Conditional Access

Status: Scaffold — content in progress

Conditional Access (CA) is Entra ID's policy engine that evaluates access requests using multiple signals before granting access. It is the primary enforcement mechanism for Zero Trust in Entra ID.

Signals → Decisions → Controls

Signals (WHO + WHAT + WHERE + WHEN + RISK)
    ↓
CA Policy Evaluation
    ↓
Controls (Allow / Block / Require MFA / Require compliant device / etc)

Key Signal Types

Signal	Examples
User / Group	Specific users, all users, guests
Cloud app	Microsoft 365, Salesforce, all apps
Location	Named location (IP ranges), trusted location
Device platform	iOS, Android, Windows
Device compliance	Intune compliant, Hybrid AD joined
Sign-in risk (Identity Protection)	Low / Medium / High
User risk	Leaked credentials, suspicious behavior

Grant Controls

Control	Description
Require MFA	User must perform MFA
Require compliant device	Device must be Intune-managed and compliant
Require hybrid AD join	Device must be domain-joined + registered
Block access	Full block
Require approved app	Must use Microsoft-approved client
Require app protection policy	MAM policy enforced

CA Bypass Techniques

Technique	How
Legacy auth	Use protocols that predate CA (IMAP, POP3, SMTP AUTH, Exchange legacy)
Trusted named location abuse	If attacker's IP is in a trusted IP range
Device compliance bypass	Enroll attacker device as compliant
Token theft	Steal a token that was issued after CA was satisfied — reuse it
Pass-the-PRT	Use a stolen Primary Refresh Token (includes device compliance signals)

Cross-Links

Topic	Link
Pass-the-PRT	pass-the-prt
MFA Fatigue	mfa-fatigue
Entra Overview	entra-overview

Signals → Decisions → Controls​

Key Signal Types​

Grant Controls​

CA Bypass Techniques​

Cross-Links​

Signals → Decisions → Controls

Key Signal Types

Grant Controls

CA Bypass Techniques

Cross-Links