Conditional access is a set of policies, evaluated at sign-in, that decide whether a given device (and the user on it) may reach a service or data source. In the Microsoft environment, conditional access is a feature of Azure Active Directory: it applies to the Office 365 suite of products as well as to SaaS apps that are registered in Azure Active Directory.
Why do we need conditional access?
With the shift to a cloud-centric computing model, it has become difficult to control access to the documents and data that an enterprise depends on to run the business. Formerly, IT teams only needed to keep content behind the corporate firewall: access was governed by who could reach the network, and every computer on that network was company-owned and company-controlled. In the current model, devices may be owned by the company, the user, or a third party (think vendors and partners), and the network perimeter no longer says anything about how trustworthy a device is.
How conditional access works
Conditional access relies on device-state signals that reach Azure Active Directory from either the corporate AD domain or Microsoft Intune, and uses them to judge the trustworthiness of the device before it gains access to the data. Mobile devices (iOS, Android, Windows) must be enrolled in Intune, which pushes security policy settings and reports whether the device is compliant, including verifying that it is not rooted or jailbroken. Windows PCs are required to be joined to the enterprise AD domain (and registered with Azure AD through hybrid Azure AD join), where policies and governance are enforced. A device that is neither Intune-compliant nor domain-joined presents no trustworthy signal, so the policy denies it.
If a user's device does not satisfy these policies, conditional access blocks the request and guides the user through getting the device into compliance (typically by enrolling it in Intune) so that access to the requested data can be granted. This guidance is meant to let the user self-serve the enrollment, so no help-desk call or IT intervention is required.
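The policy described above, expressed as a Conditional Access policy created with the Microsoft Graph PowerShell SDK. This is an added example and not configuration from the original article or from Microsoft's documentation; it assumes the Microsoft.Graph module is installed, the signed-in administrator can consent to the listed scopes, and a group named "Break Glass Accounts" (a hypothetical name) holds the tenant's emergency-access accounts. The grant control uses OR so that an Intune-compliant mobile device or a hybrid Azure AD joined Windows PC satisfies it, which is exactly the two signal sources the section describes.

```powershell
# Added example, not from the original page: require an Intune-compliant or
# hybrid Azure AD joined device for the Office 365 application group.
# Assumptions: Microsoft.Graph module installed; the account can consent to
# these scopes; a group "Break Glass Accounts" (hypothetical name) exists.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Never create a device-requirement policy without an emergency-access exclusion:
# if the Intune or domain signal breaks, the break-glass accounts must still sign in.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
if (-not $breakGlass) {
    throw "Break-glass group not found; refusing to create a policy with no exclusion."
}

$policy = @{
    displayName = "Require compliant or hybrid-joined device for Office 365"
    # Report-only first: sign-in logs show which users and devices would have been
    # blocked, so the rollout can be checked before anyone loses access.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{
            # "Office365" is the built-in application group covering the Office 365 suite.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: an Intune-compliant device (mobile) or a hybrid Azure AD joined PC
        # satisfies the requirement; a device with neither signal is denied and
        # sent to the enrollment guidance the article describes.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and show the state and the controls evaluated at sign-in.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: state={1}, controls={2}" -f $check.DisplayName, $check.State,
    ($check.GrantControls.BuiltInControls -join " OR ")
```

Once the report-only sign-in logs show no unexpected blocks, switch the policy to enforcement with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`. Keeping the break-glass exclusion is not optional: a policy that requires a device signal is only as available as Intune and hybrid join are, and the exclusion is what lets an administrator fix either when it fails.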