Conditional Access (CA) is a security policy enforcement solution available with your Azure AD Premium P1 or Microsoft 365 Business Premium subscription. Once users initiate the log-in process with a password, the application employs If/Then logic to grant access or deny access based on certain conditions or “signals.”

Common Conditions

  • Correct Username and Password
  • Location of Login
  • Device itself is Compliant

Common Actions

  • Present MFA Challenge
  • Bypass MFA
  • Deny Access

Examples

  • If an employee logs in with a device that’s assigned to them, in the correct country, and on a compliant network, they bypass MFA.
  • If an employee logs in with a device that’s assigned to them, in the correct country, but not on a compliant network, they must complete an MFA challenge.
  • If an employee logs in with a device that’s assigned to them, but not in the correct country, they are denied access.

Conditional Access Data Hierarchy

Guard+ View

Conditional Access Policies

Guard+ presents all the policies that are in place. For each policy it shows:

  • Its status
  • Client applications involved
  • Risk Level Assigned to it
  • Service Principal Risk Levels
  • Which Platforms are included/excluded
  • When it was created and when it was modified

Conditional Access In/Excluded Groups, Users and Locations

We give the auditor not only the ability to see which users, groups, and locations are assigned to a policy, but also reverse searching, which lets the auditor see which policies apply to a group, user, or location.
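The reverse search described above can be reproduced offline from exported policy objects. This is an added example, not Guard+ code: it assumes policies shaped like Microsoft Graph `conditionalAccessPolicy` objects, and the policy names and object ids are constructed samples.

```python
from collections import defaultdict

# Constructed sample policies (hypothetical names and ids), shaped like
# Microsoft Graph conditionalAccessPolicy objects.
POLICIES = [
    {"displayName": "Require MFA off-network", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": ["user-breakglass"]},
         "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-hq"]}}},
    {"displayName": "Block outside home country", "state": "enabled",
     "conditions": {
         "users": {"includeGroups": ["grp-employees"], "excludeGroups": ["grp-travel"]},
         "locations": {"includeLocations": ["All"],
                       "excludeLocations": ["loc-home-country"]}}},
    {"displayName": "Pilot: compliant device", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["user-alice"]}}},
]

# (conditions section, Graph property) -> (object kind, assignment mode)
FIELDS = {
    ("users", "includeUsers"): ("user", "included"),
    ("users", "excludeUsers"): ("user", "excluded"),
    ("users", "includeGroups"): ("group", "included"),
    ("users", "excludeGroups"): ("group", "excluded"),
    ("locations", "includeLocations"): ("location", "included"),
    ("locations", "excludeLocations"): ("location", "excluded"),
}

def build_reverse_index(policies):
    """Map (kind, object id) -> [(policy name, state, mode), ...]."""
    index = defaultdict(list)
    for policy in policies:
        conditions = policy.get("conditions") or {}
        for (section, prop), (kind, mode) in FIELDS.items():
            for obj_id in (conditions.get(section) or {}).get(prop) or []:
                index[(kind, obj_id)].append(
                    (policy["displayName"], policy["state"], mode))
    return index

def policies_for(index, kind, obj_id):
    """Policies directly assigned to one object; "All" matches any id and an
    explicit exclusion overrides an inclusion. Group membership is not
    resolved, so a user's group-derived policies need a separate lookup."""
    result = {}
    for key in ((kind, "All"), (kind, obj_id)):
        for name, state, mode in index.get(key, []):
            if result.get(name, ("", ""))[1] != "excluded":
                result[name] = (state, mode)
    return result

INDEX = build_reverse_index(POLICIES)
```

Looking up an excluded account such as the constructed `user-breakglass` shows the exclusion next to the policy state, which is the detail an auditor usually needs to confirm.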