Can run on a workstation or server and is at the heart of all business applications.

Skip to main content

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

What is Conditional Access?

• Article
• 08/15/2022
• 2 minutes to read

In this article

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions.

Conditional Access brings signals together, to make decisions, and enforce organizational policies. Azure AD Conditional Access is at the heart of the new identity-driven control plane.

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it.

Administrators are faced with two primary goals:

• Empower users to be productive wherever and whenever
• Protect the organization's assets

Use Conditional Access policies to apply the right access controls when needed to keep your organization secure.

Important

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Common signals

Common signals that Conditional Access can take in to account when making a policy decision include the following signals:

• User or group membership
  • Policies can be targeted to specific users and groups giving administrators fine-grained control over access.
• IP Location information
  • Organizations can create trusted IP address ranges that can be used when making policy decisions.
  • Administrators can specify entire countries/regions IP ranges to block or allow traffic from.
• Device
  • Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies.
  • Use filters for devices to target policies to specific devices like privileged access workstations.
• Application
  • Users attempting to access specific applications can trigger different Conditional Access policies.
• Real-time and calculated risk detection
  • Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.
• Microsoft Defender for Cloud Apps
  • Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.

Common decisions

• Block access
  • Most restrictive decision
• Grant access
  • Least restrictive decision, can still require one or more of the following options:
    • Require multi-factor authentication
    • Require device to be marked as compliant
    • Require Hybrid Azure AD joined device
    • Require approved client app
    • Require app protection policy (preview)

Commonly applied policies

Many organizations have common access concerns that Conditional Access policies can help with such as:

• Requiring multi-factor authentication for users with administrative roles
• Requiring multi-factor authentication for Azure management tasks
• Blocking sign-ins for users attempting to use legacy authentication protocols
• Requiring trusted locations for Azure AD Multi-Factor Authentication registration
• Blocking or granting access from specific locations
• Blocking risky sign-in behaviors
• Requiring organization-managed devices for specific applications

License requirements

Using this feature requires Azure AD Premium P1 licenses. To find the right license for your requirements, see Compare generally available features of Azure AD.

Customers with Microsoft 365 Business Premium licenses also have access to Conditional Access features.

Risk-based policies require access to Identity Protection, which is an Azure AD P2 feature.

Other products and features that may interact with Conditional Access policies require appropriate licensing for those products and features.

Next steps

• Building a Conditional Access policy piece by piece
• Plan your Conditional Access deployment
• Learn about Identity Protection
• Learn about Microsoft Defender for Cloud Apps
• Learn about Microsoft Intune