IT Hub

How Conditional Access Prevents Unauthorized Logins

Reco Security Experts
June 19, 2024
June 19, 2024

Preventing Unauthorized Logins with Conditional Access in Microsoft Entra

In today's digital age, where information is the new currency, protecting sensitive data is important. With the increasing frequency and sophistication of cyber threats, organizations must adopt robust security measures to protect their assets. One such measure gaining traction is conditional access, a proactive approach to authentication that increases cybersecurity by preventing unauthorized logins. This article delves into the concept of conditional access, its significance against cyber threats, and its implementation across various sectors.

Building Your Policy

A conditional access policy is an if-then statement of assignments and access controls. A conditional access policy brings signals together to make decisions and enforce organizational policies.

How does an organization create these policies? What is required? How are they applied?

The diagram above shows how conditional access policy works perfectly from the signal to decision to enforcement.

Understanding Conditional Access

Conditional access refers to the practice of imposing specific conditions or criteria that users must meet to gain access to a network, system, or application. Unlike traditional username-password authentication, which relies solely on what the user knows, conditional access adds an extra layer of security by considering factors such as device health, user location, time of access, and behavioral patterns.

Conditional access policies in Entra ID can use a wide variety of signals from different sources to determine which policy it should enforce. These signals include the following:

  • User, Group membership, or Role (privileged roles)
  • Device state – Based on (non)compliant devices, device platform
  • Location – Trusted IP Ranges or based on countries/regions
  • Application – Filter policies on specific applications or browsers
  • User risk – Enforce policy based on user risk level
  • Sign-In Risk – Based on real-time and calculated risk detection

These signals can be used in a policy to decide if the user is granted access or if additional authentication is required. 

We have the following options when it comes to access control:

  • Block access
  • Grant access
    • Require MFA – This means that the user must complete an MFA request to access the resource. You can set the authentication strength (SMS, Passwordless MFA, or Phishing-resistant MFA)
    • Require the device to be compliant
    • Require Microsoft Entra hybrid joined device
    • Require an app protection policy
    • Require password change – Use must change password. Works only in combination with MFA

The image above shows how this conditional access policy blocks access from all countries except the named locations.

Named Locations

One of the components that you will need to use when creating a policy is the Named Locations. These are either Countries or IP Ranges that you can use as a condition in your policy.

A common policy is to block access to your Microsoft 365 from all countries except from the countries where your users work. To create this policy, you can define the countries in your Named Locations.

Another option is to add the public IP addresses from your offices to your named locations. This allows you to reduce the sign-in frequency, for example, from these locations:

You can add a Named Location in Microsoft Entra as follows:

  1. Open Microsoft Entra and go to Conditional Access under Protection
  2. Choose Named Locations
  3. Click on + Countries Location
  4. Give your locations a name
  5. Select the countries that you want to add to the list
  6. Click on Create

Key Components of Conditional Access Policy

1. Multi-Factor Authentication (MFA): MFA requires users to provide multiple forms of verification before granting access. This could include something they know (e.g., password), something they have (e.g., smartphone for receiving a code), or something they are (e.g., biometric data like fingerprint or facial recognition).

2. Risk-Based Authentication: This approach evaluates the risk associated with each login attempt based on factors such as the Device used, the user's behavior patterns, and the location from which the login is initiated. High-risk login attempts may trigger additional authentication steps or even block access altogether.

3. Device Compliance Checks: Conditional access verifies the compliance status of devices attempting to connect to the network. This ensures that only devices that meet specified security standards, such as having up-to-date software patches and antivirus protection, are allowed access.

4. User and Entity Behavior Analytics (UEBA): UEBA monitors and analyzes user behavior to identify suspicious activities or deviations from normal patterns. By detecting anomalies in real-time, organizations can promptly respond to potential security threats.

Benefits of Conditional Access Policy

  • Enhanced Security: By integrating multiple authentication factors and risk assessments, conditional access significantly reduces the risk of unauthorized access. This proactive approach helps thwart various cyber threats, including phishing attacks, credential theft, and brute-force attacks.
  • Granular Control: Conditional access allows organizations to define specific access policies based on user roles, location, and device type. This granular control ensures that users only have access to the resources necessary for their roles, minimizing the risk of unauthorized data exposure.
  • Improved User Experience: While conditional access adds an extra layer of security, it does so without compromising user experience. By dynamically adjusting authentication requirements based on risk levels, legitimate users can enjoy seamless access to resources without unnecessary authentication hurdles.
  • Compliance Adherence: Many regulatory frameworks, such as GDPR and HIPAA, require organizations to implement robust security measures to protect sensitive data. Conditional access helps organizations meet compliance requirements by enforcing stringent access controls and auditing capabilities.

Implementing Conditional Access Policy

1. Assessing Security Needs: Before implementing conditional access, organizations must assess their security needs and identify the resources that require protection. This involves conducting a risk assessment to determine potential threats and vulnerabilities.

2. Defining Access Policies: Once security requirements are identified, organizations can define access policies based on factors such as user roles, device types, and geographic locations. These policies should strike a balance between security and usability, ensuring that legitimate users can access resources without undue friction.

3. Selecting the Right Tools: Several cybersecurity vendors offer conditional access solutions that integrate seamlessly with existing identity and access management (IAM) systems. Organizations should carefully evaluate these solutions based on their scalability, compatibility, and effectiveness in mitigating modern cyber threats.

4. User Education and Awareness: Despite the robust security measures in place, human error remains a significant risk factor in cybersecurity. Therefore, organizations must educate users about the importance of security best practices, such as avoiding password sharing, recognizing phishing attempts, and reporting suspicious activities.

Case Studies

Financial Services Sector

Banks and financial institutions are prime targets for cybercriminals due to the valuable data they possess. By implementing conditional access, these organizations can protect customer accounts and financial transactions from unauthorized access, ensuring regulatory compliance and maintaining customer trust.

Healthcare Industry

With the proliferation of electronic health records (EHRs) and telemedicine platforms, healthcare providers face growing cybersecurity challenges. Conditional access helps healthcare organizations safeguard patient data by controlling access to sensitive medical records and ensuring that only authorized personnel can view or modify patient information.

Enterprise Environments

Large enterprises with a diverse workforce and extensive IT infrastructure can benefit greatly from conditional access. By implementing adaptive access policies based on user roles, departments, and geographic locations, these organizations can mitigate the risk of insider threats and external cyber-attacks.


In an era marked by escalating cyber threats, conditional access emerges as a potent weapon. By incorporating multiple authentication factors, risk assessments, and access controls, organizations can fortify their defenses against unauthorized logins and data breaches. As cybercriminals continue to evolve their tactics, adopting a proactive approach to authentication becomes imperative for protecting sensitive information and preserving trust in the digital ecosystem. Conditional access represents not only a technological advancement but also a paradigm shift in cybersecurity, one that prioritizes prevention over remediation and resilience over vulnerability.

Explore More
See more articles from our Hub