Skip to content
BlueStone Tech
Project 02 · Identity & Productivity

Conditional Access Baseline

Eight policies that block 90% of credential attacks. Designed and deployed in three weeks.

Email us about this project See all 7 projects

What's included

Fixed scope. Written deliverables.

Every line below is in the Statement of Work. We don't expand scope mid-project; we don't shrink it. If something needs to change, we agree it in writing.

  • Eight production-ready Conditional Access policies designed and deployed
  • Block legacy authentication · Require MFA for all users · Geo-fence to permitted countries
  • Require compliant device · Block high-risk / impossible-travel sign-ins
  • Restrict Global Admin access (separate policy stack)
  • Block BYOD access to sensitive apps · Apply session controls (sign-in frequency, browser-only sessions)
  • Test matrix and runbook
  • 30-day stabilisation period (we tune policies based on real user behaviour)

Frequently asked

About this project specifically.

Will Conditional Access lock anyone out by accident?
It can if deployed badly, which is why this is a 3-week project not a 3-hour click-through. We deploy in 'report-only' mode first, observe what the policies WOULD have blocked over a week, then enable progressively. The 30-day stabilisation period exists exactly to catch edge cases before they cause an outage.
Does this conflict with our existing MFA?
No — it absorbs and improves on it. If you've enabled 'Security Defaults' in Microsoft 365 (Microsoft's all-or-nothing baseline), we'll turn that off because Conditional Access supersedes it. The result is the same MFA enforcement plus the additional 7 controls — finer grained, but no extra friction for legitimate users.
Does this satisfy Essential 8 ML1 / ML2 requirements?
Yes for the MFA control (Multi-factor Authentication ML1+ML2) and partially for Restrict Administrative Privileges (ML2). For full ML2 coverage of admin privileges, pair this with the Privileged Access Cleanup project ($1,500). Together they cover both controls.

Other identity projects

Often paired with this one.

SaaS SSO via Entra ID

$1,800

Stop your team from juggling passwords. Single sign-on for the SaaS apps you actually use.

See project

Joiner-Mover-Leaver Automation Pack

$1,200

New hire on Monday, your IT does the rest. Same when someone leaves.

See project

Password Manager Rollout

$900 + licence

Stop using "Password123!" One vault, one master password, MFA everywhere.

See project
Same-business-day email reply · no sales calls

Want a quote for Conditional Access Baseline? It takes 2 minutes.

We'll email back with a tailored proposal — no calls, no follow-ups you didn't ask for.

Get a free quote Book a call