Service

Entra ID & Conditional Access

Intragreat is an Entra ID consultant for startups, mid-sized companies, and small IT teams. We design and deploy Conditional Access and phishing-resistant MFA, block legacy authentication, and set up a clean identity lifecycle (joiner/mover/leaver, SSO, app provisioning). These are the identity controls enterprise customers and investors actually check. We roll policies out in report-only mode first, so no one gets locked out.

Who It Is For

Practical support for growing businesses.

For teams that need real access control beyond basic MFA — and need it to survive an enterprise security review.

Problems Solved

MFA is on, but there is no context-aware access control
Legacy authentication is bypassing MFA
Admin accounts are protected only by SMS codes
Onboarding and offboarding are manual and error-prone
No SSO for the apps customers ask about

What Is Included

Clear scope and plain-language documentation.

Conditional Access design and rollout

Phishing-resistant MFA (passkeys and hardware keys)

Block legacy authentication

Safe report-only rollout and pilot groups

Identity lifecycle (joiner/mover/leaver, SSO, SCIM)

Policy documentation

When You Need This

Signs it’s time to bring this in.

A customer asked for SSO or SAML and you need Entra to deliver it
A security questionnaire asks about MFA type, Conditional Access, and admin protection
You are onboarding and offboarding by hand and access is piling up
An admin account is protected only by SMS MFA

FAQ

Common questions.

What is Conditional Access, and do we need it?

Conditional Access is Microsoft Entra’s policy engine that decides how and when users can reach your data — by user, device, location, risk, and app. If you handle customer data or face security reviews, you need it: it’s the most commonly cited identity gap on questionnaires, and it’s where real access control lives beyond basic MFA.

What is phishing-resistant MFA and why does it matter?

Phishing-resistant MFA uses passkeys or hardware security keys that can’t be intercepted the way codes and push prompts can. It matters most for admin and high-risk accounts, which are the accounts attackers target — SMS or app-code MFA on a global admin is a known weak link.

Will rolling out Conditional Access lock our users out?

Not if it’s done properly. We roll policies out in report-only mode and with pilot groups first, so we can see the impact before anything is enforced. Careful sequencing is exactly why bringing in someone who’s done it before is worth it.

Can you set up single sign-on (SSO) for our SaaS apps?

Yes. We connect your apps to Entra ID for SSO and, where the app supports it, automated user provisioning (SCIM). That’s often what a prospect means when they ask whether you “support SSO,” and it also cuts down manual onboarding and offboarding.

What Microsoft license do we need for this?

Conditional Access requires Microsoft 365 Business Premium, Microsoft 365 E3/E5, or standalone Entra ID P1/P2. Business Basic and Standard don’t include it. Business Premium is the right tier for most small teams because it also bundles Intune and Defender — we’ll confirm what you have before recommending changes.

Get Started

Start with a practical security review.

We will look at your Microsoft 365, devices, email security, and user access, then give you a clear list of what to fix.