Authentication

Conditional Access

Conditional Access is an IdP policy capability that evaluates signals (user, device, location, app, risk score) at authentication time and decides whether to allow, block, require MFA, require a compliant device, or require step-up authentication.

Last reviewed 5/30/2026

Key points

  • Originated as Microsoft Conditional Access in Entra ID; Okta calls it 'Adaptive Authentication' and Google calls it 'Context-Aware Access.'
  • Signals: user/group, sign-in risk, user risk, device compliance, location/IP, application, client type.
  • Outcomes: allow, block, require MFA, require compliant device, require password change, session restrictions.
  • Foundation of Zero Trust workforce identity — replaces 'on the corporate network' as the implicit trust signal.
  • Effectiveness depends on signal quality (device posture telemetry, threat intelligence, behavioral analytics).

What is Conditional Access?

Conditional Access is the policy layer in a modern IdP that decides — at the moment of authentication or session establishment — whether to allow, deny, or step up a request based on context. Instead of "if password+MFA succeeds, allow," conditional access asks:

  • Who is the user? (group membership, employment status)
  • What's the user's risk score? (impossible travel, leaked credentials, anomalous behavior)
  • What device are they on? (managed, compliant, jailbroken, unknown)
  • Where are they? (country, IP reputation, named location)
  • What app are they trying to reach? (high-risk, regulated, public)
  • How are they connecting? (browser, legacy auth, modern auth, native app)

…and then enforces an outcome: allow, block, require phishing-resistant MFA, require a managed compliant device, force a password reset, or restrict the session (no download, no clipboard).

When buyers care

  • Zero Trust adoption — conditional access is how the "never trust, always verify" principle becomes policy.
  • Compliance — SOC 2, ISO 27001, NYDFS, HIPAA all benefit from documented adaptive access rules.
  • Insider risk and account takeover — risky-sign-in and risky-user signals catch what static MFA misses.
  • BYOD / contractor access — block unmanaged devices from sensitive apps without a full MDM rollout.

Common policies worth implementing

  1. Require phishing-resistant MFA for admin roles — non-negotiable.
  2. Block legacy authentication protocols — basic auth, IMAP/POP/SMTP on Microsoft 365.
  3. Require compliant device for finance / source code / customer data apps.
  4. Block sign-ins from countries you don't operate in (with break-glass exceptions).
  5. Force step-up for high-risk sign-ins — risk score above threshold, new device, new location.
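The five policies above, modelled as a small evaluator. This is an added example, not code from any IdP or from the original page; the signal names, group names, app names and the 0.7 risk threshold are constructed assumptions. It shows the semantics a practitioner should expect: any matching block policy wins outright, the grant controls of every other matching policy are combined, and a break-glass account is excluded from all of them.

```python
from dataclasses import dataclass

@dataclass
class SignIn:
    """Constructed signal set for one authentication attempt (field names are assumptions)."""
    user: str
    groups: frozenset
    app: str
    client: str            # "browser", "native" or "legacy" (basic auth, IMAP/POP/SMTP)
    country: str
    device_compliant: bool
    sign_in_risk: float    # 0.0 (no risk) to 1.0 (high), as reported by the IdP
    new_device: bool = False
    new_location: bool = False

# Constructed tenant settings standing in for the IdP's named groups, apps and locations.
ADMIN_GROUPS = frozenset({"global-admins", "security-admins"})
SENSITIVE_APPS = frozenset({"finance", "source-code", "customer-data"})
OPERATING_COUNTRIES = frozenset({"US", "GB"})
BREAK_GLASS_ACCOUNTS = frozenset({"breakglass-01"})
RISK_THRESHOLD = 0.7   # assumed step-up threshold

def evaluate(s: SignIn) -> dict:
    """Evaluate the five policies for one sign-in.
    A matching block policy wins outright; otherwise the grant controls of every
    matching policy are combined and the IdP must satisfy all of them."""
    if s.user in BREAK_GLASS_ACCOUNTS:          # excluded from every policy by design
        return {"outcome": "allow", "controls": [], "matched": ["break-glass-exclusion"]}
    matched, controls = [], set()
    if s.client == "legacy":                    # policy 2: block legacy authentication
        matched.append("block-legacy-auth")
    if s.country not in OPERATING_COUNTRIES:    # policy 4: block countries you don't operate in
        matched.append("block-unexpected-country")
    if matched:
        return {"outcome": "block", "controls": [], "matched": matched}
    if s.groups & ADMIN_GROUPS:                 # policy 1: admins need phishing-resistant MFA
        matched.append("admin-mfa")
        controls.add("phishing-resistant-mfa")
    if s.app in SENSITIVE_APPS and not s.device_compliant:   # policy 3: compliant device
        matched.append("sensitive-app-device")               # (already satisfied if compliant)
        controls.add("compliant-device")
    if s.sign_in_risk >= RISK_THRESHOLD or s.new_device or s.new_location:  # policy 5
        matched.append("risky-sign-in-step-up")
        controls.add("step-up-mfa")
    return {"outcome": "require" if controls else "allow",
            "controls": sorted(controls), "matched": matched}

if __name__ == "__main__":
    attempt = SignIn("alice", frozenset({"global-admins"}), "finance", "browser",
                     "US", device_compliant=False, sign_in_risk=0.2, new_device=True)
    print(evaluate(attempt))
```

The `matched` list is the part worth keeping in production logs: when outcomes become unpredictable through policy sprawl, knowing which policies fired on a given sign-in is what makes the result explainable.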

Common mistakes

  • No break-glass account — you lock yourself out of your own IdP when every admin is required to use a managed device and that device no longer exists.
  • Policy sprawl — too many overlapping policies make outcomes unpredictable. Use a small set of well-named policies.
  • Trusting "trusted networks" too much — VPN IPs and corporate egress aren't trust signals anymore.

Editorial note

Conditional access is genuinely the highest-ROI security feature in modern IdPs. If you have Entra ID P1/P2 or an Okta plan with adaptive auth, the policies above pay for themselves.