eastbaycyber

Conditional Access in Microsoft 365: Definition, How It Works, and When You’ll See It

Glossary 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Conditional Access in Microsoft 365 is a Microsoft Entra ID feature that applies if/then rules to sign-ins: if conditions match (who/what/where/risk), then enforce controls like MFA, device compliance, or block access. It’s a core control for Zero Trust because it turns identity signals into real-time access decisions.

Microsoft 365 Conditional Access (in Microsoft Entra ID, formerly Azure AD) is one of the most practical ways organizations control sign-ins beyond “just a password.” It evaluates context—like user, device, location, and sign-in risk—and then enforces actions such as requiring MFA, requiring a compliant device, limiting sessions, or blocking access.

How it works

At a practical level, Conditional Access sits in the authentication/authorization flow between a user and a cloud app (like Exchange Online, SharePoint, Teams, or a third-party SaaS using Entra ID). When a sign-in occurs, Entra ID evaluates the request against your configured policies and decides what the user must do—or whether they’re denied.

1) Policy inputs (signals)

Conditional Access evaluates a combination of signals. Common ones include:

  • User or group: Target everyone, admins, VIPs, contractors, or specific groups.
  • Cloud apps / actions: Microsoft 365 apps, Azure management, or user actions like registering security info.
  • Device platform: Windows, macOS, iOS, Android, Linux (varies by scenario).
  • Device state:
  • Compliant device (typically via Intune compliance policies)
  • Hybrid Azure AD joined / Entra joined state
  • App protection status (MAM) for unmanaged devices
  • Network/location:
  • Named locations (trusted IP ranges, countries/regions)
  • “Sign-in from unknown location” patterns
  • Client app:
  • Browser vs. modern authentication clients
  • Legacy authentication (basic auth) clients
  • Risk signals (when using Microsoft Entra ID Protection / risk-based controls):
  • User risk (likelihood the account is compromised)
  • Sign-in risk (likelihood the sign-in is malicious)

These signals are evaluated per sign-in. The same user can be allowed silently from a managed laptop in a trusted location, but required to do MFA (or blocked) when traveling or using an unmanaged device.

2) Policy outputs (controls)

When conditions match, Conditional Access can enforce one or more controls:

  • Grant controls:
  • Require multi-factor authentication (MFA)
  • Require password change (in some risk scenarios)
  • Require compliant device
  • Require approved client app (e.g., only Outlook mobile)
  • Require app protection policy (MAM) for mobile
  • Block access
  • Session controls:
  • Sign-in frequency (force reauthentication)
  • Persistent browser session settings
  • Continuous Access Evaluation (CAE)-related behaviors (where supported)
  • Conditional Access App Control (integration with Defender for Cloud Apps) for controls like blocking downloads in browser sessions

Controls stack based on your configuration—e.g., “Require MFA” and “Require compliant device” for Exchange Online.

3) Policy evaluation order (what actually happens)

Multiple policies can apply to a single sign-in. Important behaviors:

  • If any matched policy results in Block, the sign-in is blocked.
  • Otherwise, grant requirements combine—the user must satisfy all required controls (e.g., MFA + compliant device).
  • Exclusions matter. A single bad exclusion (like excluding “All Users” from an MFA policy) can create a security gap; a missing exclusion (like forgetting emergency access accounts) can cause lockouts.

4) The real-world flow (step-by-step)

  1. User signs in to a Microsoft 365 app (browser or client).
  2. Entra ID authenticates primary credentials.
  3. Conditional Access evaluates: - Who is it? - What app is being accessed? - From where and on what device? - Is there elevated risk?
  4. Entra ID enforces the policy outcome: - Allow silently, or - Prompt for MFA, or - Require device compliance/app protection, or - Block.
  5. User gains (or is denied) access, and the result is logged in Sign-in logs and Conditional Access insights.

Technical Notes: Where to configure it

Conditional Access policies are managed in the Microsoft Entra admin center:

  • Microsoft Entra admin centerProtectionConditional Access

Technical Notes: Troubleshooting with Sign-in logs

The fastest way to diagnose a “why am I being prompted/blocked?” issue is to inspect the Entra ID sign-in logs and the Conditional Access tab.

You can also query sign-in activity with Microsoft Graph (example uses Graph PowerShell patterns; adapt to your environment):

# Requires Microsoft Graph PowerShell SDK
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Pull recent sign-ins for a user (example filter; adjust UPN and time window)
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@contoso.com'" -Top 20 |
  Select-Object CreatedDateTime, AppDisplayName, IpAddress, ClientAppUsed, ConditionalAccessStatus

What to look for in the event details:

  • Conditional Access Status: success / failure / notApplied
  • Applied Conditional Access Policies: policy name + result (success/failure/notApplied)
  • Failure reason: e.g., “MFA required”, “Device not compliant”, “Blocked by policy”
  • Client app: “Browser”, “Mobile Apps and Desktop clients”, “Legacy authentication clients”

Technical Notes: Common log pattern—legacy authentication blocked

When blocking legacy authentication, you often see client types associated with basic auth attempts. In sign-ins, look for Client app indicating legacy protocols and a CA policy that blocks them.

Example policy intent:

IF: Client apps = "Other clients" (legacy)
AND: Users = All users (exclude break-glass)
THEN: Block access

When you’ll encounter it

You’ll run into Conditional Access any time an organization is controlling Microsoft 365 access beyond “just a password.” Common scenarios:

1) MFA prompts that vary by context

Users often ask: “Why do I get MFA sometimes but not always?” Conditional Access commonly enforces MFA based on: - Accessing from a new location or untrusted network - Using a new device - Higher sign-in risk - Accessing sensitive apps (like SharePoint/OneDrive where data exfiltration risk is higher)

2) “You can’t get there from here” blocks

Typical blocks include: - Access from embargoed or high-risk countries/regions (named locations) - Sign-ins flagged as high risk by identity protection - Attempts to use legacy authentication - Access from unmanaged devices where policy requires compliance

3) Device compliance requirements (Intune-driven)

A frequent helpdesk ticket looks like: - “My email works on my phone but not on my laptop.”

If the policy requires a compliant or joined device, unmanaged endpoints will be denied or forced into a limited experience.

4) Browser restrictions and download controls

Organizations that allow browser access but want to reduce data leakage may: - Require “approved app” for full access (Outlook/Teams) - Use session controls to block downloads or enforce web-only access on unmanaged devices (often via Defender for Cloud Apps integration)

5) Admin and high-privilege protection

Admins are typically targeted with stricter Conditional Access such as: - MFA every sign-in (or shorter sign-in frequency) - Require compliant device - Require trusted locations for admin portals

This is a practical way to reduce the blast radius of credential theft. If you’re building these policies, also plan for operational hygiene (documentation, drills, and stakeholder readiness), similar to how teams prepare with a tabletop exercise.

6) During incident response

Conditional Access becomes a rapid containment tool: - Block all sign-ins except from trusted locations - Require password reset/MFA re-registration (careful with impact) - Enforce compliant devices only

Used correctly, it can slow attacker movement while you remediate. In parallel, ensure you’re tracking root cause and mapping prevention work to known weakness classes (see what CWE is and why it matters).

Technical Notes: Safer rollout pattern (avoid lockouts)

A common operational approach:

  1. Start with Report-only mode to see impact.
  2. Exclude emergency access (“break-glass”) accounts from CA policies.
  3. Roll out to a pilot group, then expand.
  4. Monitor sign-in logs and user feedback.
  5. Move policies from report-only to On once validated.

Example checklist snippet:

- [ ] At least 2 emergency access accounts, excluded from CA, monitored
- [ ] Report-only validation for 7–14 days
- [ ] Legacy authentication blocked (after confirming no dependencies)
- [ ] MFA enforced for all users + stronger controls for admins
- [ ] Device compliance required for high-risk apps/data

Practical tooling you may use alongside Conditional Access

Conditional Access is about identity-based control, but end users still need secure authentication and safe remote access patterns—especially when traveling or on untrusted networks.

  • Password manager / passkey support: A strong enterprise approach is Entra ID MFA plus a password manager that supports passkeys and strong vault hygiene. Consider 1Password for users and admins where it fits your program: Try 1Password →.
  • VPN for untrusted networks: A VPN doesn’t replace Conditional Access, but it can reduce exposure on hostile Wi‑Fi and simplify “trusted network” expectations for specific workflows. Options include NordVPN: Check NordVPN pricing → or Surfshark: Try Proton VPN →.
  • Malware protection: Device compromise undermines “trusted session” assumptions. If you need an additional endpoint layer for certain user groups, Malwarebytes can be an option: Get Malwarebytes →.

Related terms

Microsoft Entra ID

Identity provider for Microsoft 365; Conditional Access is configured here.

Azure AD

Former name for Entra ID; you’ll still see it in older documentation and tooling.

MFA (Multi-Factor Authentication)

A common Conditional Access grant control; can be enforced per app, user group, or context.

Zero Trust

Security model centered on continuous verification; Conditional Access is a primary enforcement mechanism for identity-based access.

Identity Protection / Risk-based access

Uses risk detections (sign-in risk, user risk) to drive Conditional Access decisions.

Intune compliance

Device compliance posture (encryption, PIN, OS version, etc.) used as a Conditional Access condition.

CAE (Continuous Access Evaluation)

Reduces reliance on token lifetime alone by enabling near real-time enforcement for certain events and apps.

Named locations

Admin-defined trusted or restricted IP ranges/countries used in Conditional Access conditions.

Legacy authentication (Basic Auth)

Older protocols that bypass modern controls; commonly blocked with Conditional Access.

Break-glass (emergency access) accounts

Highly secured accounts excluded from Conditional Access to prevent tenant lockout (must be monitored and protected separately).

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.