Conditional Access

Control application and data access based on user identity, device, location, and risk level.

Last Updated date: June 2026

Conditional access is a security model that evaluates real-time signals, such as user identity, device health, location, and risk level, before granting, blocking, or restricting access to applications and data. Access is not permanently trusted; it is re-evaluated at every sign-in attempt.

The core logic is "if-then": if these conditions are true, then allow, block, or require additional verification.


Quick Summary

| Field | Detail |
| --- | --- |
| Category | Identity & Access Management (IAM), Zero Trust |
| Related to | Identity Governance (IGA), MFA, Zero Trust, RBAC, Least Privilege |
| Primary use | Enforcing context-aware access decisions at the point of authentication |
| Key benefit | Stops attackers who have valid credentials but fail contextual checks |

Why Passwords Alone Are No Longer Enough

Passwords are already compromised, at scale, continuously, across every industry.

The problem is not authentication. It is that traditional access models treat a correct password as sufficient proof of legitimacy. Conditional access fixes this by asking a second question after authentication: Should this user be allowed access right now, under these specific circumstances?

An attacker with stolen credentials, logging in from an unknown country at 3 AM on an unmanaged device, fails multiple conditional checks, even if the password is correct. That is the gap that conditional access closes, and why it is now foundational to Zero Trust security architecture.


How Conditional Access Works

Every access request triggers a policy evaluation before a decision is returned. The sequence:

  1. Sign-in attempt: A user (or service) requests access to an application or resource.
  2. Signal collection: The policy engine collects context: who is signing in, from where, on what device, with what risk profile.
  3. Policy matching: The system evaluates which conditional access policies apply to this user, app, and context combination.
  4. Decision: Access is granted, blocked, or granted with conditions (such as completing MFA or switching to a compliant device).
  5. Continuous evaluation: In modern implementations, the session is monitored, not just the sign-in. A policy change or risk spike mid-session can revoke access without requiring re-login.

The Signals Conditional Access Evaluates

User and group identity: Is this an administrator, a standard employee, a contractor, or a guest? High-privilege roles typically face stricter conditions than standard users.

Device compliance: Is the device managed, enrolled in MDM, and meeting security baselines? An unmanaged personal device is treated differently from a compliant corporate laptop.

Location and IP: Is the user on a trusted network, signing in from a recognized location, or appearing from a country where the organization has no presence? Anomalous geography is a primary risk signal.

Sign-in risk: Signals from identity protection services flag behaviors like impossible travel (login from two countries within minutes), leaked credentials, or known malicious IPs.

Application sensitivity: Access to payroll or source code warrants stricter conditions than access to a public intranet.
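The impossible-travel signal described above, as an added example that is not part of the original page: two sign-ins by the same user are compared by great-circle distance and elapsed time, and the pair is flagged when the implied speed exceeds a plausible ceiling. The event format, the 1000 km/h ceiling, the 50 km jitter floor and the sample events are all constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed; tune to your environment
MIN_DISTANCE_KM = 50.0      # assumption: ignore IP-geolocation jitter inside one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def travel_speed_kmh(prev, cur):
    """Speed the user would have needed between two sign-ins (inf if no time elapsed)."""
    km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if km < MIN_DISTANCE_KM:
        return 0.0
    elapsed = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
    hours = elapsed.total_seconds() / 3600
    return km / hours if hours > 0 else float("inf")

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Scan sign-in events (any order) and return one alert for each consecutive pair of
    sign-ins by the same user that would have required travelling faster than max_kmh."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        prev = last_seen.get(e["user"])
        if prev is not None:
            speed = travel_speed_kmh(prev, e)
            if speed > max_kmh:
                alerts.append({"user": e["user"], "time": e["time"], "kmh": round(speed, 1)})
        last_seen[e["user"]] = e
    return alerts

# Constructed sample sign-in events (not real telemetry); times are ISO 8601 in UTC.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2026-06-01T09:00:00+00:00", "lat": 51.51, "lon": -0.13},   # London
    {"user": "alice", "time": "2026-06-01T09:20:00+00:00", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "bob",   "time": "2026-06-01T09:00:00+00:00", "lat": 51.51, "lon": -0.13},   # London
    {"user": "bob",   "time": "2026-06-01T14:00:00+00:00", "lat": 48.86, "lon": 2.35},    # Paris
]
```

Running `impossible_travel(SAMPLE_EVENTS)` flags only alice's second sign-in; bob's London-to-Paris trip over five hours stays well under the ceiling.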


Common Conditional Access Policy Patterns

These are the building-block policies most identity governance programs deploy first:

  • Require MFA for all users: Baseline enforcement that adds a second factor regardless of location or device.
  • Require MFA for administrators: Stricter enforcement for privileged accounts, often requiring phishing-resistant MFA methods.
  • Block legacy authentication: Legacy authentication (basic authentication over protocols such as IMAP and SMTP) cannot respond to MFA prompts and is a common attacker entry point. Block it unconditionally.
  • Require compliant device: Only devices enrolled and meeting security policy baselines can access sensitive applications.
  • Block by location: Deny access from countries or IP ranges where the organization has no legitimate users.
  • Enforce session controls for unmanaged devices: Allow read-only access or block downloads on devices that are not corporate-managed.

The most effective conditional access programs layer these policies by user persona: administrators face the strictest conditions, contractors face intermediate controls, and standard staff face baseline requirements.
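The evaluation sequence above (collect signals, match policies, decide) and the building-block policies it feeds, as an added Python model that is not code from the page or from any vendor's policy engine. The SignIn and Policy types, the `emergency-admin` break-glass account and the `ZZ` country code are constructed assumptions; every policy is a plain if-then rule, report-only policies are logged but never enforced, a break-glass user bypasses every policy, and a block outranks any grant-with-conditions.

```python
from dataclasses import dataclass, field

@dataclass
class SignIn:                 # signals collected for one attempt (constructed sample data)
    user: str
    app: str
    device_compliant: bool
    country: str
    client: str               # "modern" or "legacy" (basic auth over IMAP/SMTP and similar)
    risk: str                 # "none", "low", "medium" or "high"

@dataclass
class Policy:                 # one if-then rule: if every set condition matches, apply grant
    name: str
    grant: str                                   # "block", "mfa" or "compliant_device"
    apps: set = field(default_factory=set)       # empty = all apps
    clients: set = field(default_factory=set)    # empty = all client types
    countries: set = field(default_factory=set)  # empty = any location
    min_risk: str = "none"                       # match at this risk level or above
    report_only: bool = False                    # evaluate and log, never enforce

RISK = ["none", "low", "medium", "high"]
BREAK_GLASS = {"emergency-admin"}  # hypothetical emergency account excluded from every policy

def matches(p: Policy, s: SignIn) -> bool:
    return ((not p.apps or s.app in p.apps) and (not p.clients or s.client in p.clients)
            and (not p.countries or s.country in p.countries)
            and RISK.index(s.risk) >= RISK.index(p.min_risk))

def evaluate(policies, s: SignIn):
    """Return (decision, report_only_hits); a block outranks any grant-with-conditions."""
    if s.user in BREAK_GLASS:
        return "allow", []
    hits = [p for p in policies if matches(p, s)]
    report = [p.name for p in hits if p.report_only]  # what would have happened, for review
    grants = {p.grant for p in hits if not p.report_only}
    if "block" in grants or ("compliant_device" in grants and not s.device_compliant):
        return "block", report
    return ("require_mfa" if "mfa" in grants else "allow"), report

POLICIES = [  # the building-block policies from the text, expressed in this model
    Policy("Require MFA for all users", "mfa"),
    Policy("Block legacy authentication", "block", clients={"legacy"}),
    Policy("Require compliant device for payroll", "compliant_device", apps={"payroll"}),
    Policy("Block sign-ins from ZZ", "block", countries={"ZZ"}),  # ZZ = placeholder country
    Policy("Block high-risk sign-ins", "block", min_risk="high", report_only=True),
]
```

A stolen password used from a legacy client, from country `ZZ`, or against payroll from a non-compliant device is blocked even though the password is correct; a high-risk sign-in still gets through in this set because that policy is only in report-only mode, which is exactly what reviewing the report should reveal before enforcing it.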


Conditional Access in Microsoft Entra ID

The most widely deployed implementation is Microsoft Entra ID (formerly Azure Active Directory) Conditional Access, available with an Entra ID P1 license, included in Microsoft 365 E3/E5 and Business Premium.

Key capabilities in the Entra implementation:

  • What If tool: Simulates how a specific user, app, and condition combination would be evaluated before a policy goes live.
  • Report-only mode: Policies run in evaluation-only mode, logging what would have happened without enforcing it. Essential for testing before production rollout.
  • Named locations: Trusted IP ranges and countries are defined centrally and referenced across policies.
  • Entra ID Protection integration: Real-time sign-in and user risk scores feed directly into policy decisions.

Improper conditional access configuration can lock out users, including administrators. Always exclude at least one break-glass account from all policies and test with report-only mode before enforcement.
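As an added example (not Microsoft's code or the page's), the following Python checks a policy definition, written in the shape of the Microsoft Graph conditionalAccessPolicy resource, for the lockout mistakes named above before it is enabled: no break-glass exclusion, enforcement without a report-only phase, and a restrictive control scoped to every user, app and client. The two policies and the break-glass object ID are constructed placeholders, and the finding strings are this example's own, not Entra messages.

```python
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"  # placeholder object ID, emergency account

# Constructed sample policies in the shape of the Microsoft Graph conditionalAccessPolicy
# resource (displayName, state, conditions, grantControls); not exported from a real tenant.
LEGACY_AUTH_BLOCK = {
    "displayName": "Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",  # report-only until the sign-in logs are reviewed
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],  # legacy protocols only, not "all"
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

LOCKOUT_POLICY = {  # the misconfiguration the text warns about: nobody excluded, enforced at once
    "displayName": "Require compliant device everywhere",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

def lint_policy(policy, break_glass_ids=(BREAK_GLASS_ID,), new=True):
    """Return the findings a reviewer should see before a policy definition is enabled."""
    findings = []
    cond = policy["conditions"]
    users = cond["users"]
    if not set(break_glass_ids) <= set(users.get("excludeUsers", [])):
        findings.append("break-glass account is not in excludeUsers")
    if new and policy["state"] == "enabled":
        findings.append("new policy is enforced without a report-only phase")
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    unscoped = (users.get("includeUsers") == ["All"]
                and cond["applications"].get("includeApplications") == ["All"]
                and cond.get("clientAppTypes", ["all"]) == ["all"]
                and not cond.get("locations") and not cond.get("signInRiskLevels"))
    if unscoped and controls & {"block", "compliantDevice"}:
        findings.append("restrictive control covers all users, apps and clients with no narrowing condition")
    return findings
```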



Conditional Access vs. MFA: What's the Difference?

A common point of confusion:

| | MFA | Conditional Access |
| --- | --- | --- |
| What it does | Requires a second authentication factor | Decides *when and whether* MFA (or other controls) applies |
| Scope | Applied uniformly or not at all | Applied contextually based on signals |
| Flexibility | Binary, on or off | Granular, triggered by risk, location, device, role |
| Relationship | MFA is one possible outcome of a conditional access decision | Conditional access is the policy engine that triggers MFA |

MFA is a control. Conditional access is the logic that decides when to apply it. Requiring MFA for every login regardless of context is better than nothing, but it is not conditional access. True conditional access adapts the requirement to the circumstances.


Conditional Access and Identity Governance

Conditional access operates at the authentication layer. Identity governance (IGA) operates at the provisioning and entitlement layer. Together, they form a complete access control model:

  • IGA determines who should have access through role assignments, access reviews, and provisioning workflows.
  • Conditional access determines whether that access is granted right now, based on real-time signals and policy rules.

A user might be entitled to access a financial application (IGA layer) but have that access blocked if they are signing in from an unmanaged device in an unrecognized location (conditional access layer). Neither layer alone is sufficient.


Implementation: Where to Start

  1. Audit your current authentication landscape: Identify which apps use modern authentication and which still rely on legacy protocols.
  2. Block legacy authentication first: This single policy eliminates a disproportionate share of credential-based attacks with minimal user friction.
  3. Require MFA for all administrators: Privileged accounts are the highest-value target. Start here before rolling out broader MFA.
  4. Use report-only mode: Test every new policy in report-only before enforcement. Review logs for unexpected matches in user populations.
  5. Define named locations: Document and configure trusted IP ranges so location-based policies are accurate.
  6. Layer by persona: Build a policy hierarchy: administrators → sensitive app users → standard staff → guests/contractors.
  7. Exclude break-glass accounts: Maintain at least one emergency access account that is excluded from all conditional access policies.

Common Mistakes in Conditional Access Deployments

Over-relying on MFA alone: Requiring MFA without any location, device, or risk signals is a weaker posture than true conditional access.

Skipping report-only testing: Policies that match unexpected user groups cause lockouts that disrupt operations and erode trust in the security team.

No break-glass account: If all admin accounts are subject to a misconfigured policy, recovery requires Microsoft Support involvement and significant downtime.

Treating conditional access as a one-time configuration: User populations, applications, and risk signals change. Conditional access policies require regular review, typically during access certification cycles managed through an identity governance platform.

Frequently Asked Questions

It is a security system that checks more than just your password before granting access. It evaluates where you are, what device you are on, and whether your behavior looks normal, then decides whether to let you in, ask for more verification, or block you entirely.

MFA is a specific security control that requires a second factor. Conditional access is the policy engine that decides when MFA, or any other control, is required. Conditional access can require MFA in some scenarios and allow access without it in others, based on risk signals.

Yes. Conditional access is one of the primary mechanisms for implementing Zero Trust, the security model based on "never trust, always verify." It replaces the assumption that users on a trusted network are safe with continuous, context-based verification.

Conditional access requires an Entra ID P1 license, which is included in Microsoft 365 E3/E5 and Business Premium plans. Advanced risk-based policies require Entra ID P2 for identity protection integration.

For application access, yes, conditional access combined with modern app proxies can grant secure, context-aware access to applications without requiring a VPN connection. It does not replace VPNs for network-level access to infrastructure.

Identity governance (IGA) controls who is entitled to access. Conditional access controls whether that access is granted at the moment of sign-in, based on real-time risk signals. Both layers are required for a complete identity security program.


Conditional access is the enforcement layer that makes Zero Trust real. Entitlements set by an identity governance platform mean nothing if a compromised session can bypass them — conditional access is what ensures every sign-in is evaluated, not just the first one.