Identity
Conditional Access
A policy framework in Microsoft Entra ID (and similar capabilities in other identity providers) that evaluates signals about a sign-in attempt and applies access controls accordingly.
Conditional Access policies evaluate multiple signals — user identity, group membership, device compliance, location, sign-in risk, application sensitivity — and apply controls such as requiring MFA, requiring a compliant device, blocking access entirely, or requiring password change.
Conditional Access is the primary policy enforcement mechanism in Microsoft Zero Trust architectures. Common policies include:
- Block legacy authentication protocols (eliminates basic auth attack surface)
- Require MFA for all users (universal MFA enforcement)
- Require compliant device for sensitive applications
- Require Entra ID Privileged Identity Management for administrative roles
- Block sign-ins from outside operational geographies
- Require password change on high-risk sign-ins
Equivalent capabilities exist in Okta (Adaptive MFA, Policy Engine), Google Workspace (Context-Aware Access), and Auth0 (Actions). Conditional Access is included in Entra ID P1 and above.