What Is Conditional access? Security Definition
On This Page
What do you want to do?
Quick Definition
Conditional access is a way for organizations to control who can access their apps and data based on conditions like where the user is, what device they are using, or how risky the sign-in looks. Instead of just checking a password, it considers extra signals to decide whether to allow access, ask for more verification, or block the attempt. This helps keep company resources safe even if a password is stolen.
Commonly Confused With
Multi-factor authentication (MFA) is a security method that requires users to provide two or more verification factors to prove their identity. Conditional access is a policy engine that can require MFA as a grant control, but conditional access evaluates many other conditions like location and device compliance, not just whether MFA is used. MFA is one possible action that conditional access can trigger, not the whole system.
A user logging in from home is prompted for MFA because the conditional access policy requires MFA when the location is untrusted. The MFA itself is the verification step, but the policy that decided to require it is conditional access.
Microsoft Entra ID Protection is a tool that detects risks like leaked credentials or impossible travel. Conditional access can use the risk signals from Identity Protection as conditions in its policies. Identity Protection detects the risk; Conditional access acts on it. They are separate services that integrate closely.
Identity Protection flags a sign-in as high risk. The conditional access policy has a condition that if sign-in risk is high, access is blocked. The block is enforced by conditional access based on the risk signal from Identity Protection.
Role-based access control (RBAC) determines what a user can do after they are granted access to a resource, based on their role. Conditional access determines whether the user gets access to the resource at all, based on context. RBAC is about permissions; conditional access is about entry control.
A user with the 'Sales' role can read and write to the sales database (RBAC). But if the user is logging in from a personal device, a conditional access policy blocks them entirely. The user never gets to use their RBAC permissions because conditional access denied entry.
Azure AD Join and Hybrid Azure AD Join are device identity states that indicate a device is registered with the organization. Conditional access can require a device to be Azure AD Joined or compliant as a grant control. Device join is a prerequisite, not a policy itself.
A conditional access policy requires the device to be Azure AD Joined. The user's laptop is joined to Azure AD, so the condition is satisfied and access is granted. The joining of the device is separate from the policy that uses it as a condition.
Conditional access appears directly in 312exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on MS-102. Practise them →
Must Know for Exams
Conditional access is a heavily tested topic across several certification exams, especially Microsoft focused ones. In the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam, you will be asked to describe the basic components of conditional access, the difference between grant controls and session controls, and how it fits into the Zero Trust model. Expect multiple-choice questions that present a scenario and ask which conditional access control would be most appropriate.
For the MS-900 (Microsoft 365 Fundamentals) exam, you need to know what conditional access is and the licensing requirements (Azure AD Premium P1 or P2). The exam may ask which license is needed to implement risk-based conditional access. The AZ-104 (Azure Administrator) exam includes conditional access as part of the manage identities and governance section.
You may be asked to configure a conditional access policy, troubleshoot why a policy is not working, or understand how to exclude emergency access accounts. The MD-102 (Endpoint Administrator) exam covers conditional access in the context of device compliance and Microsoft Intune integration. You will need to know how to require compliant devices in a conditional access policy.
The MS-102 (Microsoft 365 Administrator) exam is even deeper, with questions on planning and implementing conditional access policies, plus integration with Microsoft Defender for Cloud Apps session controls. For CompTIA Security+, conditional access appears in the identity and access management domain, but not as a specific configuration. Expect conceptual questions about policy-based access control and risk-based authentication.
The CISSP exam covers conditional access as part of the access control domain, particularly when discussing identity and access management, Single Sign-On, and adaptive authentication. For the CySA+ exam, conditional access may appear as part of security automation and zero trust. The AWS SAA exam does not use the term conditional access directly, but similar concepts appear in IAM policies with conditions based on tags, source IP, or MFA.
The term conditional access is most heavily associated with Microsoft exams, so if you are studying for SC-900, AZ-104, MS-102, or MD-102, you must be prepared for several questions on this topic. In the questions, you may be given a scenario where a user is blocked and asked to identify which policy caused it, or you may need to select the correct policy settings to achieve a specific security goal.
Simple Meaning
Think of conditional access like a nightclub bouncer who doesn't just check IDs at the door. The bouncer looks at several things before letting someone in: is the person on the guest list, do they look sober, are they wearing appropriate shoes, is it a VIP night, and is the club already too full? Even if someone has a valid ID, the bouncer might still say no if the person seems too intoxicated or if the club is at capacity.
Conditional access works the same way for your online accounts and company data. It doesn't just check that you typed the right password. It looks at a bunch of extra clues to decide if letting you in is safe at that moment.
These clues include where you are logging in from, what device you are using, whether that device has the latest security updates, what time it is, and even whether your behavior looks suspicious. For example, if you usually log in from New York during business hours and suddenly a login attempt comes from a country you have never visited at 3 AM, conditional access policies can step in. The system might still let you log in but then ask for a second form of authentication, like a code sent to your phone.
Or it might block the attempt entirely and send an alert to your IT team. This is much smarter than just using a password because passwords get stolen all the time. Conditional access adds layers of protection that adapt to each situation.
It is like having a smart lock on your door that checks not only the key but also the time of day, your face, and whether someone is trying to break in. For IT professionals, setting up conditional access policies is a core part of keeping company data secure in the cloud. It allows organizations to define rules like: allow access only if the device is managed by the company, require multi-factor authentication if the user is accessing sensitive data, or block access entirely if the sign-in risk is high.
These policies work across many apps and services, so a single rule can protect email, file storage, and business applications at the same time. In short, conditional access is about making smart, real-time decisions about who gets in and how much they can do, based on the full picture of the access attempt.
Full Technical Definition
Conditional access is a policy-based access control mechanism used in modern identity and access management (IAM) systems, most notably in Microsoft Entra ID (formerly Azure Active Directory). It acts as a decision engine that evaluates access requests against a set of conditions and then applies appropriate controls, such as granting access, requiring multi-factor authentication (MFA), enforcing device compliance, or blocking the request entirely. The core components of a conditional access policy are assignments, conditions, and access controls.
Assignments define which users, groups, or roles the policy applies to, as well as which cloud apps or actions are targeted. Conditions are the signals that trigger policy evaluation. Common conditions include user risk (calculated by Microsoft Entra ID Protection), sign-in risk, device platform (Windows, iOS, Android), location (based on IP address or named locations), client app type (browser, mobile app, legacy authentication), and time of day.
Access controls define what happens when the conditions are met. Grant controls specify what must be satisfied for access to be allowed, such as requiring MFA, requiring a device to be marked as compliant (via Microsoft Intune or another MDM), requiring a hybrid Azure AD joined device, requiring an approved client app, or requiring an app protection policy. Session controls limit the user's experience after access is granted, for example by controlling session lifetime, enforcing app-enforced restrictions (like blocking download of files in SharePoint), or using Conditional Access App Control (a feature of Microsoft Defender for Cloud Apps) to monitor and control user sessions in real time.
When a user attempts to sign in, the following flow typically occurs. The user authenticates with their credentials. The authentication request is intercepted by the identity provider (IdP).
The IdP evaluates any applicable conditional access policies by checking the user's attributes, device state, location, risk scores, and other signals. If the policy conditions are met, the IdP applies the specified access controls. If the access controls are satisfied, access is granted.
If they are not, the user is prompted to satisfy them (e.g., enroll in MFA) or access is blocked. Conditional access policies are evaluated before the user receives a token, meaning that blocked requests never get access to the resource.
Technically, conditional access relies on standards such as OAuth 2.0 and OpenID Connect for authorization and authentication flows. It integrates with Microsoft Entra ID Protection for risk detection, Microsoft Intune for device compliance, and Microsoft Defender for Cloud Apps for session control.
Policies are stored as JSON objects in the Microsoft Graph API and can be managed programmatically. Conditional access is also referenced in the NIST 800-53 framework for access control and is a key component of Zero Trust architecture. In a Zero Trust model, no user or device is trusted by default; every access request must be verified based on the current context.
Conditional access is the engine that enforces this verification in real time. Conditional access policies do not replace authentication; they add an additional layer of evaluation after authentication occurs. The policies are also not applied to service-to-service traffic; they only affect interactive user sign-ins.
In Microsoft 365, conditional access is available with Azure AD Premium P1 or P2 licenses. P1 allows basic conditional access policies like MFA based on location. P2 adds risk-based conditional access, integrating with Identity Protection for user and sign-in risk.
For other cloud providers, similar concepts exist, such as AWS IAM conditions in SCPs (service control policies) and Google Cloud context-aware access. However, the term conditional access is most heavily associated with Microsoft Entra ID and Microsoft 365 security. For the AZ-104 and SC-900 exams, understanding how to configure and troubleshoot conditional access policies is essential.
For the MS-900 exam, you need to know what conditional access is and its licensing requirements. For Security+ and CISSP, understanding policy-based access control and risk-based decisions is part of the broader IAM and security architecture domains. Conditional access can be thought of as the runtime engine that makes access decisions dynamic and context-aware, moving beyond static allow/deny lists to a risk-adaptive authorization model.
Real-Life Example
Imagine you run a small museum with a valuable exhibit. You have a security guard at the entrance, but the guard does not just check tickets. The guard follows a set of rules that change depending on the situation.
On a normal weekday, if a visitor shows a valid ticket, they are allowed in. But if the same visitor tries to enter after midnight, the guard calls the police. If a visitor shows a ticket but is dripping wet and carrying a large bag, the guard asks them to leave the bag in a locker and gives them a towel.
If a visitor shows a ticket but is wearing a mask and sunglasses, the guard asks for a second form of ID. If a visitor tries to use a ticket that was already scanned earlier that day, the guard denies entry. If a visitor has a ticket but the museum is already full, the guard asks them to wait.
If a visitor is a known VIP, the guard lets them skip the line but still checks their ticket. The guard does not just look at the ticket; the guard looks at the person, the time, the behavior, and the situation before making a decision. That is exactly how conditional access works in IT.
The ticket is the password. The security guard is the conditional access policy engine. The guard's rules are the policies you configure. When a user tries to access a company app, the system checks not just the password but also where they are (their IP address), what device they are using (is it company-managed?
), how risky the sign-in looks (is it from a known malware-infected IP?), what time it is, and whether they are trying to access sensitive data. Based on all those signals, the system decides to let them in, ask for more proof (like a code from their phone), restrict what they can do (like block downloads), or turn them away entirely.
The museum guard can also change the rules for special exhibits. Similarly, an IT admin can create different conditional access policies for different apps. For example, the finance app might require a compliant device and MFA every time, while the cafeteria menu app might just require a simple login.
The guard does not need to memorize each rule because the rules are written down in a manual. In IT, the rules are written in the conditional access policy configuration. The guard checks the manual before making a decision.
In IT, the policy is checked every time a user signs in. This makes access control dynamic, adaptive, and much harder for attackers to bypass. Even if a thief steals a ticket (password), the guard might still stop them because the thief looks nervous or is trying to enter at 3 AM from a location across the country.
That is the power of conditional access, it adds situational awareness to security.
Why This Term Matters
Conditional access matters because passwords alone are no longer sufficient to protect sensitive data. Cyber attackers constantly steal credentials through phishing, brute force, or data breaches. Once they have a username and password, they can impersonate a legitimate user and access company resources.
Conditional access adds a critical safety net by evaluating the context of every sign-in attempt. Even if a password is compromised, a conditional access policy can block the attacker if they are logging in from an unusual location, using an unrecognized device, or signing in at a strange time. This dramatically reduces the risk of a data breach.
For IT administrators, conditional access provides a powerful tool to enforce security policies without disrupting user productivity. Instead of requiring MFA for every single login, which frustrates users, you can require MFA only when the sign-in appears risky. Users in the office on a managed device can have a seamless experience, while a login attempt from a coffee shop in another country triggers additional verification.
This balance between security and usability is essential in modern organizations. Conditional access also supports compliance requirements. Many regulations, such as GDPR, HIPAA, and PCI-DSS, require organizations to implement strong access controls.
Conditional access allows you to enforce policies like requiring compliant devices for accessing health records or blocking access from countries without adequate data protection laws. Finally, conditional access is a cornerstone of Zero Trust architecture. In a Zero Trust model, every access request is treated as potentially hostile, and access is granted only after verification of identity, device health, and context.
Conditional access is the engine that makes Zero Trust operational in a cloud-first world. For IT professionals, understanding conditional access is no longer optional, it is a core skill for managing modern identity and security.
How It Appears in Exam Questions
Conditional access questions on exams typically fall into three patterns. The first pattern is scenario-based: you are given a business requirement and asked which conditional access settings to configure. For example: A company wants all users accessing financial data to use multi-factor authentication, but only when they are outside the corporate network.
Which conditional access assignments and conditions should you configure? You would need to select the correct app (financial app), users (all users), and conditions (locations: all untrusted networks), and then set grant control to require MFA. The second pattern is troubleshooting: a user reports they cannot access an app even though they typed the correct password.
The question provides details like the user is a contractor, using a personal device, and trying to access the app from home. You need to identify that a conditional access policy is blocking the request because the device is not compliant. You might then be asked how to fix it, such as by enrolling the device in Intune or excluding the user group from the policy.
The third pattern is conceptual: the question asks about the components of conditional access, the difference between grant and session controls, or the licensing required. For example: Which Azure AD license is required to use user risk as a condition in conditional access? The answer is Azure AD Premium P2.
Another variation asks about the order of evaluation: policies are evaluated after authentication but before a token is issued. A tricky question might display a policy with all conditions matched correctly but still not working because the policy is in report-only mode. Or a question about blocking legacy authentication because it does not support MFA, so you create a conditional access policy to block all legacy authentication protocols.
For the AWS SAA exam, the similar pattern uses IAM policies with conditions: allow access only if MFA is present or if the source IP is within a range. The question style is similar: you must pick the correct condition key and value. For Security+ and CISSP, the question might be something like: Which access control model evaluates user attributes before granting access?
The answer is attribute-based access control (ABAC), which is closely related to the concept of conditional access. Being able to map a scenario to the correct policy settings is key to passing these exam questions.
Practise Conditional access Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are an IT administrator for a company called TechSolve. The CEO, Sarah, has an iPad that she uses for work. She always logs in from the corporate office. One day, she travels to a conference in another country and tries to access the company's sales database from her hotel room.
She enters her password correctly, but access is blocked. She calls you saying she cannot log in. You check the conditional access policy you previously configured. The policy states: for the sales database app, require multi-factor authentication when the sign-in risk is medium or higher.
You also have a policy that blocks access from countries that are not on the approved list. When Sarah tried to sign in from the hotel, the sign-in risk was low, so the MFA policy did not trigger. However, her hotel's IP address was in a country that is not on your approved list.
The block policy was triggered, and she was denied access. You realize you need to add the conference country to the approved locations list temporarily, or create a policy that allows access from that country only when MFA is also completed. A better solution might be to configure a named location for the conference country with the hotel's IP range and set the policy to require MFA instead of blocking.
You adjust the policy, and Sarah successfully logs in after completing MFA with her phone. This scenario shows how conditional access policies interact with each other and why planning is critical. It also shows that a user can be blocked even with the correct password, which can be confusing but is intentional for security.
On the exam, you might be asked what the best solution is to allow Sarah to access the database securely. You would need to choose an answer that combines location allowance with MFA requirement, rather than simply removing the block policy.
Common Mistakes
Thinking conditional access replaces the need for passwords altogether.
Conditional access is an additional layer after authentication. The user still must provide their password or some other primary authentication factor. Conditional access evaluates context and applies controls like MFA or block, but it does not replace the initial authentication step.
Remember that conditional access policies are evaluated after the user authenticates with their credentials. The password is still required.
Assuming all users in the tenant are subject to the same conditional access policies by default.
Conditional access policies are not active until you create and enable them. If no policy is created, all users are allowed based on their credentials alone. Policies must be explicitly configured and assigned to users, groups, or roles.
Always check that a conditional access policy is enabled and assigned to the correct users and apps. Do not assume default protection exists.
Believing that blocking legacy authentication requires a separate conditional access policy that requires MFA.
Legacy authentication protocols like POP, IMAP, and SMTP do not support MFA, so requiring MFA in a policy will not block them. Instead, you must create a conditional access policy that specifically blocks legacy authentication by using the client apps condition and selecting 'Exchange ActiveSync clients' and 'Other clients' and setting the grant control to block access.
Create a dedicated conditional access policy to block legacy authentication protocols. Do not rely on requiring MFA to block them because legacy protocols skip MFA prompts.
Confusing grant controls with session controls.
Grant controls determine whether access is granted at all (e.g., require MFA, require compliant device, block). Session controls control what the user can do after access is granted (e.g., session lifetime, app-enforced restrictions, Cloud App Security session monitoring). They serve different purposes.
Use grant controls for identity verification and device compliance. Use session controls for limiting behavior within the app, like prohibiting file downloads.
Forgetting to exclude emergency break-glass accounts from conditional access policies.
If an administrator locks themselves out of the tenant by applying a restrictive policy to all global admins, they cannot get back in to fix the policy. Break-glass accounts with strong, separate credentials must be excluded from all conditional access policies.
Always include at least two emergency access accounts in the 'Exclude' section of every conditional access policy that targets admins.
Thinking that conditional access policies apply to service-to-service communication.
Conditional access policies only apply to interactive user sign-ins. Service principals, daemon apps, and automated scripts authenticate using client credentials or certificates and are not evaluated against conditional access policies.
Apply separate controls, such as app permissions and IP restrictions, for service accounts and automated app access.
Exam Trap — Don't Get Fooled
{"trap":"When a user is blocked, the exam answer suggests disabling the conditional access policy entirely to resolve the issue.","why_learners_choose_it":"Learners see that the policy is blocking the user and think the quick fix is to turn off the policy, which is a straightforward solution. They may not realize the security implications or that a more targeted fix exists."
,"how_to_avoid_it":"Instead of disabling the entire policy, you should modify the policy to exclude the specific user or group, or adjust the conditions to allow the legitimate access. Disabling a policy weakens security for all users. On the exam, always look for the answer that preserves security while resolving the blocker, such as adding a user to an exclusion group or changing the condition to be less restrictive only for that scenario."
Step-by-Step Breakdown
User initiates sign-in
The user opens an app or browser and attempts to log in with their username and password (or other primary credential). This triggers an authentication request to the identity provider, such as Microsoft Entra ID.
Authentication occurs
The identity provider verifies the user's credentials. If the password is incorrect, the user is denied immediately and no conditional access policy is evaluated. If the credentials are valid, the authentication token is not yet issued, but the user is considered authenticated.
Conditional access policy evaluation begins
The identity provider checks for any conditional access policies that apply to this user, the app being accessed, and the conditions set in the policy (like location, device platform, client app, risk). Policies are evaluated in a specific order, and if multiple policies apply, all must be satisfied.
Conditions are checked against the request
The system examines the conditions configured in each matched policy. For example, it checks the user's IP address against named locations, it checks the device compliance status from Intune, it checks the sign-in risk from Identity Protection, and it checks the client app type. If any condition is not met, the policy may not apply and evaluation stops for that policy.
Access controls are applied
If all conditions in a policy are met, the system applies the configured access controls. For grant controls, the system determines whether the user has satisfied the required controls (e.g., has MFA already happened, device is compliant). For session controls, the system prepares to enforce restrictions within the session.
User is prompted for additional verification if needed
If the policy requires MFA but the user has not yet performed MFA in this session, the user is prompted to complete MFA. Similarly, if the policy requires device enrollment or compliance, the user may be redirected to enroll their device or update security settings. The user must complete these steps before access is granted.
Token is issued or request is blocked
After all grant controls are satisfied, the identity provider issues a token that grants the user access to the requested app. If grant controls are not satisfied, the user is blocked and an error message is displayed. The token is never issued for blocked requests, so the resource is never exposed.
Session controls are enforced
If session controls are configured, they are applied after the token is issued. For example, the session lifetime may be limited, or the user may be redirected to a Cloud App Security session that monitors and restricts actions like copying data or printing. These controls remain active for the duration of the session.
Practical Mini-Lesson
Conditional access is one of the most powerful tools in a Microsoft 365 administrator's security toolkit, but it requires careful planning and testing. In practice, before you ever create a conditional access policy, you should use the 'What If' tool in the Azure portal to simulate how a policy will affect a specific user, app, and condition. This tool helps you avoid accidentally blocking yourself or critical users.
When configuring a policy, always start with the assignments: who does this apply to? Typically, you will apply policies to specific user groups rather than all users, so you can test with a pilot group first. The 'Exclude' section is just as important as 'Include' because you must always exclude emergency access accounts that are not subject to MFA or location restrictions.
Next, select the target cloud apps. You can apply a policy to all cloud apps, but be careful because that may override other specific policies. It is better to target specific apps like Exchange Online or SharePoint.
For conditions, the most commonly used conditions are location and device platform. For location, you should define named locations for your corporate office IP ranges. For device platform, you can target policies for mobile devices that might need MFA even inside the office.
The sign-in risk and user risk conditions require Azure AD Premium P2 licenses, but they are extremely valuable for adaptive access. For example, you can create a policy that blocks all sign-ins with high risk and requires MFA for medium risk. For access controls, the most common grant control is 'Require multi-factor authentication'.
Another important control is 'Require device to be marked as compliant', which requires the device to be enrolled in Intune and meet compliance policies. For session controls, the 'Use app enforced restrictions' control works with SharePoint and Exchange to enforce limited access for unmanaged devices. The 'Use Conditional Access App Control' redirects the user session through Microsoft Defender for Cloud Apps, allowing real-time monitoring and blocking of sensitive actions like downloading a file.
One important trap: conditional access policies are not applied to guest users in the same way unless you target them specifically. You must also remember that policies are evaluated once at sign-in and again at token refresh intervals, so a user might be forced to re-authenticate if their device falls out of compliance mid-session. During testing, always set the policy to 'Report-only' mode first.
Report-only mode logs what would have happened without actually blocking users. You can then review the sign-in logs to see if the policy would have blocked legitimate users. Only after verifying the impact should you switch the policy to 'On'.
Another common real-world issue is legacy authentication. Many older apps use protocols that do not support modern authentication, so they cannot evaluate conditional access policies. You should create a separate policy that explicitly blocks all legacy authentication protocols, as they bypass conditional access entirely.
Finally, monitor the sign-in logs regularly for failed conditional access attempts. These logs show you which polices are being triggered and can help you fine-tune your rules. Conditional access is not a set-and-forget feature; it requires ongoing management as users, devices, and threat landscapes evolve.
Memory Tip
Think of conditional access as a smart bouncer that checks not just the ticket but also the time, the outfit, and the behavior before letting anyone in.
Learn This Topic Fully
This glossary page explains what Conditional access means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CS0-003CompTIA CySA+ →MD-102MD-102 →MS-102MS-102 →MS-900MS-900 →AZ-104AZ-104 →SC-900SC-900 →SY0-701CompTIA Security+ →AZ-900AZ-900 →CISSPCISSP →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Do I need a special license to use conditional access?
Yes. Conditional access is a feature of Azure AD Premium. Basic conditional access policies (like requiring MFA based on location) require Azure AD Premium P1. Risk-based policies require Azure AD Premium P2.
Can conditional access policies be applied to guest users?
Yes, but you must explicitly include guest users in the policy or target them via the 'External users' condition. They are not automatically covered by policies that target internal users only.
What does 'report-only mode' mean in conditional access?
Report-only mode allows you to test a policy without affecting users. The policy is evaluated and logged in the sign-in logs, but the access controls (like block or MFA) are not enforced. This is useful for testing before enabling the policy.
Why is legacy authentication a problem for conditional access?
Legacy authentication protocols like POP3, IMAP, and SMTP do not support modern authentication flows. They bypass conditional access policies entirely, so you must create a conditional access policy that specifically blocks these protocols.
How do I troubleshoot a user who is blocked by conditional access?
Check the Azure AD sign-in logs. Find the failed sign-in attempt and look at the 'Conditional Access' tab. It will show which policy was applied and why the user was blocked. You can also use the 'What If' tool to simulate the user's sign-in and see which policies would apply.
Can I create a conditional access policy that requires a user to accept terms of use?
Yes, you can use a grant control that requires a terms of use acceptance. This is useful for making users agree to company policies before accessing sensitive apps.
What happens if multiple conditional access policies apply to the same user and app?
All applicable policies must be satisfied. If one policy requires MFA and another requires a compliant device, the user must complete both. If one policy blocks access, the block takes precedence regardless of other policies.
Summary
Conditional access is a policy-based access control framework that evaluates contextual signals like user location, device health, sign-in risk, and app sensitivity to make real-time decisions about granting or blocking access. It acts as a critical layer of security beyond passwords, enabling organizations to implement adaptive, risk-aware access control. For IT professionals and exam candidates, understanding the components of a conditional access policy, including assignments, conditions, grant controls, and session controls, is essential.
The most common exam scenarios involve configuring policies to require MFA from untrusted locations, blocking legacy authentication, requiring compliant devices, and excluding emergency accounts. Conditional access is a core concept in Microsoft identity and security exams, including SC-900, MS-900, AZ-104, MD-102, MS-102, and others. It also appears in general security certifications like Security+ and CISSP under the broader topics of identity and access management and Zero Trust architecture.
Misunderstandings often arise around the difference between conditional access and MFA, the necessity of excluding break-glass accounts, and the treatment of legacy authentication. Practical skills like using the What If tool and sign-in logs for troubleshooting are invaluable in both real-world administration and exam questions. Conditional access is not a static feature; it requires careful planning, testing in report-only mode, and ongoing monitoring.
Mastery of conditional access is a strong indicator of readiness for roles in identity management, security administration, and cloud infrastructure.