What is Conditional Access?
Conditional access refers to Microsoft’s security approach that allows organizations to enforce specific access controls based on various conditions or criteria. These conditions typically include factors such as user identity, device health, location, and the sensitivity of the accessed resources. “Conditional Access is Microsoft’s Zero Trust policy engine taking signals from various sources into account when enforcing policy decisions”.
How does Conditional Access work?
Conditional access depends on signals from various sources about users to inform the system about the state and trustworthiness of the device or the user of the device before allowing access to various kinds of data or platforms.
Access to data considers many factors about the user/device, including:
- User or group membership: Policies can target specific users or groups.
- IP location information: Trusted IP address ranges and/or countries can be used for policy decisions.
- Device: Specific platforms or device states can influence access.
- Application: Different applications can trigger distinct Conditional Access policies.
- Risk detection: Integration with Microsoft Entra ID Protection identifies and mitigates risky user behavior.
- Microsoft Defender for Cloud Apps: Monitors and controls user application access in real-time.
The outcome is one of two decisions: access is blocked (the most restrictive decision), or access is granted (a less restrictive decision), possibly with additional requirements such as multifactor authentication.
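To make the signal-to-decision flow concrete, here is an added example (not Microsoft's engine or any Microsoft code) that models the evaluation as the if-then logic described above. The policy dictionaries loosely follow the field names of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions, grantControls), but the groups "All Staff" and "Finance", the app id "finance-app", the "CorpHQ" named location and every sign-in below are constructed sample data, and the evaluation semantics are a simplification: a matched policy with a block control always wins, and otherwise the grant controls of all matched policies are collected.

```python
"""Toy Conditional Access evaluator (added example, not Microsoft's engine).

Policy shape loosely follows the Graph conditionalAccessPolicy resource; all
groups, app ids, IP ranges and sign-ins are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignIn:
    """Signals presented at authentication time (constructed)."""
    user: str
    groups: frozenset
    app: str
    ip: str
    platform: str
    device_compliant: bool
    sign_in_risk: str  # "none", "low", "medium" or "high"


# Named locations; 203.0.113.0/24 is a documentation range (TEST-NET-3).
NAMED_LOCATIONS = {"CorpHQ": [ip_network("203.0.113.0/24")]}

# Constructed policies; "All Staff" and "Finance" are hypothetical groups.
POLICIES = [
    {
        "displayName": "Block high-risk sign-ins",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["All Staff"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA outside trusted locations",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["All Staff"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["CorpHQ"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Finance app needs compliant device and MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["Finance"]},
            "applications": {"includeApplications": ["finance-app"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]},
    },
]


def _in_named_location(ip, name):
    addr = ip_address(ip)
    return any(addr in net for net in NAMED_LOCATIONS.get(name, []))


def _location_matches(ip, cond):
    """No location condition means the policy applies from anywhere."""
    if cond is None:
        return True
    include = cond.get("includeLocations", [])
    included = "All" in include or any(_in_named_location(ip, n) for n in include)
    excluded = any(_in_named_location(ip, n) for n in cond.get("excludeLocations", []))
    return included and not excluded


def policy_applies(policy, s):
    """True when every configured condition is satisfied by the sign-in signals."""
    c = policy["conditions"]
    users = c.get("users", {})
    targeted = ("All" in users.get("includeUsers", [])
                or s.user in users.get("includeUsers", [])
                or bool(s.groups & set(users.get("includeGroups", []))))
    if not targeted or s.user in users.get("excludeUsers", []):
        return False
    apps = c.get("applications", {}).get("includeApplications", [])
    if "All" not in apps and s.app not in apps:
        return False
    if not _location_matches(s.ip, c.get("locations")):
        return False
    platforms = c.get("platforms", {}).get("includePlatforms")
    if platforms and "all" not in platforms and s.platform not in platforms:
        return False
    risk = c.get("signInRiskLevels")
    return not risk or s.sign_in_risk in risk


def evaluate(s, policies=POLICIES):
    """Block wins over any grant; otherwise collect the outstanding grant controls."""
    matched = [p for p in policies if p["state"] == "enabled" and policy_applies(p, s)]
    for p in matched:
        if "block" in p["grantControls"]["builtInControls"]:
            return {"decision": "block", "policies": [p["displayName"]]}
    # Controls already met by the presented signals; MFA is always an interactive challenge.
    satisfied = {"compliantDevice"} if s.device_compliant else set()
    outstanding = set()
    for p in matched:
        gc = p["grantControls"]
        controls = set(gc["builtInControls"])
        if gc["operator"] == "OR" and controls & satisfied:
            continue  # one of the alternatives is already met
        outstanding |= controls - satisfied
    return {"decision": "grant", "required_controls": sorted(outstanding),
            "policies": [p["displayName"] for p in matched]}


if __name__ == "__main__":
    staff = frozenset({"All Staff"})
    print(evaluate(SignIn("bob", staff, "mail", "203.0.113.10", "windows", True, "none")))
    print(evaluate(SignIn("bob", staff, "mail", "198.51.100.7", "windows", True, "none")))
    print(evaluate(SignIn("bob", staff, "mail", "198.51.100.7", "windows", True, "high")))
```

Running the script shows the three outcomes the text describes: a sign-in from the trusted range with no risk matches nothing and is simply granted, the same user from an untrusted address is granted only after MFA, and a high-risk sign-in is blocked regardless of location. Note that a device signal such as compliance is treated as already satisfied or not, while MFA is always reported as an outstanding challenge.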
Where is Conditional Access found?
Conditional Access is found in the Microsoft Entra admin center under Protection > Conditional Access.
Summary
In conclusion, the internet has made the world a much smaller place. Many workers work from home, and "home" can be many places, in some cases another country. Before technologies like Conditional Access, administrators had few options for controlling access from so many different places. Now they can implement what are essentially if-then statements that control what happens when a particular identity or device presents for authentication. Conditional Access is a toolbox that helps administrators deal with these new realities.