← All terms
Conditional Access

What is Conditional Access?

Conditional access is a policy engine that decides whether to allow, block, or step up a sign-in based on context like user, device, location, and risk.

Last updated: 13 July 2026

How conditional access works

Conditional access policies follow an if-then structure evaluated at sign-in: if a set of conditions is met, then apply a defined control. Conditions typically include the user or group, the application being accessed, the device and its compliance state, IP range or network, country, and time of day. Controls range from allowing access silently, to requiring multi-factor authentication, to blocking the attempt outright.

A typical policy set might allow single-factor sign-in from managed devices on the corporate network, require MFA from anywhere else, and block access entirely from countries where the organization has no presence.

Modern engines also consume risk signals — a new device, an unfamiliar location, or an improbable travel pattern — and can escalate requirements dynamically, so friction appears only when context is unusual.

Why conditional access matters

Static rules treat every sign-in the same, which forces a bad trade-off: either constant friction for everyone or weak protection for risky situations. Conditional access resolves this by matching the strength of verification to the risk of the context, keeping everyday work smooth while hardening the unusual cases attackers exploit.

It is also the primary enforcement mechanism of a zero trust architecture. Principles like verify explicitly are abstract until a policy engine actually evaluates device, location, and risk on every request — conditional access is where that evaluation happens.

For compliance, policies provide demonstrable, centrally managed access controls, and their evaluation logs show auditors exactly which conditions were checked before access to sensitive systems was granted.

Designing conditional access policies

Start with a small set of broad, high-value policies rather than dozens of narrow ones: require MFA for all users, block legacy authentication protocols that bypass modern controls, and restrict access to administrative interfaces to trusted networks or compliant devices. Test each policy in a report-only or pilot mode before enforcing it, because a misconfigured rule can lock out an entire workforce.

Always maintain break-glass accounts excluded from policies, protected by strong dedicated credentials, for recovery if the policy engine or MFA infrastructure fails. Review policies periodically — organizational changes quietly invalidate assumptions about networks, groups, and geographies.

Monosign provides conditional access policies based on IP, device, country, time, and group membership, with risk-based step-up verification.

Frequently asked questions

What is the difference between conditional access and MFA?
MFA is a verification method — proving identity with a second factor. Conditional access is the decision layer that determines when MFA is required, when access is allowed without it, and when it is blocked entirely. Conditional access typically uses MFA as one of its enforcement controls.
Can conditional access block sign-ins from specific countries?
Yes. Geographic conditions are a common policy element: organizations block or require additional verification for sign-ins from countries where they have no users. Determined attackers can evade this with VPNs, so geo-blocking works best combined with device and risk signals rather than alone.