Conditional Access in Azure Active Directory

With the proliferation of BYOD (Bring Your Own Device), remote working, and 3rd party SaaS (Software as a Service) apps usage, that further promotes the “anywhere, any device” concept, more than ever, we need solutions that can help protect the company’s information.

Microsoft Azure Active Directory’s Conditional Access answers some of these “how” concerns of Security Management. This is one of many solutions that can help protect your environment. Other Security Management concept include, Azure Information Protection, Privilege Account workstations, Windows Information Protection which have been covered in our previous blogs.

Today IT security is based on layered protection; you have to choose not one but many solutions to protect you from the threats you encounter in the information protection space.

Conditional access is a capability of Azure Active Directory that enables you to define conditions under which only authorized users can access your apps. With controls, you can either tie additional requirements to the access, or you can block it. The implementation of conditional access is based on policies. A policy-based approach simplifies your configuration experience because it follows the way you think about your access requirements.

Here are some scenarios where conditional access feature can be helpful:

  1. You want more control over how the right people are accessing information under certain conditions.
  2. You have requirements under which you want to block access to certain apps even for the right individuals.
  3. You want to all employees to use certain application from the office network; However, you do not want them to access these apps from an untrusted network.

In the context of Azure Active Directory conditional access,

  • When this happens” is called “Condition Statement”
  • Then do this” is called “Controls”

The combination of a condition statement with your controls represents a conditional access policy.

Each control is either a requirement that must be fulfilled by the person or system signing in or a restriction on what the user can do after signing in.

There are two types of controls:

  1. Grant controls – To gate access
  2. Session controls – To restrict access to a session

1. Grant controls – Grant controls oversee whether a user can complete authentication and reach the resource that they’re attempting to sign-in to. If you have multiple controls selected, you can configure whether all of them are required when your policy is processed. The current implementation of Azure Active Directory enables you to set the following grant control requirements:


2. Session controls – Session controls enable limiting experience within a cloud app. The session controls are enforced by cloud apps and rely on additional information provided by Azure Active Directory to the app about the session.


To learn more about security and compliance, review the Compliant Cloud Container and visit