< All Topics

What is Conditional Access?

The modern security perimeter extends beyond an organisation’s network perimeter to include user and device identity. Organisations now use identity-driven signals as part of their access control decisions.

Microsoft Entra Conditional Access brings signals together to make decisions and enforce organisational policies.

Here is our explainer video:

Conditional Access is Microsoft’s Zero Trust policy engine that considers signals from various sources when enforcing policy decisions.

Conditional Access policies, at their simplest, are if-then statements; if a user wants to access a resource, then they must complete an action. For example, users must perform multifactor authentication to gain access if they want to access an application or service like Microsoft 365.

A diagram illustrating the various stages of a wireless communication system, including conditional access.

A diagram illustrating the various stages of conditional access.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever
  • Protect the organisation’s assets

Use Conditional Access policies to apply the right access controls when needed to keep your organisation secure.

Common signals

Conditional Access takes signals from various sources into account when making access decisions.

A diagram of the microsoft security platform.

A diagram of the Microsoft security platform.

These signals include:

  • User or group membership
    • Policies can target specific users and groups, giving administrators fine-grained control over access.
  • IP Location information
    • Organizations can create trusted IP address ranges that can be used when making policy decisions.
    • Administrators can specify entire countries/regions’ IP ranges to block or allow traffic from.
  • Device
    • Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies.
    • Use filters for devices to target policies to specific devices like privileged access workstations.
  • Application
    • Users attempting to access specific applications can trigger different Conditional Access policies.
  • Real-time and calculated risk detection
    • Signals integration with Microsoft Entra ID Protection allows Conditional Access policies to identify and remediate risky users and sign-in behaviour.
  • Microsoft Defender for Cloud Apps
    • Enables user application access and sessions to be monitored and controlled in real-time. This integration increases visibility and control over access to and activities done within your cloud environment.

For all your security needs, contact us today.


Please find suggested further reading here: