Intermediate

Conditional Access Policies

Conditional Access is the policy engine at the heart of Entra ID security -- it evaluates every sign-in against a set of conditions and decides whether to allow, block, or require additional verification.

Conditional Access is Entra ID's way of making risk-aware decisions about who gets access and under what conditions. Instead of a simple "password correct = access granted" model, it evaluates several signals at sign-in: who is trying to sign in, which application they are requesting, what device and client application they are using, where they are coming from, and how risky the sign-in looks. Based on these conditions, a policy grants access, blocks it, or requires additional controls such as multi-factor authentication or a compliant (managed) device. A policy either blocks or requires controls, never both, so the usual pattern is layered policies. For example, one policy might say "if a user signs in from outside the corporate network, require MFA," and a second might say "for the finance application, also require a compliant device." A user on an unmanaged device outside the network is then prompted for MFA for ordinary applications but cannot reach the finance application at all. This gives organizations granular control over access without making every login equally burdensome.

Imagine an airport security checkpoint that adapts based on risk. A trusted traveler (managed device, familiar location) with a valid passport (strong credentials) walks through the fast lane. A traveler from a high-risk country (unfamiliar IP, unmanaged device) gets extra screening (MFA challenge). Someone with a flagged passport (leaked credentials) is denied boarding entirely. Conditional Access works the same way: every sign-in is evaluated against conditions (user, device, location, risk level) and the appropriate control is enforced automatically.

Key Takeaways

  1. Conditional Access evaluates every sign-in against conditions (user, device, location, risk) and applies controls.
  2. Blocking legacy authentication (Basic-auth protocols such as SMTP AUTH, IMAP and POP3) is critical: these clients cannot complete an MFA prompt, so a policy scoped only to browsers and modern apps leaves them unprotected. Block them explicitly with a policy that targets the "Exchange ActiveSync" and "Other clients" client app types.
  3. Continuous Access Evaluation (CAE) extends policy enforcement beyond initial token issuance: participating resources (Exchange Online, SharePoint Online, Teams, Microsoft Graph) receive critical events such as account disablement, password change or admin-initiated session revocation, and can enforce location changes, instead of honoring a token until it expires.
  4. Token theft bypasses Conditional Access because the policy was satisfied at sign-in time; whoever replays the issued access or refresh token (or browser session cookie) inherits that decision. Compensating controls are CAE with strict location enforcement, a shorter sign-in frequency for sensitive apps, and token protection (binding the session to the device) where the client supports it.
  5. Use the "What If" tool to identify policy gaps before attackers find them.
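The evaluation described above and the "What If" sweep of takeaway 5 can be reasoned about with a small model. The following is an added example written for this page, not Microsoft's engine and not code from the page's sources: the policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions.users, conditions.applications, conditions.clientAppTypes, conditions.locations, grantControls), but only the conditions and grant controls used here are modelled, named locations are plain strings rather than location IDs, and every user, application and sign-in is constructed. It shows how applicable policies combine (any Block wins; otherwise all required controls must be satisfiable), why an "MFA for all users" policy that does not target the "other" client app type leaves Basic-auth IMAP unchallenged, and how a deliberate exclusion such as a break-glass account surfaces in a gap sweep.

```python
"""Simplified model of Entra ID Conditional Access evaluation with a
"What If"-style gap sweep. Illustration only: policies mimic the Microsoft
Graph conditionalAccessPolicy shape; locations, users, apps are constructed."""
from dataclasses import dataclass

# Client app types that can complete an interactive MFA prompt. "other"
# (Basic-auth SMTP/IMAP/POP3) and "exchangeActiveSync" cannot.
MFA_CAPABLE = {"browser", "mobileAppsAndDesktopClients"}


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    client_app_type: str   # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    location: str          # named location (assumed string), e.g. "corp-hq" or "internet"
    device_compliant: bool


def _selected(selector, value, wildcard="All"):
    return wildcard in selector or value in selector


def applies(policy, s):
    """True when every configured condition of an enabled policy matches the sign-in."""
    if policy["state"] != "enabled":
        return False
    c = policy["conditions"]
    users = c["users"]
    if not _selected(users.get("includeUsers", []), s.user) or s.user in users.get("excludeUsers", []):
        return False
    if not _selected(c["applications"].get("includeApplications", []), s.app):
        return False
    if not _selected(c.get("clientAppTypes", ["all"]), s.client_app_type, wildcard="all"):
        return False
    loc = c.get("locations")
    if loc and (not _selected(loc.get("includeLocations", []), s.location)
                or s.location in loc.get("excludeLocations", [])):
        return False
    return True


def can_satisfy(control, s):
    if control == "mfa":
        return s.client_app_type in MFA_CAPABLE
    if control == "compliantDevice":
        return s.device_compliant
    return False  # unmodelled control: treated as unsatisfiable


def evaluate(policies, s):
    """Combine every applicable policy: an explicit Block wins outright; otherwise the
    user must satisfy the grant controls of all of them (a policy's operator decides
    whether it needs one of its controls or all of them)."""
    matched, controls = [], set()
    for p in policies:
        if not applies(p, s):
            continue
        matched.append(p["displayName"])
        grant = p["grantControls"]
        wanted = grant["builtInControls"]
        if "block" in wanted:
            return {"decision": "block", "controls": [], "policies": matched}
        ok = [c for c in wanted if can_satisfy(c, s)]
        needs_all = grant.get("operator", "OR") == "AND"
        if (needs_all and len(ok) != len(wanted)) or not ok:
            # e.g. a compliant device demanded of an unmanaged one, or MFA of an IMAP client
            return {"decision": "deny", "controls": wanted, "policies": matched}
        controls.update(ok if needs_all else ok[:1])
    return {"decision": "grant", "controls": sorted(controls), "policies": matched}


def find_gaps(policies, signins):
    """'What If' sweep: sign-ins that would be granted with no control at all."""
    return [s for s in signins
            if evaluate(policies, s)["decision"] == "grant" and not evaluate(policies, s)["controls"]]


# Constructed policy set.
REQUIRE_MFA = {
    "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],  # "other" left out: the gap
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
COMPLIANT_DEVICE_FOR_FINANCE = {
    "displayName": "Finance app off-network: require compliant device", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["finance-app"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["corp-hq"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}
BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy authentication", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sign-ins for the sweep.
IMAP_FROM_HOME = SignIn("alice@contoso.example", "Office 365 Exchange Online", "other", "internet", False)
FINANCE_UNMANAGED = SignIn("alice@contoso.example", "finance-app", "browser", "internet", False)
FINANCE_MANAGED = SignIn("alice@contoso.example", "finance-app", "browser", "internet", True)
BREAKGLASS = SignIn("breakglass@contoso.example", "Office 365 Exchange Online", "browser", "internet", False)
SIGNINS = [IMAP_FROM_HOME, FINANCE_UNMANAGED, FINANCE_MANAGED, BREAKGLASS]

if __name__ == "__main__":
    before = [REQUIRE_MFA, COMPLIANT_DEVICE_FOR_FINANCE]
    after = before + [BLOCK_LEGACY_AUTH]
    for s in SIGNINS:
        print(s.client_app_type, s.app, "->", evaluate(after, s))
    print("gaps before:", [(g.user, g.client_app_type) for g in find_gaps(before, SIGNINS)])
    print("gaps after: ", [(g.user, g.client_app_type) for g in find_gaps(after, SIGNINS)])
```

Without the block policy the IMAP sign-in matches nothing and is granted with no control; adding it turns that into a block. The break-glass account still appears in the sweep after the fix, which is the point of running one: every exclusion is a gap someone has to consciously accept and monitor.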
Why Should I Care?

Conditional Access is the single most important security control in Entra ID. A well-configured policy set stops the bulk of commodity cloud identity attacks (password spray, replay of phished passwords, Basic-auth protocol logins), while gaps in coverage, such as an excluded group, a client app type that no policy targets, or an application left out of scope, are the first thing attackers look for.
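Takeaways 3 and 4 above describe a gap that no sign-in policy closes: a token issued after a successful evaluation is accepted by the resource until it expires, whoever presents it. The following added example models that behaviour and what Continuous Access Evaluation changes at the resource side. It is illustration code written for this page, not Microsoft's implementation: the `cae` and `allowed_ips` fields are hypothetical stand-ins for the real token claims, the resource's critical-event feed is a plain set, and all addresses, subjects and timestamps are constructed. It shows a token stolen from a corporate device and replayed from an attacker address, and a token used after the account was disabled, under a plain bearer token versus a CAE token with and without strict location enforcement.

```python
"""Simplified model of bearer-token replay versus Continuous Access Evaluation.
Illustration only: 'cae' / 'allowed_ips' are hypothetical claim names, and the
critical-event feed, addresses and times are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    sub: str
    exp: int            # expiry, seconds since epoch (constructed)
    cae: bool           # issued to a CAE-capable client and resource
    allowed_ips: tuple  # CIDR ranges the Conditional Access location condition allowed


def in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


class Resource:
    """A resource server (mail, files) validating incoming tokens."""

    def __init__(self, strict_location=False):
        self.strict_location = strict_location
        self.revoked = set()  # subjects named in critical events pushed by the identity provider

    def critical_event(self, sub):
        """Account disabled, password changed, or sessions revoked by an admin."""
        self.revoked.add(sub)

    def authorize(self, token, client_ip, now):
        if now >= token.exp:
            return "reject: expired"
        if not token.cae:
            return "accept"  # plain bearer token: nothing but the expiry is checked
        if token.sub in self.revoked:
            return "reject: critical event"
        if self.strict_location and not in_ranges(client_ip, token.allowed_ips):
            return "reject: outside allowed location"  # real CAE answers with a claims challenge
        return "accept"


# Constructed scenario: token issued at sign-in from the corporate range.
CORP = ("203.0.113.0/24",)
CORP_DEVICE_IP = "203.0.113.10"
ATTACKER_IP = "198.51.100.7"
ISSUED_AT = 1_700_000_000
LEGACY = Token("alice@contoso.example", ISSUED_AT + 3600, cae=False, allowed_ips=CORP)
CAE_TOKEN = Token("alice@contoso.example", ISSUED_AT + 3600, cae=True, allowed_ips=CORP)


def replay_after_theft(token, strict_location):
    """Attacker replays a token stolen from the corporate device ten minutes later."""
    return Resource(strict_location).authorize(token, ATTACKER_IP, ISSUED_AT + 600)


def use_after_disable(token):
    """User is disabled ten minutes in; only a CAE resource learns of it before expiry."""
    r = Resource()
    r.critical_event(token.sub)
    return r.authorize(token, CORP_DEVICE_IP, ISSUED_AT + 600)


if __name__ == "__main__":
    print("plain token, replayed by attacker:      ", replay_after_theft(LEGACY, True))
    print("CAE token, replayed, no strict location:", replay_after_theft(CAE_TOKEN, False))
    print("CAE token, replayed, strict location:   ", replay_after_theft(CAE_TOKEN, True))
    print("plain token after account disabled:     ", use_after_disable(LEGACY))
    print("CAE token after account disabled:       ", use_after_disable(CAE_TOKEN))
```

The plain token is accepted in both attack cases because the resource has nothing to check but the expiry. A CAE token is rejected once the disablement event arrives, but the replay from the attacker address is only caught when the resource enforces the location the sign-in policy allowed, which is why strict location enforcement is listed as a compensating control for token theft.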

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.