Conditional Access and Identity Governance

Conditional Access: Signal → Decision → Enforcement

Conditional Access is the most important security control in a Microsoft 365 and Azure environment. It sits at the authentication point and evaluates every sign-in before granting access.

Signals (Inputs to the Decision)

CA evaluates these signals for every authentication:

• User or group membership — Different policies for executives, contractors, guest users, service accounts
• Application being accessed — Sensitive apps like Azure Portal or HR systems may require stronger controls
• Device state — Is the device Entra ID joined? Compliant with Intune policies? Hybrid joined?
• Location — Known corporate IP ranges, trusted countries, blocked countries
• Real-time sign-in risk — Microsoft Entra ID Protection evaluates risk signals (unfamiliar location, impossible travel, known attack patterns)
• User risk — Accumulated risk based on leaked credentials, abnormal behavior patterns
• Client application — Modern authentication vs legacy authentication (which doesn’t support MFA)

Decisions (What to Do)

Based on the signals, CA makes one of three decisions:

• Block access — Deny the authentication entirely
• Grant access with conditions — Allow access but require additional controls (grant controls)
• Grant access with session restrictions — Allow access but limit what the user can do (session controls)

Grant Controls vs Session Controls

Type	Grant Controls	Session Controls
When Applied	At sign-in time — before access is granted	After sign-in — controls the session itself
Purpose	Determine WHETHER to grant access	Determine HOW the session behaves
Examples	Require MFA, require compliant device, require Entra hybrid join, require approved client app, require terms of use acceptance	Sign-in frequency (force re-auth every N hours), persistent browser session (don't remember), app-enforced restrictions, Conditional Access App Control (Defender for Cloud Apps reverse proxy)
Enforcement	All-or-nothing — user meets the requirement or access is denied	Modifies the session behavior — user gets access but with limitations
Best For	Ensuring minimum security posture before allowing access	Limiting damage potential during the session — especially for risky scenarios or unmanaged devices

Core CA Policy Patterns

As an architect, you design a CA policy set that covers the organization’s security requirements. Here are the foundational patterns every organization needs:

Pattern 1: Block Legacy Authentication

Legacy authentication protocols (POP, IMAP, SMTP with basic auth) don’t support MFA. Attackers specifically target these protocols because they bypass your MFA requirements.

Signal: Client app = “Other clients” (legacy auth) Decision: Block access Why it matters: This single policy closes one of the most exploited authentication gaps.

Pattern 2: Require MFA for All Users

The baseline — every user must complete MFA for every sign-in that doesn’t come from a trusted context.

Signal: All users (with break-glass exclusions) Decision: Require MFA Exclusions: Emergency access accounts (break-glass) — these MUST be excluded from all CA policies

Pattern 3: Require Compliant Device for Sensitive Apps

For applications containing sensitive data, require that the device meets your organization’s compliance baseline (up-to-date OS, encryption enabled, antivirus running).

Signal: Target applications = HR system, finance portal, admin portals Decision: Require Intune-compliant device or Entra hybrid joined device Why it matters: MFA verifies the user. Device compliance verifies the device. Both are needed for sensitive access.

Pattern 4: Block or Limit Access from Untrusted Locations

For high-security scenarios, block access from countries where the organization doesn’t operate, or limit access to browser-only (no download capability).

Signal: Location = countries NOT in the allowed list Decision: Block access OR grant with session controls (app-enforced restrictions)

Pattern 5: Risk-Based Conditional Access

Use real-time risk signals from Entra ID Protection to dynamically adjust requirements.

Signal: Sign-in risk = Medium or High Decision: Require MFA + require password change (for user risk) Why it matters: Normal sign-ins aren’t disrupted. Risky sign-ins get extra verification. This is the heart of adaptive Zero Trust.

---

💰 Ingrid Designs CA for Multiple User Populations

Ingrid needs to design Conditional Access for Nordic Capital Partners, which has three distinct user populations with very different trust levels.

“We can’t apply the same policy to everyone,” Ingrid tells Yuki Tanaka, her IAM lead. “Our full-time employees, contractors, and partner auditors have completely different risk profiles.”

Employees (5,000 users):

• MFA required (phishing-resistant FIDO2 keys for sensitive roles, Microsoft Authenticator for others)
• Corporate-managed devices required for accessing financial systems
• Risk-based CA — medium risk triggers step-up MFA, high risk blocks and requires admin remediation
• 12-hour session duration from corporate network, 8-hour from home

Contractors (300 users):

• MFA required from ALL locations (no trusted network exception)
• Can only access specific applications assigned via entitlement management
• Session timeout: 4 hours (shorter than employees — higher risk profile)
• No access from non-compliant devices — browser-only via Conditional Access App Control with session restrictions

Partner Auditors (50 guest users):

• MFA required (trust partner’s MFA via cross-tenant access settings for Entra ID partners, email OTP for others)
• Access limited to specific SharePoint sites and Teams channels via access packages
• Block downloads on unmanaged devices — use app-enforced restrictions
• Session timeout: 8 hours, no persistent browser session
• Access automatically expires at audit end date

“The key insight,” Ingrid tells the team, “is that Conditional Access policies are cumulative. If a user matches multiple policies, the MOST restrictive controls apply. So we don’t need to worry about a contractor somehow getting employee-level access through a loophole — the contractor-specific policies layer on TOP of the baseline.”

Zero Trust Identity Architecture

Conditional Access is the policy engine, but Zero Trust identity architecture is the broader strategy. It follows three principles:

1. Verify Explicitly

Never trust based on location or network alone. Always authenticate and authorize based on all available data points — identity, device health, location, data classification, anomalies.

2. Use Least Privilege Access

Grant only the minimum permissions needed for the task. Use just-in-time access (PIM) for elevated roles. Use entitlement management to scope external access to specific resources.

3. Assume Breach

Design as if the attacker is already inside. Minimize the blast radius by segmenting access, requiring continuous verification (session controls, re-authentication), and monitoring everything.

Identity Governance

Conditional Access controls access at the point of authentication. Identity Governance ensures access remains appropriate over time — people change roles, projects end, partnerships expire. Without governance, organizations accumulate excessive access (privilege creep).

Access Reviews

Automated periodic review of who has access to what. Reviewers (managers, resource owners, or the users themselves) confirm or deny continued access.

Design decisions:

• Review frequency: Quarterly for sensitive groups, semi-annually for general access
• Reviewer: Manager (knows the person), resource owner (knows the resource), or self-review (fastest but least secure)
• Auto-remove: Automatically revoke access if the reviewer doesn’t respond within the review period
• Scope: Group membership, application assignment, access package assignment, privileged role assignment

Entitlement Management

Access packages bundle the resources a user needs for a specific scenario (e.g., “Audit access package” containing three SharePoint sites and two Teams channels). Users request access packages, go through an approval workflow, and access automatically expires.

Design decisions:

• Catalogs: Organize access packages by department or scenario
• Approval workflow: Single-stage (manager only) or multi-stage (manager + resource owner)
• Lifecycle: Maximum duration, renewal requirements, automatic expiration
• External users: B2B guest accounts can be automatically created and removed based on access package lifecycle

---

🌐 Elena Sets Up Quarterly Access Reviews

Elena is implementing access reviews for Meridian’s sensitive roles. She’s found that 40% of users in the “Finance Admins” security group have changed roles in the past year but still have finance admin access.

“This is textbook privilege creep,” Elena tells Li Wei. “People get access when they start a project, but nobody removes it when they move on. We need automated governance.”

Elena’s access review design:

• Quarterly reviews for all privileged role assignments (Global Admin, Exchange Admin, SharePoint Admin, Security Admin)
• Monthly reviews for the Finance Admins group (high-sensitivity financial data)
• Manager as reviewer — the user’s direct manager must confirm the access is still needed
• 14-day response window — if the manager doesn’t respond within 14 days, access is automatically removed
• Self-attestation for low-sensitivity groups — users confirm their own access for general distribution lists and non-sensitive Teams

“Isn’t automatic removal risky?” Li Wei asks. “What if a manager is on vacation and access gets revoked?”

“That’s why we set a 14-day window with reminder emails on day 1, day 7, and day 12,” Elena explains. “And if access IS revoked, the user can simply re-request it. The inconvenience of re-requesting is far less than the risk of stale privileged access sitting there for years.”

Lifecycle Workflows

Automated workflows that trigger on HR events — employee joining, moving between departments, or leaving the organization.

• Joiner: Automatically assign base access packages, create accounts, send welcome communications
• Mover: When department changes, automatically adjust group memberships and access packages
• Leaver: Automatically disable account, remove from groups, revoke access packages, initiate data retention workflows

Authentication Methods Strategy

The authentication methods you offer determine both security and usability. As an architect, you design the authentication methods policy that balances these concerns.

Phishing-resistant methods (highest security):

• FIDO2 security keys — physical keys that are immune to phishing
• Windows Hello for Business — biometric or PIN tied to the device’s TPM
• Certificate-based authentication — smart cards or derived credentials

Strong methods (good security, better usability):

• Microsoft Authenticator (push notification with number matching)
• Microsoft Authenticator (passkey)
• Temporary Access Pass — time-limited code for onboarding or recovery

Legacy methods (being phased out):

• SMS — vulnerable to SIM swapping
• Voice call — vulnerable to social engineering
• Email OTP — least secure, used for B2B guests without better options

Architecture recommendation: Phishing-resistant methods for privileged roles and sensitive access. Microsoft Authenticator with number matching as the baseline for all users. Disable SMS and voice call unless there’s a specific population that cannot use better methods.

SC-100 Exam Strategy: Conditional Access and Governance

Question

Click or press Enter to reveal answer

Answer

Click to flip back

Knowledge Check

Ingrid is designing Conditional Access for Nordic Capital Partners. Contractors should be able to access their assigned applications from any location but must always use MFA, and they should not be able to download files when using unmanaged devices. Which combination of controls achieves this?

AA. Grant control: Require MFA. Session control: Sign-in frequency of 1 hour.BB. Grant control: Require MFA and require compliant device. No session controls.CC. Grant control: Require MFA. Session control: App-enforced restrictions to block downloads on unmanaged devices.DD. Block access from unmanaged devices entirely.

Check Answer

Knowledge Check

Elena discovers that 40% of users in privileged security groups have changed roles but retained their elevated access. Which identity governance approach BEST addresses this ongoing problem?

AA. Implement a one-time manual audit of all privileged group membershipsBB. Configure quarterly access reviews with manager as reviewer and automatic removal for non-responsesCC. Remove all users from privileged groups and require them to re-request accessDD. Implement Conditional Access policies that block access from non-compliant devices for privileged groups

Check Answer

Knowledge Check

A security architect is designing the authentication methods strategy for a financial services company. Which approach best balances security and usability across different user populations?

AA. Require FIDO2 security keys for all 5,000 users to maximize securityBB. Allow SMS-based MFA for all users since it's the easiest to deployCC. Require phishing-resistant methods (FIDO2/WHfB) for privileged roles, Microsoft Authenticator with number matching for all other users, and disable SMS/voice callDD. Allow users to choose any authentication method they prefer

Check Answer

🎬 Video coming soon

---

Next up: Privileged Access Design — We’ll design PIM, PAM, privileged access workstations, the enterprise access model, and the critical break-glass account strategy.