What is Conditional Access and how does it work?

Conditional access is a crucial component of Microsoft’s ‘Zero Trust’ security model. It is a set of policies and configurations that control which devices and users can access assorted services and data sources. In the Microsoft environment, conditional access works with the Microsoft 365 (formerly Office 365) suite of products, as well as with SaaS apps that are configured in Microsoft Entra ID.

Why do we need conditional access?

As computing shifts to a more cloud-centric model, managing access to an organization’s essential documents and data becomes increasingly challenging. The objective is to enable users to maintain productivity regardless of when and where they gain access to files while concurrently safeguarding the organization’s assets by implementing appropriate security controls. In the traditional on-premises approach, IT teams kept content behind the corporate firewall with regulations based on which users had access to the network, with all computers on the network being company-owned and company-controlled. In the cloud model, devices may be owned by the company, the user, or a third party (for example, vendors and partners).

How conditional access works

Conditional access relies on signals from various sources about users to inform the system about the state and trustworthiness of the device or the user of the device before gaining access to the data.

Many factors about the user/ device will be considered including:

User or group membership: Policies can target specific users or groups.
IP Location information: Trusted IP address ranges can be used for policy decisions.
Device; Specific platforms or device states can influence access.
Application: Different applications can trigger distinct Conditional Access policies.
Risk detection: Integration with Microsoft Entra ID Protection identifies and mitigates risky user behaviour.
Microsoft Defender for Cloud Apps: Monitors and controls user application access in real-time.

The user or device will either have access blocked (the most restrictive decision) or have access granted (a less restrictive decision) that can require the addition of multifactor authentication).

Mobile devices (iOS, Android, Windows) must be enrolled in Intune, which provides security policy settings and verifies that the device is not rooted or jailbroken. Windows PCs can be either Microsoft Entra joined, or hybrid joined devices and need to be linked to the enterprise AD Domain, where policies and governance are enforced.

If a user’s device is not compliant with these policies, conditional access will guide the user on how to get the device into compliance so access to requested data may be enabled. This guidance is meant to enable the user to self-serve their enrollment so no help-desk call or IT intervention is required.

Conditional Access policies are enforced after first-factor authentication

It’s not the first line of defence for scenarios like denial-of-service attacks, but it uses signals from such events to determine access. Administrators can manage policies in the Microsoft Entra admin centre under Protection > Conditional Access.

Remember, conditional access ensures that the right people have access to the right resources under the right conditions.