Submitted URL: https://docs.microsoft.com/azure/active-directory/conditional-access/overview
Effective URL: https://docs.microsoft.com/en-ca/azure/active-directory/conditional-access/overview
Submission: On July 27 via api from CA — Scanned from CA

WHAT IS CONDITIONAL ACCESS?

 * Article
 * 04/15/2022
 * 2 minutes to read
 * 16 contributors

The modern security perimeter now extends beyond an organization's network to
include user and device identity. Organizations can use identity-driven signals
as part of their access control decisions.



Conditional Access brings these signals together to make decisions and enforce
organizational policies. Azure AD Conditional Access is at the heart of the new
identity-driven control plane.



Conditional Access policies at their simplest are if-then statements: if a user
wants to access a resource, then they must complete an action. Example: A
payroll manager wants to access the payroll application and is required to do
multi-factor authentication to access it.

Administrators are faced with two primary goals:

 * Empower users to be productive wherever and whenever
 * Protect the organization's assets

Use Conditional Access policies to apply the right access controls when needed
to keep your organization secure.



Important

Conditional Access policies are enforced after first-factor authentication is
completed. Conditional Access isn't intended to be an organization's first line
of defense for scenarios like denial-of-service (DoS) attacks, but it can use
signals from these events to determine access.


COMMON SIGNALS

Common signals that Conditional Access can take into account when making a
policy decision include the following:

 * User or group membership
   * Policies can be targeted to specific users and groups giving administrators
     fine-grained control over access.
 * IP Location information
   * Organizations can create trusted IP address ranges that can be used when
     making policy decisions.
   * Administrators can specify the IP ranges of entire countries/regions to
     block or allow traffic from.
 * Device
   * Devices of specific platforms, or devices marked with a specific state, can
     be used as a condition when enforcing Conditional Access policies.
   * Use filters for devices to target policies to specific devices like
     privileged access workstations.
 * Application
   * Users attempting to access specific applications can trigger different
     Conditional Access policies.
 * Real-time and calculated risk detection
   * Signals integration with Azure AD Identity Protection allows Conditional
     Access policies to identify risky sign-in behavior. Policies can then force
     users to change their password, do multi-factor authentication to reduce
     their risk level, or block access until an administrator takes manual
     action.
 * Microsoft Defender for Cloud Apps
   * Enables user application access and sessions to be monitored and controlled
     in real time, increasing visibility and control over access to and
     activities done within your cloud environment.


COMMON DECISIONS

 * Block access
   * Most restrictive decision
 * Grant access
   * Least restrictive decision; it can still require one or more of the
     following options:
     * Require multi-factor authentication
     * Require device to be marked as compliant
     * Require Hybrid Azure AD joined device
     * Require approved client app
     * Require app protection policy (preview)


COMMONLY APPLIED POLICIES

Many organizations have common access concerns that Conditional Access policies
can help with, such as:

 * Requiring multi-factor authentication for users with administrative roles
 * Requiring multi-factor authentication for Azure management tasks
 * Blocking sign-ins for users attempting to use legacy authentication protocols
 * Requiring trusted locations for Azure AD Multi-Factor Authentication
   registration
 * Blocking or granting access from specific locations
 * Blocking risky sign-in behaviors
 * Requiring organization-managed devices for specific applications
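As an added illustration (not Microsoft's code and not the actual Azure AD evaluation engine), the following Python model shows how the signals, decisions and commonly applied policies above combine for one sign-in: every policy whose conditions match is evaluated together, a block decision is the most restrictive and wins outright, and otherwise the grant controls required by all matching policies must be satisfied. The policy names, signal fields, trusted countries and sample sign-ins are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class SignIn:
    """Signals available after first-factor authentication (constructed shape)."""
    user: str
    roles: FrozenSet[str]        # administrative role assignments
    app: str                     # application being accessed
    country: str                 # country derived from the client IP
    ip_trusted: bool             # inside an admin-defined trusted IP range
    device_compliant: bool       # device marked compliant by device management
    mfa_done: bool               # multi-factor authentication already satisfied
    legacy_auth: bool            # legacy authentication protocol in use
    risk: str                    # sign-in risk level: "none", "low", "medium", "high"


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]          # assignment: which sign-ins are targeted
    block: bool = False                        # "Block access" decision
    controls: FrozenSet[str] = frozenset()     # grant controls that must all be met


# Hypothetical policy set modelled on the article's "commonly applied policies".
POLICIES: List[Policy] = [
    Policy("MFA for administrative roles", lambda s: bool(s.roles), controls=frozenset({"mfa"})),
    Policy("Block legacy authentication", lambda s: s.legacy_auth, block=True),
    Policy("Block untrusted locations", lambda s: s.country not in {"CA", "US"} and not s.ip_trusted, block=True),
    Policy("Managed device for payroll app", lambda s: s.app == "payroll", controls=frozenset({"compliant_device"})),
    Policy("Block high-risk sign-ins", lambda s: s.risk == "high", block=True),
    Policy("MFA on medium-risk sign-ins", lambda s: s.risk == "medium", controls=frozenset({"mfa"})),
]

# Which signals satisfy each grant control.
SATISFIED: Dict[str, Callable[[SignIn], bool]] = {
    "mfa": lambda s: s.mfa_done,
    "compliant_device": lambda s: s.device_compliant,
}


def evaluate(signin: SignIn, policies: List[Policy] = POLICIES) -> dict:
    """Combine every policy that applies to the sign-in: a block wins outright;
    otherwise the union of all required grant controls is returned, plus those
    the current signals do not yet satisfy (the user is challenged for them)."""
    applicable = [p for p in policies if p.applies(signin)]
    blockers = [p.name for p in applicable if p.block]
    if blockers:
        return {"decision": "block", "by": blockers}
    required = frozenset().union(*(p.controls for p in applicable))
    unmet = sorted(c for c in required if not SATISFIED[c](signin))
    return {"decision": "grant", "by": [p.name for p in applicable],
            "required": sorted(required), "unmet": unmet}
```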


LICENSE REQUIREMENTS

Using this feature requires an Azure AD Premium P1 license. To find the right
license for your requirements, see Compare generally available features of Azure
AD.

Customers with Microsoft 365 Business Premium licenses also have access to
Conditional Access features.

Risk-based policies require access to Identity Protection, which is an Azure AD
P2 feature.

Other products and features that may interact with Conditional Access policies
require appropriate licensing for those products and features.


NEXT STEPS

 * Building a Conditional Access policy piece by piece
 * Plan your Conditional Access deployment
 * Learn about Identity Protection
 * Learn about Microsoft Defender for Cloud Apps
 * Learn about Microsoft Intune
