults.

Security defaults allow admins to enable MFA for all users and block legacy authentication with a single toggle. This suits small businesses, startups, or new Microsoft 365 tenants.

Phase 2: Move to per-user MFA.

If defaults aren’t enough, selective MFA enforcement can offer more targeted protection for high-risk users, such as admin accounts and those in the finance team. However, monitoring for drift and missed accounts is crucial, as manual configuration can lead to inconsistent enforcement.

Phase 3: Graduate to Conditional Access.

Conditional Access is best for larger organizations, regulated industries, and remote-first teams. It offers context-aware security that adapts to user behavior and perceived risks. It can:

  • Enforce MFA only when needed (e.g., when users log in from unknown locations)
  • Block access to sensitive data from unmanaged or non-compliant devices
  • Require strong authentication methods (e.g., FIDO2 keys, Windows Hello)

Avoiding common pitfalls

There’s always the risk of misconfiguring identity security, which can reduce protection, lock out users from their accounts, and cause administrative issues. Here are two common mistakes you should avoid.

  1. Do not combine per-user MFA with Conditional Access.

When moving to CA, disable per-user MFA first. This is because when both are active, conflicts might occur, such as:

  • Users being prompted for MFA twice
  • CA policies being overridden or ignored
  • Difficulty troubleshooting access issues

  2. Always configure a “break-glass” account.

A break-glass account is a highly secure emergency admin account excluded from all CA and MFA policies. It can be used when standard access methods fail. This account can prevent complete lockouts and ensure IT admins can regain control and fix issues without using external recovery methods. Just make sure to protect the account with phishing-resistant authentication (e.g., FIDO2 key, smart card).
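The two checks this page calls for, monitoring per-user MFA for missed accounts (Phase 2) and confirming the break-glass account is excluded from every enforced CA policy (pitfall 2), as an added PowerShell audit script that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed, the tenant is licensed for the Entra authentication-methods registration report (P1/Business Premium), and that `breakglass@contoso.example` is a placeholder for the client's real emergency account.

```powershell
# Added example (not from the NinjaOne article). Read-only audit of an M365 tenant:
#  (a) MFA registration drift, i.e. users (and especially admins) with no MFA method registered
#  (b) enabled Conditional Access policies that do NOT exclude the break-glass account
# Assumes the Microsoft.Graph SDK modules are installed; all scopes requested are read-only.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All",
                        "Policy.Read.All", "User.Read.All"

function Get-MfaRegistrationGaps {
    # One row per user; IsMfaRegistered / IsAdmin come from the registration report.
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
    $gaps    = @($details | Where-Object { -not $_.IsMfaRegistered })
    [pscustomobject]@{
        TotalUsers         = @($details).Count
        Unregistered       = $gaps.Count
        UnregisteredAdmins = @($gaps | Where-Object { $_.IsAdmin } |
                               Select-Object -ExpandProperty UserPrincipalName)
    }
}

function Test-BreakGlassExclusion {
    param([Parameter(Mandatory)][string]$BreakGlassUpn)
    $bgId = (Get-MgUser -UserId $BreakGlassUpn -Property Id).Id
    # Only enforced policies can lock the account out; report-only/disabled ones are skipped.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' } |
        ForEach-Object {
            [pscustomobject]@{
                Policy             = $_.DisplayName
                ExcludesBreakGlass = ($_.Conditions.Users.ExcludeUsers -contains $bgId)
            }
        }
}

$gaps = Get-MfaRegistrationGaps
"{0} of {1} users have no MFA method registered" -f $gaps.Unregistered, $gaps.TotalUsers
if ($gaps.UnregisteredAdmins.Count -gt 0) {
    Write-Warning "Privileged accounts without MFA: $($gaps.UnregisteredAdmins -join ', ')"
}

# Placeholder UPN: replace with the client's real break-glass account.
Test-BreakGlassExclusion -BreakGlassUpn 'breakglass@contoso.example' |
    Where-Object { -not $_.ExcludesBreakGlass } |
    ForEach-Object { Write-Warning "Enabled CA policy '$($_.Policy)' does not exclude the break-glass account" }
```

Run it before and after the per-user MFA to CA migration; any warning from the second check should be fixed before the policy is moved out of report-only mode.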

Communication framework for clients

Explaining these concepts properly to clients is essential, especially when talking to those without deep technical backgrounds. Here are some tips to help you communicate better with clients without overwhelming them with jargon.

  • Frame MFA as the seatbelt.

Explain how MFA blocks 99.9% of account compromise attempts, like how seatbelts protect drivers in a car crash.

  • Frame CA as the GPS.

A GPS adjusts its suggested route based on traffic and location. Conditional Access policies also adapt protection features based on who’s logging in, from where, and on what device.

  • Frame security defaults as the factory lock system.

This one-click setup offers immediate protection, just like the default lock system on a new car.

NinjaOne integration ideas

While NinjaOne doesn’t manage identity policies directly, it can help ensure they are effective and actionable.

Function                         | Supports                 | What it does
Track endpoint compliance        | Conditional Access       | Checks device health, patch status, antivirus, and encryption
Audit registry or agent presence | Device trust validation  | Confirms the NinjaOne agent is installed and system settings are secure
Flag non-compliant machines      | Policy enforcement       | Tags risky devices and triggers auto-remediation or alerts
Report policy progress           | Client security tracking | Shows which tenants upgraded from MFA to Conditional Access

Helping clients build resilient identity protection

To choose the right identity security strategy, it’s important to always consider business needs and user experience. Additionally, MSPs must always take a phased approach and communicate well with clients to avoid misunderstandings.

With the help of NinjaOne, building this framework can be a lot easier and less stressful for all parties involved.
