Michael has been an IT Pro since 1998. He has worked predominantly in the Windows world including client and server operating systems, on-prem systems engineering (AD, DNS, etc.), and over the last ten years or so has embraced and immersed himself in...
Conditional Access is a security feature that allows organizations to control access to corporate resources based on certain conditions. Common reasons for using it include enforcing multifactor authentication (MFA), requiring stronger authentication methods at sign-in, and more. Learn more about how to use Entra ID Conditional Access to protect your data and devices.
Entra ID Conditional Access is a core security feature of Microsoft Entra ID (formerly Azure AD). It focuses on access control for applications and identities in Microsoft 365 cloud services.
Think of it as a security policy engine that analyzes various signals and attributes of incoming authentication and authorization requests and enforces organizational policies to either grant access or deny access to resources based on those criteria. The scope of settings, conditions, and criteria when setting up these policies affords you the ability to craft one that meets your security and compliance needs.
The main reason we need these policies is the quickly evolving security landscape and the fact that traditional access control methods are becoming less robust. The strongest case for why companies need it is the enforcement of multifactor authentication (MFA). CA adds an extra layer of protection by going beyond passwords and mitigating risks like unauthorized access or compromised devices in your organization.
Other reasons include compliance requirements, cybersecurity insurance requirements, Zero Trust security models becoming more prevalent (more on that shortly), and, on a ‘positive’ note, an enhanced end-user experience. IT Pros and admins can configure users on approved network subnets to NOT have to use MFA. A ‘trusted location’, if you will.
Conditional Access aligns with the core principles of Microsoft’s Zero Trust security model. In that model, trust is never assumed, and every access attempt is verified.
Here are some high-level bullet points of how CA supports this evolving model.
Entra ID Conditional Access policies in Microsoft Entra ID allow organizations to control access to specific applications and resources based on specific criteria surrounding the logins – device, time of day, location, etc. IT Pros and admins can create multiple policies to accommodate the nuances and unique circumstances surrounding their infrastructure, where their users log in from, and how they log in.
Based on established controls, policies dictate if a user is granted or blocked from accessing a specific application or service. At their core, they work like if-then statements. If a user wants to access an application like Word Online from an unknown or untrusted location, they will need to use multifactor authentication (MFA) to gain access. If perhaps they are logging in from one of your corporate offices, the MFA prompt will be deemed unnecessary.
There are several common signals (or criteria) used with Entra ID Conditional Access policies. These include:
Essentially, the only decisions you consider are granting access or blocking access. There are nuances of course, but the granularity allows you to create multiple policies for applications.
For instance, when granting access, you put additional requirements on the authorization attempt – Require MFA, require authentication strength (passwords), require an approved client app, or require terms of use, among others.
When you design and implement your Entra ID Conditional Access strategy, you should follow some common policies. Let me give you a list.
I want to mention a recent feature update Microsoft announced – a new re-authentication policy labeled as ‘Sign-in frequency – every time’. This allows organizations to force users to perform a new authentication each time they access specified applications and/or specific login types.
Let me give you a brief overview of how to find Entra ID Conditional Access in the Microsoft Entra ID portal and the basic setup.
Want to save some time and get a head start? You can click the ‘+ New policy from template’ button to create policies from pre-configured templates Microsoft has graciously created for companies. Various categories of policies include Zero Trust, Remote work, Protect administrator, and Emerging threats.
I will likely create another ‘how-to’ post going into greater detail here to highlight common policies, the various configuration changes you can make, and the various controls and criteria I’ve discussed in this post to put into testing and production.
The main licensing requirement for using Entra ID Conditional Access is Microsoft Entra ID P1 licenses (or P2). Customers on Microsoft 365 Business Premium also have access to CA. If you want to use risk-based policies, you will need Identity Protection, which needs P2 licenses.
Microsoft Entra ID P1 licenses are $6/month and P2 licenses cost $9/month. You can review this Microsoft website to learn more about pricing.
One interesting note – when licenses required for Conditional Access expire, your policies aren’t disabled. Policies continue to operate, but you are unable to update any of them.
Entra ID Conditional Access comes into its own when used with Microsoft Intune. While the ability to control where users can log in from and the apps they use is welcome, the real power is in ensuring that devices are compliant with Intune policies.
You might not want users logging in from China if you know that’s not a location where employees are based or travel to, but it’s even better if you can determine exactly which devices are being used to access corporate resources and whether they are secure. In a Bring-Your-Own-Device (BYOD) scenario, using Intune and Microsoft Entra ID Conditional Access together is the best way to secure access to your organization’s data.
In today’s ever-changing security and threat landscape, Entra ID Conditional Access stands as a very important tool for enterprises and companies of many sizes to help secure their ever-evolving work landscape. With more workers being geographically diverse and remote, it is essential to validate that your users are who they say they are. This security infrastructure, part of Microsoft’s Zero Trust security model, aims to do just that.
If you have any questions or comments, please feel free to leave a comment below. Thank you for reading.
Microsoft Entra ID conditional access typically adds minimal latency (less than 1 second) to authentication requests. The system is designed to evaluate policies in parallel, ensuring quick access decisions while maintaining security. However, complex policies with multiple conditions may slightly increase processing time.
Yes, Microsoft Entra ID conditional access can protect on-premises applications when using Azure AD Application Proxy or similar hybrid identity solutions. This enables organizations to extend conditional access controls to legacy applications while maintaining consistent security policies.
Emergency access scenarios in Microsoft Entra ID conditional access can be managed through break-glass accounts and policy exclusions. Organizations can create specific emergency access accounts that bypass conditional access policies during critical situations while maintaining detailed audit logs.
When multiple Microsoft Entra ID conditional access policies apply to the same user or resource, all policies are evaluated and must be satisfied for access to be granted. If policies conflict, the most restrictive policy takes precedence to ensure maximum security.
Yes, Microsoft Entra ID conditional access includes a “What If” tool and report-only mode for policy testing. These features allow administrators to simulate policy impacts and monitor potential effects before enforcing them in production environments.
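To make the if-then behaviour described earlier concrete (MFA outside a trusted location, none from the corporate office), along with break-glass exclusions, how several matching policies combine, and how report-only policies are evaluated without being enforced, here is a small evaluator written for this article as an added example; it is not Microsoft code. Policies use the field names of the Microsoft Graph conditionalAccessPolicy resource, but the users, apps, named locations and the simplified evaluation logic are all constructed here.

```python
"""Toy evaluator for Entra ID Conditional Access decisions (added example, not Microsoft code).
Policies follow the Graph conditionalAccessPolicy shape (conditions / grantControls / state),
trimmed to the fields used. Sample users, apps and named locations are all constructed."""

def _in_scope(value, include, exclude=()):
    # CA scope semantics: an exclusion always wins, "All" matches everything else.
    return value not in exclude and ("All" in include or value in include)

def matches(policy: dict, signin: dict) -> bool:
    """True when the sign-in falls inside the policy's user, app and location conditions."""
    c = policy["conditions"]
    u, a = c["users"], c["applications"]
    loc = c.get("locations", {"includeLocations": ["All"]})
    return (_in_scope(signin["user"], u["includeUsers"], u.get("excludeUsers", ()))
            and _in_scope(signin["app"], a["includeApplications"])
            and _in_scope(signin["location"], loc["includeLocations"], loc.get("excludeLocations", ())))

def evaluate(policies: list, signin: dict) -> dict:
    """Every enabled matching policy applies: a 'block' from any one wins, otherwise the
    grant controls of all of them are combined. Report-only policies are only recorded."""
    result = {"decision": "grant", "controls": set(), "report_only": []}
    for p in policies:
        if p["state"] == "disabled" or not matches(p, signin):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            result["report_only"].append(p["displayName"])  # what report-only mode would show
            continue
        controls = set(p["grantControls"]["builtInControls"])
        if "block" in controls:
            result["decision"] = "block"
        result["controls"] |= controls - {"block"}
    if result["decision"] == "block":
        result["controls"] = set()  # nothing left to satisfy once blocked
    return result

ALL_USERS, ALL_APPS = {"includeUsers": ["All"]}, {"includeApplications": ["All"]}
POLICIES = [  # constructed sample policies
    {"displayName": "Require MFA outside trusted locations", "state": "enabled",
     "conditions": {"users": ALL_USERS, "applications": ALL_APPS,
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["HQ-Office"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block disallowed countries", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.com"]},
                    "applications": ALL_APPS, "locations": {"includeLocations": ["Disallowed-Countries"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device for Exchange", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": ALL_USERS, "applications": {"includeApplications": ["Exchange Online"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
```

Calling `evaluate(POLICIES, {"user": "alice@example.com", "app": "Word Online", "location": "Unknown"})` requires MFA, the same sign-in from "HQ-Office" requires nothing extra, and a sign-in from "Disallowed-Countries" is blocked while the report-only device policy is merely recorded.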