Conditional Access (CA) is the policy enforcement engine of Azure AD (now Microsoft Entra ID). It is licensed with Azure AD Premium P1, which Microsoft 365 Business Premium includes. CA is evaluated only after the user completes first-factor authentication (normally the password): the engine applies If/Then logic to a set of conditions, or “signals”, about the sign-in and then grants access, requires an additional control such as MFA, or denies access.
Common Conditions
- A successful first-factor sign-in (correct username and password). Strictly this is a prerequisite rather than a signal: CA is not evaluated at all until the password is accepted.
- Location of the sign-in (the IP address resolved to a named location, trusted network or country)
- Device state (the device is registered to the user and marked compliant)
Common Actions
- Require an MFA challenge
- Grant access without an additional MFA prompt (no policy in scope requires one)
- Deny (block) access
Examples
- If an employee signs in from a device registered to them, in an allowed country, and on a trusted network, they are granted access without an MFA prompt.
- If an employee signs in from a device registered to them, in an allowed country, but not on a trusted network, they must complete an MFA challenge.
- If an employee signs in from a device registered to them, but not in an allowed country, they are denied access.
In practice these three outcomes come from several policies evaluated together, not one: when more than one policy is in scope, any policy that blocks wins, and otherwise the controls of every policy in scope must be satisfied.
Conditional Access Data Hierarchy
Guard+ View
Conditional Access Policies
Guard+ presents all the policies that are in place, showing for each:
- Its state (enabled, disabled or report-only)
- Client app types involved
- Sign-in risk levels the policy targets
- Service principal (workload identity) risk levels the policy targets
- Which device platforms are included and excluded
- When it was created and when it was last modified
Conditional Access In/Excluded Groups, Users and Locations
We give the auditor not only the ability to see which users, groups and locations are assigned to a policy, but also a reverse search, which lets the auditor see which policies include or exclude a given group, user or location.
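To make both halves of this concrete, here is an added example (not Guard+ code, and not Microsoft's implementation) that evaluates the three If/Then examples above and then performs the reverse search described here. The policy dictionaries follow the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.locations`, `grantControls`); the three policies, the named-location table and every ID (`loc-hq-office`, `grp-break-glass`, `alice`, ...) are constructed for the illustration.

```python
"""Offline evaluation and reverse search of Conditional Access policies.

Added example, not Guard+ code. Policy dictionaries follow the shape of the
Microsoft Graph conditionalAccessPolicy resource; the policies, named
locations and IDs below are constructed for this illustration.
"""
from dataclasses import dataclass

# Constructed named locations keyed by the ID a policy references.
# isTrusted mirrors namedLocation.isTrusted, which the "AllTrusted" literal matches.
NAMED_LOCATIONS = {
    "loc-hq-office": {"isTrusted": True},          # corporate egress IP range
    "loc-allowed-countries": {"isTrusted": False},  # countries/regions location
}


def policy(pid, name, state, controls, exclude_locations, operator="OR"):
    """Graph-shaped policy: all users except the break-glass group, every
    location except `exclude_locations`, with the given grant controls."""
    return {
        "id": pid, "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeGroups": [], "excludeGroups": ["grp-break-glass"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": exclude_locations},
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


POLICIES = [  # constructed; modelled on the three If/Then examples in the text
    policy("p-block-geo", "Block sign-in outside allowed countries", "enabled",
           ["block"], ["loc-allowed-countries"]),
    policy("p-mfa-untrusted", "Require MFA from untrusted networks", "enabled",
           ["mfa"], ["AllTrusted"]),
    policy("p-compliant", "Require compliant device", "enabledForReportingButNotEnforced",
           ["compliantDevice"], []),
]


@dataclass
class SignIn:
    """Signals CA evaluates after the password (first factor) succeeded."""
    user: str
    groups: set
    locations: set          # named-location IDs the client IP resolved to
    device_compliant: bool


def user_in_scope(users, s):
    included = ("All" in users["includeUsers"] or s.user in users["includeUsers"]
                or bool(s.groups & set(users["includeGroups"])))
    excluded = (s.user in users["excludeUsers"]
                or bool(s.groups & set(users["excludeGroups"])))
    return included and not excluded


def location_in_scope(locations, s):
    def matches(entry):
        if entry == "All":
            return True
        if entry == "AllTrusted":
            return any(NAMED_LOCATIONS.get(l, {}).get("isTrusted", False) for l in s.locations)
        return entry in s.locations
    included = any(matches(e) for e in locations["includeLocations"])
    excluded = any(matches(e) for e in locations["excludeLocations"])
    return included and not excluded


def applicable(policies, s):
    """Enforced policies whose user and location conditions match the sign-in."""
    return [p for p in policies if p["state"] == "enabled"
            and user_in_scope(p["conditions"]["users"], s)
            and location_in_scope(p["conditions"]["locations"], s)]


def decide(policies, s):
    """Combine grant controls the way CA does: any block policy in scope wins;
    otherwise every policy in scope must be satisfied. Returns 'deny',
    'mfa' (challenge the user) or 'grant' (no further prompt)."""
    satisfied = {"compliantDevice"} if s.device_compliant else set()
    need_mfa = False
    for p in applicable(policies, s):
        gc = p["grantControls"]
        controls = set(gc["builtInControls"])
        if "block" in controls:
            return "deny"
        if gc["operator"] == "OR":            # any one control is enough
            if controls & satisfied:
                continue
            if "mfa" in controls:
                need_mfa = True
                continue
            return "deny"                     # nothing here can be satisfied interactively
        missing = controls - satisfied        # AND: every control is required
        if missing - {"mfa"}:
            return "deny"                     # e.g. compliant device required but absent
        if "mfa" in missing:
            need_mfa = True
    return "mfa" if need_mfa else "grant"


def reverse_search(policies, target):
    """Every policy (any state) that names `target`, a user, group or
    named-location ID or the literals All/AllTrusted, in an include or
    exclude list, together with the list it appears in."""
    hits = []
    for p in policies:
        lists = {**p["conditions"]["users"], **p["conditions"]["locations"]}
        for list_name, members in lists.items():
            if target in members:
                hits.append((p["displayName"], list_name))
    return hits


if __name__ == "__main__":
    staff = {"grp-staff"}
    print(decide(POLICIES, SignIn("alice", staff, {"loc-hq-office", "loc-allowed-countries"}, True)))
    print(decide(POLICIES, SignIn("alice", staff, {"loc-allowed-countries"}, True)))
    print(decide(POLICIES, SignIn("alice", staff, set(), True)))
    print(reverse_search(POLICIES, "grp-break-glass"))
```

The three `decide` calls reproduce the three examples from the text (grant without MFA, MFA, deny), and the break-glass group is excluded from every policy, which is exactly the kind of relationship the reverse search surfaces for an auditor. Note that the report-only policy never influences `decide` but still shows up in `reverse_search`, so an auditor sees a policy's scope even before it is enforced.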