Identity

Conditional Access

A policy framework in Microsoft Entra ID (and similar capabilities in other identity providers) that evaluates signals about a sign-in attempt and applies access controls accordingly.

Conditional Access policies evaluate multiple signals — user identity, group membership, device compliance, location, sign-in risk, application sensitivity — and apply controls such as requiring MFA, requiring a compliant device, blocking access entirely, or requiring password change.

Conditional Access is the primary policy enforcement mechanism in Microsoft Zero Trust architectures. Common policies include:

  • Block legacy authentication protocols (eliminates basic auth attack surface)
  • Require MFA for all users (universal MFA enforcement)
  • Require compliant device for sensitive applications
  • Require Entra ID Privileged Identity Management for administrative roles
  • Block sign-ins from outside operational geographies
  • Require password change on high-risk sign-ins

Equivalent capabilities exist in Okta (Adaptive MFA, Policy Engine), Google Workspace (Context-Aware Access), and Auth0 (Actions). Conditional Access is included in Entra ID P1 and above.

← Back to Glossary