Securing a creative team with Conditional Access without killing productivity
How to harden access to sensitive tools (Adobe, finance, HR) while keeping the fluidity a creative team needs. Entra ID policy in practice.
A creative team has a particular relationship with IT security. Mis-calibrated controls (re-auth every hour, MFA to open Slack, blocking personal files on the work machine) generate friction that ends up producing shadow IT — the user works around it, which is exactly the situation security wanted to prevent. Conversely, doing nothing exposes brand files, client contracts, and confidential material to poorly-controlled risk. The right posture lies elsewhere: harden where it matters, smooth where you can. Here is how we structure Conditional Access (Entra ID) for these teams.
The Conditional Access principle
Conditional Access (CA) is the Entra ID rule engine that decides, for every connection attempt to an application, what to require beyond the password. Three input variables: who (user, group, role), from what (device state, location, detected risk), to do what (the requested app, associated risk level). Output: allow, require MFA, require device compliance, block.
Done well, it’s invisible most of the time and tight where it matters.
The rule that should always be on
Three minimum baseline policies, before nuance:
- Mandatory MFA for all administrators, no exceptions, with at least one phishing-resistant method (FIDO2 passkey or Authenticator with biometric lock).
- Block legacy protocols (POP3, IMAP, SMTP basic auth) — main vectors for credential-stuffing attacks.
- Mandatory MFA for everyone on risky sign-ins (user-risk or sign-in-risk signal raised by Microsoft Identity Protection).
These three rules cover 90% of identity risks. Every organization should have had them in place long ago.
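The three baseline rules, plus the admin session and device requirements described further down, written out as Microsoft Graph conditional access policy objects and created with the Microsoft.Graph PowerShell SDK. This is an added example, not a configuration from the post or from the studio it describes. It assumes a break-glass account (object id shown as a placeholder) that is excluded from every policy, the Global Administrator role template id (extend the list with the other privileged roles your tenant uses), and the built-in "Phishing-resistant MFA" authentication strength. Policies are created in report-only state so you can watch the sign-in log for unintended lockouts before switching them to enabled.

```powershell
# Added example: baseline Conditional Access policies via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassUserId     = "00000000-0000-0000-0000-000000000000"   # placeholder: your break-glass account object id
$PrivilegedRoles      = @("62e90394-69f5-4237-9190-012177145e10") # Global Administrator; add other privileged role template ids
$PhishingResistantMfa = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" authentication strength

$baseline = @(
  @{
    # Admins: phishing-resistant MFA (passkey), only from a compliant device, re-auth every 12 hours.
    # "mfa" in builtInControls and authenticationStrength are mutually exclusive, so only the latter is set.
    displayName = "BASE-01 Admins: phishing-resistant MFA + compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users          = @{ includeRoles = $PrivilegedRoles; excludeUsers = @($BreakGlassUserId) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("all")
    }
    grantControls = @{
      operator               = "AND"
      builtInControls        = @("compliantDevice")
      authenticationStrength = @{ id = $PhishingResistantMfa }
    }
    sessionControls = @{
      signInFrequency = @{ isEnabled = $true; type = "hours"; value = 12; frequencyInterval = "timeBased" }
    }
  },
  @{
    # Legacy authentication: "other" covers basic-auth POP3/IMAP/SMTP and older Office clients,
    # "exchangeActiveSync" the EAS clients. None of them can satisfy MFA, so they are blocked outright.
    displayName = "BASE-02 Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{
    # Conditions inside one policy are ANDed, so sign-in risk and user risk get separate policies.
    displayName = "BASE-03 MFA on medium/high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users            = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
      applications     = @{ includeApplications = @("All") }
      clientAppTypes   = @("all")
      signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{
    # A high user risk means the account itself is suspect: MFA and a password change, both required.
    displayName = "BASE-04 MFA + password change on high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("all")
      userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
  }
)

foreach ($policy in $baseline) {
  $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
  Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave the policies in report-only for a week or two, review the report-only results in the sign-in log, then flip `state` to `enabled` one policy at a time, admins first. The break-glass exclusion is what keeps a mistake in any of these from locking the tenant's own administrators out.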
Calibrating for a creative team
Beyond baseline, you adapt. The mistake is applying the same policy to everyone: a designer who lives in Figma, Adobe and Slack doesn’t have the same risk profile as an accountant handling wire transfers, or a leader opening M&A files.
At the Paris creative studio this field report describes (~30 people), we applied:
- For all users: MFA via Authenticator with biometric lock, 90-day session on MDM-managed devices, blocked sign-ins from unexpected countries (whitelist for declared travel).
- For administrators (3 people): mandatory FIDO2 passkey, 12-hour session, admin functions only from MDM-compliant devices with active EDR (not from a personal phone).
- For sensitive apps (finance, HR, contract signers): re-authenticated MFA per session, access limited to compliant devices, refused from the guest Wi-Fi.
- For everyday apps (Slack, Teams, Adobe, Figma): friction-free SSO from compliant devices, MFA only if a risk signal is detected.
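The calibrated layer above the baseline, again as Graph conditional access objects created with the Microsoft.Graph PowerShell SDK. This is an added example and not the studio's actual configuration: the enterprise application ids, the break-glass account id and the guest Wi-Fi named location id are tenant-specific and shown as placeholders, the allowed-countries named location is created here with France only, and "re-authenticated MFA per session" is expressed as a full re-authentication every time (with a passkey that is a single touch).

```powershell
# Added example: per-population Conditional Access policies via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassUserId  = "00000000-0000-0000-0000-000000000000"                       # placeholder
$SensitiveApps     = @("<finance-app-id>", "<hr-app-id>", "<esign-app-id>")      # placeholders: enterprise app ids
$EverydayApps      = @("<slack-app-id>", "<teams-app-id>", "<adobe-app-id>", "<figma-app-id>")
$GuestWifiLocation = "<guest-wifi-named-location-id>"                            # placeholder: IP named location for the guest SSID egress

# Countries the team normally signs in from. Declared travel = add the country here for the trip,
# which is the "whitelist" mentioned above, rather than a per-user exception that gets forgotten.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
  "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
  displayName                       = "Allowed countries"
  countriesAndRegions               = @("FR")
  includeUnknownCountriesAndRegions = $false
}

$policies = @(
  @{
    # Everyone: block sign-ins from anywhere outside the allowed countries.
    displayName = "CAL-01 Block sign-ins outside allowed countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("all")
      locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{
    # Everyday apps: a compliant managed device is the only gate, session valid 90 days.
    # Risk-triggered MFA comes from the baseline policies, so no MFA control here.
    displayName = "CAL-02 Everyday apps: compliant device, 90-day session"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
      applications   = @{ includeApplications = $EverydayApps }
      clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("compliantDevice") }
    sessionControls = @{
      signInFrequency = @{ isEnabled = $true; type = "days"; value = 90; frequencyInterval = "timeBased" }
    }
  },
  @{
    # Sensitive apps: compliant device AND MFA, and a fresh authentication at every session.
    displayName = "CAL-03 Sensitive apps: compliant device + re-auth every session"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
      applications   = @{ includeApplications = $SensitiveApps }
      clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("compliantDevice", "mfa") }
    sessionControls = @{
      signInFrequency = @{ isEnabled = $true; frequencyInterval = "everyTime"
                           authenticationType = "primaryAndSecondaryAuthentication" }
    }
  },
  @{
    # Sensitive apps: never from the guest Wi-Fi, whatever the device state. A separate block
    # policy is clearer than folding the location into CAL-03, and shows up by name in the logs.
    displayName = "CAL-04 Sensitive apps: block from guest Wi-Fi"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
      applications   = @{ includeApplications = $SensitiveApps }
      clientAppTypes = @("all")
      locations      = @{ includeLocations = @($GuestWifiLocation) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  }
)

foreach ($policy in $policies) {
  $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
  Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

The split into four small policies rather than one big one is deliberate: each policy evaluates independently and is named in every sign-in log entry it touches, so when a designer reports "Figma won't let me in" you can see in one line which rule fired and why.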
Device compliance, the central lever
For Conditional Access to be useful, the “device compliant” condition has to mean something. This requires an MDM that reports compliance to Entra ID: Intune does it natively, Kandji and Jamf do it via official Microsoft “device compliance” connectors (Kandji since 2023, Jamf for longer).
Typical compliance criteria: OS up to date (macOS within a 14-day window, iOS within 7 days), encryption active, password or TouchID/FaceID active, EDR active and current, no jailbreak/root detected.
Once that flow is in place, you can write CA rules like “CRM access only from compliant devices” with confidence — an unmanaged personal Mac won’t pass, a managed and compliant Mac will pass without friction.
Passkeys, the real 2024-2025 novelty
Passkeys (based on WebAuthn / FIDO2) are the most impactful security deployment of the last two years. User side: a factor unlocked by TouchID/FaceID, nothing to type, ultra-fast. Security side: phishing-resistant by construction (the passkey can’t be entered on a malicious site impersonating your IdP).
Microsoft, Google, Apple, GitHub, 1Password and Slack have all supported passkeys since 2023. Our 2026 standard on new deployments: passkey by default on admin accounts, passkey offered to all users with progressive migration. Password + SMS code remains a fallback.
The investment to plan for
Conditional Access is included in Entra ID P1, and Entra ID P2 adds Identity Protection with automated risk detection and advanced investigations. On a 30-person SMB, the licensing cost stays modest, plus the initial setup effort (typically 1-3 weeks depending on complexity).
Compared to a single successful identity incident (ransomware trigger, wire fraud, client leak), the investment is marginal.
What we avoid
A few common anti-patterns:
- MFA everywhere, all the time — generates auth fatigue and workaround behavior.
- Static IP whitelists — security illusion, ignores remote work and travel.
- Blocking mobile apps with no alternative — pushes users to email documents to themselves to open on personal devices.
- Conditional Access without monitoring — if no one watches CA logs, you discover problems after the incident.
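The last anti-pattern is the one with the simplest fix: read the Conditional Access results in the sign-in log. The script below, an added example and not part of the post, pulls the last 24 hours of sign-ins through the Microsoft.Graph.Reports SDK and summarizes two things: enforced policies that denied a sign-in (either an attacker bouncing off a control, or a legitimate user locked out by a miscalibrated rule), and report-only policies that would have blocked a sign-in had they been enabled. It assumes an Entra ID P1/P2 tenant (sign-in log retention and `AuditLog.Read.All` consent) and nothing else.

```powershell
# Added example: daily review of Conditional Access outcomes from the Entra sign-in log.
# Requires: Install-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

# 1. Enforced denials: conditionalAccessStatus is 'failure' when an enabled policy blocked the sign-in
#    or a required control (MFA, compliant device) could not be satisfied.
$denied = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and conditionalAccessStatus eq 'failure'"

$deniedRows = foreach ($signIn in $denied) {
  foreach ($applied in $signIn.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq "failure" }) {
    [pscustomobject]@{
      Policy    = $applied.DisplayName
      User      = $signIn.UserPrincipalName
      App       = $signIn.AppDisplayName
      Country   = $signIn.Location.CountryOrRegion
      ErrorCode = $signIn.Status.ErrorCode
    }
  }
}

Write-Host "`n== Enforced denials, last 24h (same user + same policy repeatedly = probably a calibration problem) =="
$deniedRows |
  Group-Object Policy, User |
  Sort-Object Count -Descending |
  Select-Object Count, Name -First 20 |
  Format-Table -AutoSize

# Many denials for ONE user across DIFFERENT countries in a day is the pattern worth escalating.
Write-Host "`n== Users denied from more than one country =="
$deniedRows |
  Group-Object User |
  Where-Object { ($_.Group.Country | Sort-Object -Unique).Count -gt 1 } |
  Select-Object Name, Count, @{ n = "Countries"; e = { ($_.Group.Country | Sort-Object -Unique) -join ", " } } |
  Format-Table -AutoSize

# 2. Report-only policies: 'reportOnlyFailure' means "this would have been blocked if enabled".
#    A new policy with a large count here needs tuning before you flip it to enabled.
Write-Host "`n== Report-only results, last 24h =="
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
  ForEach-Object { $_.AppliedConditionalAccessPolicies } |
  Where-Object { $_.Result -like "reportOnly*" } |
  Group-Object DisplayName, Result |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize
```

Run it from a scheduled task or a pipeline and post the output to the IT channel: a few lines a day is enough to catch the locked-out designer before the workaround appears, and to notice the repeated denials from an unexpected country before they stop being denials.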
If you want an identity policy that protects without choking, the form at the bottom of the home page is built to start the conversation.
Field-report context: Paris creative studio, ~30 people (anonymized)