Why Conditional Access Is One of the Smartest Security Moves You Can Make
Your receptionist logs in to check her schedule from a café on Saturday morning. Your bookkeeper connects from a personal laptop at home. A new staff member sets up their account from their phone on day one. Each of these logins looks different - different device, different location, different time. Your system has no way of knowing whether any of them is actually the person they claim to be. It just sees a username and a password, and it lets them in.
That is the core problem with relying on passwords alone. Stolen credentials are the leading cause of data breaches, and it is not hard to see why. Once someone has a username and password - whether they guessed it, bought it on the dark web, or received it from a colleague who meant well - they have the keys to whatever that account can reach. For practices using Microsoft 365, that means email, files, calendars, and client records.
Conditional access changes the logic. Instead of asking only "does this person know the password?", it asks a series of additional questions before granting entry. Is this a recognised device? Is the login coming from New Zealand? Is it happening at a reasonable time of day? Does the user's role actually require access to what they are trying to reach? If the answers do not add up, the system can block access, request additional verification, or restrict what the user can do. It is a set of rules that run automatically, every time, without relying on anyone to remember to enforce them.
The practical effect for a busy practice is significant. Staff who log in from their usual device during the working day experience no friction at all. The same person logging in at midnight from an overseas IP address gets stopped until they verify who they are. You are not making everyone's day harder - you are applying scrutiny where it is actually warranted. Conditional access also lets you apply the principle of least privilege: users only get access to the systems and data their role requires. A reception team member does not need the same access as the practice manager, and conditional access makes it straightforward to enforce that difference.
Setting this up well requires some thought about your business - which roles exist, which devices are authorised, which locations are plausible for your team. It also integrates with multi-factor authentication (MFA), which adds a one-time verification code or app approval on top of the password. The two work together to close the gap that passwords alone leave open. For practices that handle sensitive client or patient information, this combination is one of the most effective protections available. CERT NZ lists credential compromise as one of the top attack vectors for NZ businesses, and conditional access directly addresses it.
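To make the "series of additional questions" concrete, here is a small policy engine, written for this article and not part of any Microsoft product, that evaluates a sign-in the way conditional access does: every policy whose conditions match contributes its grant controls, a single "block" outcome wins, and otherwise the user must satisfy the union of the required controls (MFA, a managed device) before getting in. The roles, app names, working hours, trusted country and the excluded emergency account are constructed assumptions for a New Zealand practice, not values from the page; the general shape (conditions, grant controls, a per-policy exclusion list) follows how tenant policies are usually laid out.

```python
"""Toy conditional-access policy engine (constructed illustration, not vendor code).

Each policy has a condition on the sign-in context and a set of controls.
Evaluation: collect every matching policy; if any one says "block", the
sign-in is blocked; otherwise the user must complete every required control.
A control that the current sign-in cannot satisfy (a managed device required
from an unmanaged one) also ends in a block.
"""
from dataclasses import dataclass
from typing import Callable

WORKING_HOURS = range(7, 19)                  # assumption: 07:00-18:59 local time
TRUSTED_COUNTRIES = {"NZ"}                    # assumption: staff only sign in from NZ
FINANCE_ROLES = {"bookkeeper", "practice_manager"}   # assumed least-privilege mapping
BREAK_GLASS = frozenset({"emergency-admin"})  # emergency account kept out of every policy


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str
    app: str              # resource the user is trying to reach
    device_managed: bool  # enrolled and compliant with the practice's device management
    country: str          # derived from the sign-in IP address
    hour: int             # local hour of day, 0-23


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[SignIn], bool]
    controls: frozenset[str]   # {"block"} or a subset of {"mfa", "managed_device"}
    excluded_users: frozenset[str] = BREAK_GLASS


@dataclass(frozen=True)
class Decision:
    outcome: str               # "allow" or "block"
    controls: frozenset[str]   # controls the user must complete when allowed
    matched: tuple[str, ...]   # names of the policies that applied
    reason: str = ""


# Constructed policy set mirroring the questions in the article:
# where is the login from, when, from what device, and does the role need the app?
POLICIES = (
    Policy("Require MFA from outside NZ",
           lambda s: s.country not in TRUSTED_COUNTRIES, frozenset({"mfa"})),
    Policy("Require MFA outside working hours",
           lambda s: s.hour not in WORKING_HOURS, frozenset({"mfa"})),
    Policy("Require MFA from unmanaged devices",
           lambda s: not s.device_managed, frozenset({"mfa"})),
    Policy("Block finance app for non-finance roles",
           lambda s: s.app == "finance" and s.role not in FINANCE_ROLES, frozenset({"block"})),
    Policy("Finance app only from managed devices",
           lambda s: s.app == "finance", frozenset({"managed_device"})),
)


def evaluate(signin: SignIn, policies=POLICIES) -> Decision:
    """Apply every matching policy to one sign-in and return the combined decision."""
    matched = [p for p in policies
               if signin.user not in p.excluded_users and p.condition(signin)]
    names = tuple(p.name for p in matched)
    if any("block" in p.controls for p in matched):
        return Decision("block", frozenset(), names, "a matching policy blocks access")
    controls = frozenset().union(*(p.controls for p in matched))
    if "managed_device" in controls and not signin.device_managed:
        return Decision("block", controls, names,
                        "required control cannot be satisfied: device is not managed")
    return Decision("allow", controls, names)


if __name__ == "__main__":
    # Constructed sample sign-ins: the usual workday login, the same person
    # at midnight overseas, and a role reaching for an app it does not need.
    samples = [
        SignIn("ana", "reception", "mail", True, "NZ", 10),
        SignIn("ana", "reception", "mail", True, "AU", 0),
        SignIn("ana", "reception", "finance", True, "NZ", 10),
        SignIn("ben", "bookkeeper", "finance", False, "NZ", 14),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user:4} {s.app:8} {s.country} {s.hour:02d}:00 -> {d.outcome:5}"
              f" controls={sorted(d.controls)} {d.reason}")
```

The workday login from a managed device in New Zealand matches no policy and sees no prompt at all; the midnight login from overseas matches two policies and is held until MFA completes; the receptionist reaching for the finance app is blocked outright by the role rule, while the bookkeeper on a personal laptop is blocked only because the managed-device control cannot be met. Keeping one emergency account out of every policy is the usual safeguard against locking the whole practice out with a mis-scoped rule.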
If your practice is running Microsoft 365 or a similar cloud platform and you have not yet looked at conditional access, it is worth putting on the agenda. An IT support partner who knows your setup can configure the right rules without disrupting how your team works day to day. The goal is stronger security that your staff barely notice.
ITstuffed works with professional services businesses across Canterbury to get this kind of protection in place properly. If you want a quick sense of where your current setup stands, book a 15-minute IT Fit Check and we can take a look.