This guide explains the ten essential Microsoft 365 security controls we recommend for charities to reduce cyber risk, improve governance and strengthen long-term resilience.
What it is
Conditional Access is Microsoft’s policy engine for controlling access to Microsoft 365. Every sign-in is evaluated against a set of predefined rules before access is granted.
Policies can consider:
- User identity
- Device compliance
- Geographic location
- Sign-in risk
- Application being accessed
This allows charities to apply security controls that balance protection with usability.
Why it matters
Passwords and Multi-Factor Authentication provide strong protection, but they don’t answer every question.
Should a user be allowed to sign in from an unmanaged laptop?
Should an administrator be able to access Microsoft 365 from overseas?
Should legacy authentication still be permitted?
Conditional Access answers these questions automatically by enforcing security policies every time someone signs in.
For charities handling donor, financial and beneficiary information, this additional layer of protection significantly reduces cyber risk.
Common mistakes
- Applying the same policy to every user.
- Forgetting emergency (break-glass) administrator accounts.
- Allowing legacy authentication to remain enabled.
- Not requiring compliant devices.
- Creating policies but never reviewing them
Bunker's Recommended Approach
We recommend implementing Conditional Access in phases.
Start by protecting administrator accounts before expanding policies to staff and volunteers. Use Microsoft’s recommended security baselines as a foundation, then tailor policies to your charity’s operational needs.
Conditional Access should work alongside Multi-Factor Authentication, Microsoft Defender and Identity Protection—not replace them.
Regular reviews ensure policies remain aligned with organisational changes, new security threats and Microsoft best practice.
How We Helped a leading UK Charity
During a Microsoft 365 security review for a UK charity with more than 100 staff and volunteers, we identified that users could access organisational data from unmanaged personal devices without additional security controls.
Working with the charity, we:
- Implemented Conditional Access policies for all users.
- Required Multi-Factor Authentication for cloud applications.
- Blocked legacy authentication.
- Restricted administrator access to compliant devices.
- Introduced location-based access controls for higher-risk sign-ins.
Rather than creating unnecessary barriers for users, the policies were designed around how the charity worked, improving security while maintaining a smooth user experience.
Many charities already have the Microsoft licences needed for Conditional Access through Microsoft 365 Business Premium but we regularly find the feature hasn't been configured. One of the quickest wins during a Microsoft 365 Security Review is identifying where simple policy changes can significantly reduce cyber risk without affecting the user experience.
Ready to review your Microsoft 365 security?
Conditional Access for UK Charities
FAQ

What is Conditional Access?
Conditional Access is a Microsoft 365 security feature that evaluates every sign-in before access is granted. It uses conditions such as user identity, device compliance, location and sign-in risk to determine whether a user should be allowed access, challenged with Multi-Factor Authentication or blocked altogether.
Does Conditional Access replace Multi-Factor Authentication?
No. Multi-Factor Authentication verifies a user’s identity, while Conditional Access decides when MFA should be required and whether access should be allowed at all. Together they provide a much stronger security posture than either control alone.
Which Microsoft licence do charities need?
Most Conditional Access features require Microsoft 365 Business Premium or Microsoft Entra ID P1. Many charities already own the necessary licences but haven’t yet implemented Conditional Access policies.
Can Conditional Access protect volunteers as well as employees?
Yes. Conditional Access policies can be applied to employees, volunteers, contractors and guest users. Policies can be tailored to different user groups, allowing charities to provide secure access while maintaining appropriate levels of control.
Can Conditional Access block suspicious sign-ins?
Yes. Conditional Access can block sign-ins from unfamiliar countries, unmanaged devices or users identified as high risk. It can also require additional verification before access is granted.
How can Bunker help?
Bunker helps UK charities design, implement and review Conditional Access policies as part of a wider Microsoft 365 Security Review. We focus on creating practical security controls that reduce organisational risk without disrupting day-to-day operations.
Bunker Technical Solutions Cyber Security Team | Last reviewed: July 2026

