This chapter covers Conditional Access and Multi-Factor Authentication (MFA) in Microsoft Entra ID (formerly Azure Active Directory). These are critical identity security controls that protect access to Azure resources and cloud applications. On the AZ-900 exam, this objective falls under Domain 2 (Azure Architecture and Services), specifically objective 2.5: Describe identity, governance, privacy, and compliance features. While the exact weight varies, identity topics typically account for 15-20% of the exam. Understanding Conditional Access and MFA is essential because they are the primary mechanisms for enforcing Zero Trust security—a key concept Microsoft emphasizes. You will be tested on what they are, how they work, and when to use them, not on configuring them in detail.
Jump to a section
Imagine a bank vault that holds your company's most sensitive data. Traditionally, a single key (a password) is enough to open it. But if that key is stolen or guessed, the vault is compromised. Now, introduce a second lock that requires a different key—say, a fingerprint scan or a one-time code sent to your phone. Even if someone steals your password, they cannot open the vault without your fingerprint. This is exactly how Conditional Access and MFA work in Azure. Conditional Access is like a security guard who checks the context: Is it a normal business hour? Is the person using a trusted device? Is the location unusual? Based on these conditions, the guard decides whether to require the second key (MFA) or deny access altogether. MFA is the second lock—it verifies identity using something you know (password), something you have (phone), or something you are (biometrics). Together, they ensure that even if credentials are compromised, unauthorized access is blocked. The mechanism is not just about adding steps; it's about dynamically adjusting security based on risk, just like a bank that increases scrutiny for a late-night withdrawal from a foreign location.
What is Conditional Access and MFA?
Conditional Access is a feature of Microsoft Entra ID that allows you to enforce access controls based on signals or conditions. It is the policy engine that decides whether to grant access, require additional verification (like MFA), or block access entirely. MFA (Multi-Factor Authentication) is a specific security method that requires two or more forms of verification from independent categories: something you know (password), something you have (phone, hardware token), or something you are (fingerprint, facial recognition).
Business Problem: Passwords are weak. They are often reused, guessed, or phished. Even strong passwords can be stolen. Conditional Access and MFA solve this by adding layers of verification and by making access decisions context-aware. For example, an employee logging in from a known device on the corporate network might only need a password, but the same employee logging in from a coffee shop in a foreign country would be prompted for MFA or blocked.
How It Works: The Mechanism
Conditional Access works like an if-then logic engine. When a user attempts to access a resource (e.g., Azure portal, Office 365, a custom app), Microsoft Entra ID evaluates the request against the Conditional Access policies. The evaluation flow is:
1. Signals Collection: Entra ID gathers signals such as user identity, device state (compliant or not), location (IP address, country), application being accessed, risk level from Identity Protection, and time of day. 2. Policy Evaluation: The collected signals are compared against the conditions defined in each policy. Conditions can include: user/group membership, location (trusted or untrusted), device platform, application, and sign-in risk. 3. Decision: Based on the policy, one of three actions occurs: - Grant Access: Allow access (possibly with session controls like app restrictions). - Require Additional Verification: Prompt for MFA, require a compliant device, or accept terms of use. - Block Access: Deny access entirely.
Example Policy: "If user is in the Finance group AND accessing the Payroll app from an untrusted location, then require MFA and block access if device is not compliant."
Key Components
Conditions: The 'if' part of the policy. Common conditions include:
- User or group membership - Cloud apps or actions (e.g., Azure Management, Office 365) - Device state (compliant, domain-joined) - Location (IP ranges, countries) - Sign-in risk (low, medium, high) - Client apps (browser, mobile app, legacy auth) - Access Controls: The 'then' part. Grant controls include:
- Require MFA - Require device to be marked as compliant - Require Hybrid Azure AD joined device - Require approved client app - Require app protection policy - Require password change - Require terms of use - Session Controls: Fine-grained controls like app-enforced restrictions or Conditional Access App Control.
Tiers and Licensing
Conditional Access is available in different tiers: - Free/Basic (Azure AD Free): Limited. Only basic Conditional Access via security defaults (predefined policies that enforce MFA for all users, block legacy authentication, etc.). - Azure AD Premium P1: Full Conditional Access policies with conditions like location, device state, and application. This is the minimum for custom policies. - Azure AD Premium P2: Adds Identity Protection integration (risk-based Conditional Access) and Privileged Identity Management.
MFA itself is included with all tiers, but Conditional Access policies to enforce MFA require P1 or P2 (unless using security defaults).
Comparison to On-Premises Equivalent
On-premises, organizations used Active Directory with Group Policy and maybe a VPN with RADIUS for MFA. This was static: you either required MFA for all remote access or not. Conditional Access is dynamic and cloud-based. It evaluates risk in real time, integrates with thousands of SaaS apps, and can be updated centrally without touching servers. There is no on-premises equivalent that offers the same level of granularity and automation.
Azure Portal and CLI Touchpoints
To manage Conditional Access in the Azure portal: navigate to Microsoft Entra ID > Security > Conditional Access. Here you can create new policies or view existing ones. Policies are JSON-based and can also be managed via Microsoft Graph API or PowerShell.
PowerShell example (using Microsoft Graph module):
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
displayName = "Require MFA for Admins"
state = "enabled"
conditions = @{
users = @{
includeUsers = @("admin@contoso.com")
}
applications = @{
includeApplications = @("All")
}
}
grantControls = @{
builtInControls = @("mfa")
operator = "OR"
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $paramsCLI example (using Azure CLI with Microsoft Graph extension): Not natively available; use Microsoft Graph API or PowerShell.
ARM/Bicep: Conditional Access policies are not directly deployable via ARM templates; use Microsoft Graph API or PowerShell/CLI with Graph.
Enable Security Defaults
If your tenant is on the Free tier, the easiest way to enforce MFA is to enable Security Defaults. In the Azure portal, go to Microsoft Entra ID > Properties > Manage Security Defaults. Set it to 'Enabled'. This automatically creates policies that require MFA for all users, block legacy authentication (e.g., POP3, IMAP), and protect privileged activities. Behind the scenes, Azure creates a baseline Conditional Access policy. This is a one-click solution but offers no customization. On the exam, remember that Security Defaults are for organizations that want basic security without extra cost (Azure AD Free).
Create a Conditional Access Policy
With Azure AD Premium P1 or P2, you can create custom policies. In the Conditional Access blade, click '+ New policy'. Give it a name. Under 'Assignments', configure the 'Users and groups' (e.g., all users or specific groups). Under 'Cloud apps or actions', select the target apps (e.g., 'All cloud apps' or 'Office 365'). Under 'Conditions', set location, device state, etc. For example, set 'Locations' to 'Any location' except trusted IPs. Then under 'Access controls', choose 'Grant' and check 'Require multi-factor authentication'. Set 'Enable policy' to 'Report-only' first to test, then 'On'. The policy is evaluated at every sign-in.
Configure MFA Settings
MFA settings are managed under Microsoft Entra ID > Users > Per-user MFA (legacy) or via Conditional Access policies. The modern approach is to let Conditional Access enforce MFA. However, you can also configure MFA methods (phone call, text, app notification, OATH token) under MFA settings. Users register their methods at https://aka.ms/mfasetup. On the exam, know that MFA can be enforced per-user (legacy) or via Conditional Access (recommended). Per-user MFA requires each user to be enabled individually and always prompts for MFA, whereas Conditional Access allows risk-based prompting.
Test the Policy in Report-Only Mode
Before enabling a Conditional Access policy, set it to 'Report-only' mode. This logs the policy's effect without blocking or prompting users. You can review the results in the 'Sign-in logs' under the 'Conditional Access' tab. This helps you understand impact without disrupting users. For example, if you create a policy to block legacy authentication, report-only will show you which users would have been blocked. This is critical for troubleshooting. On the exam, know that report-only is a key feature for testing policies safely.
Monitor and Troubleshoot
After enabling policies, monitor sign-in logs and Conditional Access insights. In the Azure portal, go to Microsoft Entra ID > Monitoring > Sign-in logs. Filter by 'Conditional Access' to see which policies applied. If users are unexpectedly blocked, check the 'Conditional Access' tab in the sign-in event details. Common issues: users not registered for MFA, device not compliant, or location mismatch. Also, use the 'What If' tool in the Conditional Access blade to simulate a sign-in and see which policies would apply. This helps pre-validate policy changes.
Scenario 1: Remote Work Security A company with 500 employees transitions to remote work. They use Office 365 and a custom CRM. The security team wants to ensure that only managed devices can access corporate data. They create a Conditional Access policy: If the user is accessing Office 365 or the CRM, and the device is not marked as compliant (via Intune), then require MFA and block access if device is not compliant. They also require device enrollment in Intune. The result: employees must enroll their personal laptops in Intune and comply with security policies (e.g., encryption, antivirus). If a device is lost, the admin can wipe it remotely. Cost: Azure AD Premium P1 licenses for all users, plus Intune licenses. If set up incorrectly (e.g., excluding too many users or not enforcing device compliance), a stolen device could access data without MFA.
Scenario 2: High-Risk Sign-In Response A financial services firm uses Azure AD Premium P2 and Identity Protection. They configure a Conditional Access policy that triggers when sign-in risk is medium or high. The policy requires MFA and forces a password change. For example, if a user's credentials appear on the dark web, Identity Protection raises the user risk. On the next sign-in, Conditional Access evaluates the risk condition and requires MFA + password change. This prevents compromised accounts from being used. If the policy is too aggressive (e.g., low risk triggers MFA), users may be prompted frequently, causing frustration. Conversely, if risk thresholds are too high, compromised accounts may go undetected.
Scenario 3: Block Legacy Authentication A healthcare provider discovers that many data breaches originate from legacy protocols like POP3 and SMTP, which do not support MFA. They create a Conditional Access policy to block all legacy authentication. The policy condition: Client apps > Other clients (legacy). Access control: Block access. This immediately stops attackers using brute-force attacks on legacy protocols. However, if the policy is applied without testing, users with legacy email clients (e.g., Outlook 2010) will lose email access. The solution: communicate the change and upgrade clients. Common mistake: forgetting to exclude service accounts that use legacy protocols for system emails, causing outages.
Objective Code: AZ-900 Domain 2, Objective 2.5: Describe identity, governance, privacy, and compliance features. Specifically, you need to 'describe the capabilities of Microsoft Entra ID, including Multi-Factor Authentication (MFA) and Conditional Access.'
What AZ-900 Tests: You will NOT be asked to write policies or configure MFA. Instead, focus on:
The purpose of Conditional Access: to enforce access controls based on conditions (not just MFA).
The difference between MFA and Conditional Access: MFA is a control; Conditional Access is the policy engine that can require MFA.
Security Defaults vs. Conditional Access: Security Defaults are for basic protection (Free tier); Conditional Access requires Premium P1 or P2.
Key conditions: location, device state, sign-in risk, application.
That Conditional Access can block access, require MFA, require compliant device, etc.
That MFA can be enforced per-user (legacy) or via Conditional Access (modern).
Common Wrong Answers and Why: 1. 'Conditional Access is only for MFA.' Wrong: It can also block access, require compliant device, etc. Candidates choose this because MFA is the most common use case. 2. 'MFA requires Azure AD Premium P1.' Wrong: MFA is available in Free tier via Security Defaults or per-user MFA. Conditional Access policies to enforce MFA require P1. Candidates confuse MFA with Conditional Access. 3. 'Conditional Access policies apply to all users by default.' Wrong: Policies are scoped to specific users/groups. If not assigned, they don't apply. Candidates assume blanket enforcement. 4. 'Security Defaults and Conditional Access are mutually exclusive.' Wrong: If you enable Security Defaults, you cannot create custom Conditional Access policies unless you disable Security Defaults. But you can use one or the other.
Specific Terms and Values: - 'Security Defaults' – a set of predefined policies. - 'Conditional Access' – the policy engine. - 'Multi-Factor Authentication' – requires two or more verification methods. - 'Report-only mode' – allows testing without enforcement. - 'Legacy authentication' – protocols that don't support MFA.
Edge Cases: - Conditional Access policies are evaluated after authentication. If a user is blocked, they may still see a sign-in page before being denied. - MFA registration is separate from policy enforcement. Users must register before a policy requires MFA. - 'What If' tool lets you simulate a sign-in without affecting users.
Memory Trick: Think of Conditional Access as a 'bouncer' at a club. The bouncer checks conditions (ID, dress code, guest list) before deciding: let you in (grant), ask for extra ID (MFA), or kick you out (block). MFA is just one of the bouncer's possible actions.
Conditional Access is a policy engine in Microsoft Entra ID that enforces access controls based on conditions like user, location, device, and risk.
MFA is a security control that requires two or more verification methods (password + phone, app, or biometric).
Security Defaults provide basic Conditional Access and MFA at no extra cost for Azure AD Free tenants.
Custom Conditional Access policies require Azure AD Premium P1 or P2 licenses.
Conditional Access can block access, require MFA, require compliant device, require Hybrid Azure AD join, or enforce session controls.
Report-only mode allows administrators to test policies before enforcement.
Legacy authentication (e.g., POP3, IMAP, SMTP) does not support MFA and should be blocked via Conditional Access.
The 'What If' tool simulates sign-ins to preview policy effects.
These come up on the exam all the time. Here's how to tell them apart.
Security Defaults
Available in Azure AD Free tier
Predefined policies: MFA for all users, block legacy auth, protect privileged activities
No customization possible
Cannot be disabled once enabled without turning off all policies
Suitable for small organizations or those without Premium licenses
Conditional Access (Custom)
Requires Azure AD Premium P1 or P2
Fully customizable conditions (location, device, risk, app, etc.)
Multiple grant and session controls (MFA, compliant device, terms of use, etc.)
Report-only mode for testing
Suitable for enterprises requiring granular access control
Mistake
MFA and Conditional Access are the same thing.
Correct
MFA is a verification method; Conditional Access is a policy engine that can require MFA as one of its controls. You can have MFA without Conditional Access (e.g., per-user MFA), but Conditional Access is more flexible.
Mistake
Conditional Access requires Azure AD Premium P2.
Correct
Conditional Access requires Azure AD Premium P1 for custom policies. P2 adds Identity Protection integration for risk-based policies. Security Defaults provide basic Conditional Access at no extra cost.
Mistake
Once you enable MFA, users are always prompted for a second factor.
Correct
With Conditional Access, MFA prompting can be conditional (e.g., only from untrusted locations). Per-user MFA always prompts. Azure also uses session tokens to reduce prompts for 90 days by default.
Mistake
Conditional Access can only be used for cloud apps.
Correct
Conditional Access can also protect on-premises applications through Azure AD Application Proxy, but the policy evaluation is still done in the cloud.
Mistake
Security Defaults provide the same functionality as Conditional Access.
Correct
Security Defaults are a fixed set of policies (MFA for all users, block legacy auth, etc.) with no customization. Conditional Access allows granular conditions like location, device state, and risk.
MFA (Multi-Factor Authentication) is a method of verifying identity using two or more factors. Conditional Access is a policy engine that uses signals (like location or device) to decide whether to require MFA, block access, or allow access. On the exam, remember that MFA is a control, while Conditional Access is the decision-making framework that can enforce MFA.
No. MFA is available in the Azure AD Free tier through Security Defaults or per-user MFA (legacy). However, to create custom Conditional Access policies that enforce MFA based on conditions, you need Azure AD Premium P1 or P2. Security Defaults are a one-click solution for basic MFA without Premium.
Sign-in risk is a feature of Azure AD Identity Protection, which requires Azure AD Premium P2. It detects risky sign-ins (e.g., from anonymous IP, unfamiliar location). Conditional Access can use this risk level (low, medium, high) as a condition to require MFA, block access, or force password change.
Legacy authentication refers to protocols like POP3, IMAP, SMTP, and older Office clients that do not support modern authentication methods like MFA. Attackers often target these protocols because they bypass MFA. Conditional Access can block legacy authentication by selecting 'Other clients' under client apps.
Yes. Conditional Access policies have a 'Report-only' mode that logs the policy's effect without enforcing it. You can view results in the sign-in logs. Additionally, the 'What If' tool lets you simulate a sign-in with specific conditions to see which policies would apply.
By default, after a successful MFA, Azure AD will not prompt again for 90 days from the same device and location. This is configurable via Conditional Access session controls (sign-in frequency). For per-user MFA, the interval is 90 days by default.
Conditional Access primarily protects cloud apps (like Office 365, Azure, custom SaaS). However, it can also protect on-premises apps published via Azure AD Application Proxy. The policy evaluation is always performed by Azure AD in the cloud.
You've just covered Conditional Access and MFA — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?