CAMPUX Cloud Bootcamp
Field notes · Identity
Conditional Access

Conditional Access: the if-then engine that decides who really gets in

By Victor Thomson16 July 20266 min read

A correct password used to mean "you're in." That assumption is how accounts get breached. Conditional Access replaces it with a question: given who you are, where you are, and what you are signing in from — should you get in, and on what terms?

In a cloud world, the network perimeter is gone and identity is the real front line. Microsoft Entra Conditional Access is the control that makes identity do that job. Microsoft calls it exactly what it is: "Microsoft's Zero Trust policy engine," which "brings signals together, to make decisions, and enforce organizational policies." In plain terms, it sits between a successful sign-in and the resource, weighs the context, and decides whether to wave you through, block you, or ask for more proof.

It is an if-then statement

Strip away the enterprise language and a Conditional Access policy is a rule you already understand. The docs put it plainly: policies "at their simplest are if-then statements." If a user wants to reach a resource, then they must satisfy a condition — for example, if someone opens a sensitive app, then they must complete multifactor authentication. That is the entire mental model. Everything else is just richer ifs and stronger thens.

One thing to get right

Conditional Access runs after first-factor authentication — the password step already happened. So it is not a wall at the very front; it is the checkpoint just inside the door that decides what that verified identity may actually do. It is not designed to stop a denial-of-service flood; it is designed to govern authenticated access.

Signals: the "if"

The power is in how many signals it can weigh when deciding. Common ones include:

Because it combines these, you can express nuance that a flat rule cannot: "an admin, from an unmanaged device, in a new country" is a very different request from "a regular user, on a compliant laptop, in the office" — and Conditional Access can treat them differently.

Decisions: the "then"

Once it has weighed the signals, a policy lands on a decision. At the extremes it is block access (the most restrictive) or grant access — but the interesting middle is grant, with conditions:

A password says who you claim to be. Conditional Access asks whether — given everything else — that claim is good enough to let you in right now.

The policies you will actually write

Most organizations start from the same short list of high-value rules:

All of it ladders up to the three Zero Trust principles Conditional Access exists to serve — verify explicitly, use least privilege, assume breach. When an interviewer asks how you would secure sign-ins beyond a password, "Conditional Access policies — for example, require MFA for admin roles and block legacy auth — as the Zero Trust policy engine on top of Entra" is the answer that shows you think in identity, not firewalls. (Note: it is an Entra ID P1 feature, so the licensing is worth knowing.)

Further reading — the Microsoft docs
Drilled in Class 7 — Entra, Subscriptions & Groups. Back to all field notes →