Cybersecurity Glossary

What is Conditional Access?

Conditional Access is a policy-driven access control approach that evaluates signals such as user identity, device health, location, and risk level in real time before granting access to applications or data. If the signals look unusual, the request is blocked or challenged.

Blocks 99% of password attacks
Required by most cyber insurance
Core to SOC 2, HIPAA, PCI
How It Works

How Conditional Access works

Three-step view of how it operates in practice.

1. Collect signals

When a user tries to sign in, the system captures signals: user, device posture, location, IP reputation, application sensitivity.

2. Evaluate policy

Signals are compared against policies you define — for example, block sign-ins from countries you don’t operate in, or require MFA on personal devices.

3. Grant, challenge, or block

Based on the evaluation, the request gets through, gets a step-up challenge (MFA or device compliance), or is blocked outright.

Conditional Access Variants

Common conditional access policy patterns

A clear breakdown of the common variants.

  • Location-based (Common): Block sign-ins from countries outside your operating footprint.
  • Device-based (Most common): Time-based one-time codes from an app like Microsoft Authenticator or Google Authenticator. Offline-capable and phishing-resistant against many attacks.
  • Application-sensitivity (Convenient): The user approves a sign-in with a tap on their phone. Easy to use but vulnerable to MFA fatigue attacks — always pair with number matching.
  • Risk-based (Strongest): FIDO2 keys like YubiKey, or device-bound passkeys. Phishing-resistant by design — the key will not authenticate against a fake domain.

Why It Matters

Why Conditional Access matters for SMBs


99.9%
reduction in account compromise when conditional access is paired with MFA
Source: Microsoft Digital Defense Report, 2024
Pitfalls

Common Conditional Access mistakes

  • Policies only for end users: Admin and service accounts need the strictest policies. Attackers target them first.
  • No emergency break-glass account: Admins, finance, and anyone with access to money or sensitive data should use an app or hardware key — never SMS alone.
  • Testing in production: Use report-only mode to preview policy impact before enforcement.
  • Forgetting guests and vendors: External collaborators need conditional access too, especially for sensitive apps.
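The three-step flow above (collect signals, evaluate policy, grant/challenge/block) and two of the pitfalls (report-only mode, break-glass exclusions, stricter policies for admins) can be shown together in a small policy engine. This is an added illustration, not LogicalNet's or any vendor's code; the signal names, policy fields, operating-country list, sample users and sign-in attempts are all constructed for the example.

```python
"""Toy conditional-access policy engine (added illustration; not LogicalNet's
or any vendor's code). The signal names, policy fields, sample users and
country list below are constructed for this example."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Possible outcomes of step 3; the most severe enforced control wins.
GRANT, CHALLENGE, BLOCK = "grant", "challenge", "block"
_SEVERITY = {GRANT: 0, CHALLENGE: 1, BLOCK: 2}


@dataclass(frozen=True)
class Signals:
    """Step 1: what is known about the sign-in attempt (constructed fields)."""
    user: str
    roles: FrozenSet[str]
    country: str
    device_compliant: bool
    app_sensitivity: str  # "low", "medium" or "high"
    risk: str             # "low", "medium" or "high"


@dataclass(frozen=True)
class Policy:
    """Step 2: a condition plus the control applied when the condition matches."""
    name: str
    applies: Callable[[Signals], bool]
    control: str                      # CHALLENGE or BLOCK
    enforce: bool = True              # False = report-only: record the hit, do not act
    excluded_users: FrozenSet[str] = frozenset()  # e.g. break-glass accounts


def evaluate(signals: Signals, policies: List[Policy]) -> Tuple[str, List[Tuple[str, str, bool]]]:
    """Step 3: return the effective decision and every policy that matched.

    Each hit is (policy name, control, enforced). Report-only hits are listed
    so admins can preview impact, but they never change the decision."""
    decision = GRANT
    hits = []
    for p in policies:
        if signals.user in p.excluded_users or not p.applies(signals):
            continue
        hits.append((p.name, p.control, p.enforce))
        if p.enforce and _SEVERITY[p.control] > _SEVERITY[decision]:
            decision = p.control
    return decision, hits


# Constructed tenant settings.
OPERATING_COUNTRIES = frozenset({"US", "CA"})
BREAK_GLASS = frozenset({"breakglass-admin"})  # excluded from every policy

POLICIES = [
    Policy("Block sign-ins outside operating countries",
           lambda s: s.country not in OPERATING_COUNTRIES, BLOCK,
           excluded_users=BREAK_GLASS),
    Policy("Require MFA on non-compliant devices",
           lambda s: not s.device_compliant, CHALLENGE,
           excluded_users=BREAK_GLASS),
    Policy("Admins always step up",          # strictest policies for admin roles
           lambda s: "admin" in s.roles, CHALLENGE,
           excluded_users=BREAK_GLASS),
    Policy("Compliant device required for high-sensitivity apps",
           lambda s: s.app_sensitivity == "high" and not s.device_compliant, BLOCK,
           excluded_users=BREAK_GLASS),
    Policy("Block high-risk sign-ins",        # new policy, still in report-only
           lambda s: s.risk == "high", BLOCK, enforce=False,
           excluded_users=BREAK_GLASS),
]


def report_only_impact(signals_batch: List[Signals], policies: List[Policy]) -> dict:
    """Count, per report-only policy, how many sign-ins it would have affected."""
    counts = {p.name: 0 for p in policies if not p.enforce}
    for s in signals_batch:
        for name, _control, enforced in evaluate(s, policies)[1]:
            if not enforced:
                counts[name] += 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed sign-in attempts
        Signals("alice", frozenset(), "US", True, "low", "low"),
        Signals("bob", frozenset(), "BR", True, "low", "low"),
        Signals("dave", frozenset({"admin"}), "US", False, "high", "low"),
        Signals("carol", frozenset(), "CA", True, "medium", "high"),
        Signals("breakglass-admin", frozenset({"admin"}), "BR", False, "high", "high"),
    ]
    for s in sample:
        decision, hits = evaluate(s, POLICIES)
        print(f"{s.user:18} -> {decision:9} {[h[0] for h in hits]}")
    print("report-only impact:", report_only_impact(sample, POLICIES))
```

Two design points are worth noting. The decision is the most severe enforced control among all matching policies, so overlapping policies combine predictably (which is also why a handful of targeted policies is easier to troubleshoot than many). Report-only policies still appear in the hit list, and `report_only_impact` tallies them across a batch of sign-ins, which is the check to run before flipping a new policy to enforced.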
Common Questions

Conditional Access frequently asked questions

  • No. MFA is one possible response to a risky sign-in. Conditional access is the policy engine that decides when MFA should be required, when to block entirely, and when to allow.
  • Yes. Conditional access in Microsoft 365 requires Entra ID P1 (included in Business Premium) or P2 (adds risk-based policies). Many SMBs already own the license and don’t know.
  • They see a message explaining why. Admins can review sign-in logs to understand which policy blocked them and adjust.
  • Most SMBs run well on 5-10 targeted policies. Too many overlapping policies make troubleshooting painful.
  • Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel, temporarily disables MFA, and re-enrolls the user with a new device. Backup codes or a secondary security key reduce downtime.
Identity & Access

Need help designing conditional access policies?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day