Posted by Andrew Ballantyne on 8th February 2021

Understanding Conditional Access

In my recent LinkedIn post, I provided 4 suggestions as to how organisations can secure their remote workers, something I’m sure most would agree is of paramount importance under the current circumstances. Last week, the first of the 4 suggestions I looked at was Azure Information Protection. The second of the 4, which I'm going to elaborate on this week, is Conditional Access.

Now more than ever, we need the mobility and flexibility that cloud products like Office 365 offer our organisations. That said, given that we don’t always have control over the devices or networks that our remote workers are connecting from, there are plenty of security challenges we’re faced with. The problem, therefore, is enabling mobility without compromising security. This is where Conditional Access comes into the picture.

What is Conditional Access and How does it Work?

For those who’ve never heard of conditional access, you can probably take a reasonable guess as to what it does. It restricts access to an organisation’s platforms and data by enforcing standards that must be met by a device or network before accessing information. It does this by doing 2 things:

  1. It collects signals using your organisation’s Active Directory. For the purposes of clarity, the most common signals are as follows:
    1. IP locations
    2. Users and User Groups
    3. Applications
    4. Devices
    5. Risk signals, which I will elaborate on below
  2. It then evaluates those signals against the policy rules you have put in place using basic ‘if-then’ statements. Here is an example:


IF: a user is not logging in from [insert IP address],

THEN: enforce multifactor authentication.


It may be the case that an organisation sets up multiple policies for various scenarios. In cases where multiple policies are relevant to the same user or user group, an ‘and’ rule will be automatically applied, meaning that the user or user group will be subjected to all policy stipulations, rather than one superseding the other.

To quickly refer back to signals and the associated restrictions, ‘IP locations’ can be set up to be as far-reaching as restricting access for entire countries and regions, or as narrow as individual IP addresses.

With regard to ‘risk signals’, the integration of Conditional Access with Azure AD allows for the identification of unusual or risky sign-in behaviours. The ‘then’ action that is taken off the back of this is down to the organisation’s policies, but to give you an idea, password resets or multi-factor authentication can then be enforced upon the user under such circumstances.
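A simplified model of the evaluation described above, added here as an illustration; it is not Microsoft's policy engine and not code from the original post. Each policy is one if-then rule, and the controls of every matching policy accumulate under the ‘and’ rule. The group names, control labels and the 203.0.113.0/24 "office" range are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample value: a documentation range standing in for the office network.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    """The signals collected for one sign-in attempt."""
    user_groups: frozenset
    ip: str
    device_compliant: bool
    risk: str  # "low", "medium" or "high"


def outside_trusted_network(s):
    addr = ipaddress.ip_address(s.ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


# One IF-THEN rule per entry: (name, groups in scope, IF condition, THEN controls).
# Control labels are hypothetical, not Azure AD identifiers.
POLICIES = [
    ("MFA outside office", {"staff"}, outside_trusted_network, {"mfa"}),
    ("Risky sign-in", {"staff", "contractors"},
     lambda s: s.risk == "high", {"mfa", "password_reset"}),
    ("Non-compliant device", {"staff", "contractors"},
     lambda s: not s.device_compliant, {"web_only", "block_download"}),
]


def evaluate(sign_in, policies=POLICIES):
    """Return (matched policy names, every control the sign-in must satisfy)."""
    matched, required = [], set()
    for name, groups, condition, controls in policies:
        if groups & sign_in.user_groups and condition(sign_in):
            matched.append(name)
            required |= controls  # 'and' rule: controls add up, none supersedes another
    return matched, required


if __name__ == "__main__":
    remote = SignIn(frozenset({"staff"}), "198.51.100.7", False, "high")
    office = SignIn(frozenset({"staff"}), "203.0.113.25", True, "low")
    for label, s in (("remote", remote), ("office", office)):
        names, controls = evaluate(s)
        print(label, names, sorted(controls))
```
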

Thinking about Conditional Access in Practical Terms

Let’s take a second to look back to the initial point made at the beginning: Conditional Access is about enabling mobility without compromising on security. A good example of a policy we’ve implemented for one of our customers that supports this balance between remote working and security is:

IF: a ‘non-compliant’ device attempts to log on,

THEN: allow access but only when connected to the web, and do not allow the user to download company information onto their ‘non-compliant’ device.

‘Non-compliant’ is whatever you define it to be, which takes me onto my next point.

Understanding what you need to do to effectively implement Conditional Access basically requires you to ask 2 things:

  1. What does a ‘compliant device’ look like for my organisation (i.e. what fits your idea of sufficiently secure)? Here are some suggestions to get you started:
    1. Is it a company owned device?
    2. Does the device require encryption?
    3. Does it have a secure pin that meets our complexity requirements?
    4. Is it running antivirus?
    5. Is the device jailbroken?

As you can see, the questions you pose at this stage will effectively form the basis of the rules you apply to your organisation’s policies.

  2. Now that I know what a ‘compliant device’ is, what do I want to happen if a device fails to meet the standards set? Perhaps you want to restrict non-compliant devices from accessing your Office 365 platform? This is all up to you and what works for your organisation, which is the beauty of the product. It puts granular rule-making into your hands.


Final Remarks

Hopefully, you will now have an idea of what Conditional Access is and, even better, you might be starting to develop ideas as to how this is useful both now and as part of your longer-term IT strategy. Let’s face it, even if/when we do return to our offices, the need for remote working is unlikely to diminish, making Conditional Access the tool in your kit that is perfectly suited to securing your end users in this modern landscape of remoteness.


What's Next?

If you want to understand more about how Conditional Access works, Click Here. It will take you to a blog where you can watch a recent webinar recording where we looked at Conditional Access.
