This is to clarify a confusing Microsoft blog post which states that Conditional Access is included with Microsoft 365.
The source of confusion
The post "Conditional Access is now part of Microsoft 365 Business!" on the Microsoft Tech Community is very misleading because the Microsoft 365 SKUs have changed names since the blog post was created in 2019. Of course, that change was supposed to make things clearer, but it has also served as a source of confusion, in this case at least.
Let’s look at how the business SKUs were renamed on April 21st, 2020:
|Old SKU|New SKU|
|---|---|
|Office 365 Business Essentials|Microsoft 365 Business Basic|
|Office 365 Business Premium|Microsoft 365 Business Standard|
|Microsoft 365 Business|Microsoft 365 Business Premium|
So, the Microsoft blog post was referring to the OLD SKU in the bottom left, which is now called Microsoft 365 Business Premium. Therefore, in order to use Conditional Access with a Business license, you must have Business Premium; Standard or Basic are not enough. If you try to use Conditional Access with only Basic or Standard licenses in your tenant, you will see that you are not able to create a new policy.
How many premium licenses do I need?
If you have at least one user with Microsoft 365 Business Premium or any other SKU which has Azure AD Premium (P1 or P2), the option will be enabled. This then raises another question: how many users need to have a Business or Azure AD Premium license? Technically the answer is just one, since that enables the feature in the tenant. However, I believe the Microsoft stance is that all users who are being affected by the policies should have an eligible license. I have never seen this documented anywhere, however. Also, it is very common that admin users do not have licenses at all (since they are just used for management, which is good practice); however, you always want those accounts to have MFA enforced via Conditional Access, and it works just fine.
You need at least one Microsoft 365 Business Premium or Azure AD Premium license to have Conditional Access enabled in your tenant, and you should then be able to use it for all users.
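To check this in your own tenant, the following added example (not part of the original post or of any Microsoft tooling) lists the subscribed SKUs that include Azure AD Premium and the users who hold no such license. It assumes the Microsoft Graph PowerShell module is installed and relies on the service plan names `AAD_PREMIUM` (P1) and `AAD_PREMIUM_P2` (P2), which do not appear in the post.

```powershell
# Added example: requires the Microsoft.Graph PowerShell module and read-only consent.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All'

# Service plan names for Azure AD Premium P1 and P2 (assumption stated in the lead-in).
$premiumPlanNames = 'AAD_PREMIUM', 'AAD_PREMIUM_P2'

# Map each subscribed SKU that bundles Azure AD Premium to its premium plan IDs.
$premiumBySku = @{}
$skus = Get-MgSubscribedSku
foreach ($sku in $skus) {
    $ids = @($sku.ServicePlans |
        Where-Object { $_.ServicePlanName -in $premiumPlanNames } |
        ForEach-Object { [string]$_.ServicePlanId })
    if ($ids.Count -gt 0) { $premiumBySku[[string]$sku.SkuId] = $ids }
}

# SKUs that can unlock Conditional Access, with the number of licenses assigned.
$skus | Where-Object { $premiumBySku.ContainsKey([string]$_.SkuId) } |
    Select-Object SkuPartNumber, ConsumedUnits |
    Format-Table -AutoSize

if ($premiumBySku.Count -eq 0) {
    Write-Warning 'No subscribed SKU includes Azure AD Premium P1 or P2.'
}

# Users without an eligible license. A SKU only counts when its premium plan
# has not been disabled on that user's license assignment.
$withoutPremium = Get-MgUser -All -Property UserPrincipalName, AssignedLicenses |
    Where-Object {
        $hasPremium = $false
        foreach ($lic in $_.AssignedLicenses) {
            $planIds = $premiumBySku[[string]$lic.SkuId]
            $active = @($planIds | Where-Object { $_ -and $_ -notin $lic.DisabledPlans })
            if ($active.Count -gt 0) { $hasPremium = $true }
        }
        -not $hasPremium
    }

"Users without an Azure AD Premium plan: $(@($withoutPremium).Count)"
$withoutPremium | Select-Object UserPrincipalName | Sort-Object UserPrincipalName
```

Unlicensed admin accounts will show up in the second list; compare it against the users your Conditional Access policies target.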