
Conditional Access Management: Everything You Need To Know

Conditional Access policies grant or deny access depending on factors like location and device. Here is how conditional access policies work, and how your organization can implement them effectively.

By Alex Zawalnyski Updated Jul 20, 2023

Conditional Access describes security and access policies whose outcome depends on specific factors. Rather than letting any authenticated user reach a site or area, access is denied unless specific criteria are met.

Now, technically most digital accounts provide a degree of conditional access – if you don’t have the correct username and password, you are not granted access. That is the condition. When we talk about conditional access, however, we are referring to a more advanced and nuanced set of factors to allow or deny access.

How Do Conditional Access Policies Work?

Conditional access policies are built around configurable statements that decide how a solution should respond to a given scenario. These solutions ingest data, compare it with the policy statement, then respond accordingly. We tend to call these inputs signals. Common signals might include user, location, device, application, and risk. 

Each signal changes which branch of a policy statement applies. For example, a policy statement may be “If account access is requested from a known device, then allow access”. This statement could be complemented by subsequent policies, such as “If account access is requested from an unknown device, then validate identity through MFA before allowing or denying access”.

Other signals include:

Device

The most obvious device-based conditional access policy ensures that a login attempt is coming from a recognised or known device. If a login request comes from an unrecognized device, the solution may ask for another factor of authentication before granting access.

Device signals are also the basis for the grant controls a policy can enforce before access is allowed. Typical options are to:

  • Require multi-factor authentication
  • Require the device to be marked as compliant (this relies on the device being enrolled in a management tool that reports its compliance state, so unenrolled devices cannot satisfy it)
  • Require an approved client app
  • Require an app protection policy

Location

You may require that users only access services or data from specific geographical regions. This can be as broad as entire countries, or as specific as a single IP address or range. You may only want to grant access whilst in the office (and therefore arriving from the office’s known public IP range), or prevent access when out of the country. Both are possible through conditional access policies. Note that location is inferred from the source IP address, so a VPN or proxy can make a request appear to come from an allowed region; treat location as a supporting signal alongside device and identity checks rather than as a control on its own.

Time

This is often a useful means of indicating if an access request is from a valid user, or if an account has been compromised. Access solutions can create baseline profiles of normal behavior. If a login request is delivered at an unusual or abnormal time, access can be blocked.

Type of access request

It may be that a user is attempting to log into an area they do not usually access, or are not authorized to access. The user may be granted permission by contacting an administrator. Alternatively, they may be given “read only” access that prevents them from editing, downloading, or saving documents.

Contextual risk factors

By using the unique baselines generated through user analysis and contextual awareness, access solutions can make a judgement as to whether granting user access will be a safe or risky decision. These solutions often assign users a risk score, which changes over time, and in response to a range of factors. 

These inputs can be assessed in isolation, or in conjunction with multiple signals. Admins will specify how a solution should respond, depending on each input. There are a range of responses available to admins to achieve several aims. Security can be prioritised through blocking access, while enforcing MFA can look to confirm a user’s identity. The most common response actions include:

  • Allow access
  • Require MFA
  • Limit access (to specific content, or to read only access)
  • Reset password
  • Monitor access

You may see some providers referring to precedence or a conditional hierarchy. This decides which outcome applies when multiple access policies match the same request. Rather than picking a single policy, every matching policy is applied, and when their outcomes differ the most restrictive one wins. A request that satisfies a block policy is blocked even if another policy would have allowed it, so data that needs to be kept secure is kept secure, but some less sensitive access will be blocked along with it.

When policies overlap like this, security is preserved at the expense of usability: some actions that should be allowed will actually be blocked. It is therefore important to scope your access policies as specifically as possible, so that only the intended policy applies to a given request.

The hierarchy typically puts “block” as the dominant outcome, followed by “allow access with MFA”, then “allow access without MFA” as the least restrictive.
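As an added illustration of the signals section and the precedence rule above (this is example code written for this page, not code from the article or from any vendor named in it), the following Python sketch evaluates an access request's signals against a small set of "if ..., then ..." policy statements, collects every policy that matches, and lets the most restrictive grant control win. The trusted network range, the known-device list, the per-user baseline login hours and the sample requests are all constructed for the example, and the risk score is assumed to arrive from a separate risk engine.

```python
"""Toy conditional-access evaluator: signals in, grant decision out (example only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Grant controls ordered from least to most restrictive. When several policies
# match one request, the most restrictive control wins (block > MFA > allow).
ALLOW, MFA, BLOCK = "allow", "require_mfa", "block"
PRECEDENCE = {ALLOW: 0, MFA: 1, BLOCK: 2}

# Constructed reference data standing in for what a real identity provider holds.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]              # assumed office egress range
ALLOWED_COUNTRIES = {"GB", "US"}
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}, "bob": {"dev-laptop-07"}}
BASELINE_HOURS = {"alice": range(7, 20), "bob": range(8, 19)}  # learned "normal" login hours


@dataclass(frozen=True)
class Signals:
    """The inputs the policy engine sees for one access request."""
    user: str
    app: str
    device_id: str
    device_compliant: bool   # reported by the device-management tool
    source_ip: str
    country: str             # geolocated from source_ip (spoofable via VPN/proxy)
    hour: int                # local hour of the request, 0-23
    risk_score: int          # 0-100, assumed to come from a separate risk engine


@dataclass
class Policy:
    name: str
    matches: Callable[[Signals], bool]   # the "if ..." part of the statement
    control: str                         # the "then ..." part


def from_trusted_network(s: Signals) -> bool:
    return any(ip_address(s.source_ip) in net for net in TRUSTED_NETWORKS)


def on_known_device(s: Signals) -> bool:
    return s.device_id in KNOWN_DEVICES.get(s.user, set())


def outside_baseline_hours(s: Signals) -> bool:
    # Users with no baseline yet are treated as always within hours.
    return s.hour not in BASELINE_HOURS.get(s.user, range(24))


POLICIES = [
    Policy("Block sign-in from disallowed countries",
           lambda s: s.country not in ALLOWED_COUNTRIES, BLOCK),
    Policy("Block high-risk sign-in", lambda s: s.risk_score >= 80, BLOCK),
    Policy("Require MFA from unknown device", lambda s: not on_known_device(s), MFA),
    Policy("Require MFA off the trusted network", lambda s: not from_trusted_network(s), MFA),
    Policy("Require MFA at unusual hours", outside_baseline_hours, MFA),
    Policy("Finance app requires a compliant device",
           lambda s: s.app == "finance" and not s.device_compliant, BLOCK),
]


def evaluate(signals: Signals, policies=POLICIES) -> tuple[str, list[str]]:
    """Apply every policy whose condition matches and return the winning control
    plus the names of all matching policies, so the decision can be explained."""
    matched = [p for p in policies if p.matches(signals)]
    if not matched:
        return ALLOW, []          # no policy applies: default allow
    winner = max((p.control for p in matched), key=PRECEDENCE.__getitem__)
    return winner, [p.name for p in matched]


# Constructed sample requests: (user, app, device, compliant, ip, country, hour, risk).
OFFICE_KNOWN = Signals("alice", "mail", "dev-laptop-01", True, "203.0.113.10", "GB", 10, 5)
HOME_NEW_LAPTOP = Signals("alice", "mail", "dev-laptop-99", True, "198.51.100.5", "GB", 10, 20)
FINANCE_UNMANAGED = Signals("bob", "finance", "dev-laptop-07", False, "203.0.113.20", "GB", 9, 10)
SUSPICIOUS = Signals("alice", "mail", "dev-laptop-01", True, "192.0.2.7", "XX", 3, 90)

if __name__ == "__main__":
    for req in (OFFICE_KNOWN, HOME_NEW_LAPTOP, FINANCE_UNMANAGED, SUSPICIOUS):
        decision, why = evaluate(req)
        print(f"{req.user:6} {req.app:8} -> {decision:12} {why}")
```

Running it shows the effect of overlapping policies: the last request matches two block policies and two MFA policies at once, and block wins regardless of order. It also shows the usability cost the section describes: a legitimate user on a new laptop at home trips two MFA policies, which is acceptable, but a block policy scoped too broadly would stop that user outright, which is why each policy's condition is kept as narrow as it can be.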



What Are The Benefits Of Conditional Access?

  • Enhanced Security – Enforce robust and effective security policies to secure your accounts and users.
  • Improve User Experience – Intelligent analysis only requires additional identity confirmation when necessary, rather than by default. This reduces the burden on the user, making their experience smoother.
  • Increased Flexibility – Ensure that the correct users are granted secure access from any location or device (if your policies permit).

What To Look For In A Conditional Access Solution

While you always want to have a good deal of flexibility and configuration with any cybersecurity solution, conditional access is an area where it helps to have pre-sets. Conditional access can be very complicated to implement in practice – there are so many variables to be aware of and to consider. 

To ensure that your solution is usable and effective, it is best to look for a solution with a user-friendly policy builder. This will give you a clear dropdown menu with elements that can be customized. Admins can then select a conditional factor and select the desired response. 

Microsoft Azure AD is one such solution. When building a conditional access policy, Azure AD presents a clear menu of conditions and grant controls, so admins can select a specific factor (for example, an unknown device) and the response to it (for example, “Require MFA”). This simple design makes it easy for admins to implement advanced and effective security controls.

That being said, organizations decide to use a conditional access solution because it gives them additional control over access and security. If a solution does not provide enough flexibility, it will be ineffective. 

Before committing to a conditional access solution, it is worth listing the factors on which you want to control access, and checking which solutions offer that capability.

Who Are The Top Conditional Access Vendors?

When looking at identity and access management solutions, it can be difficult to work out which solutions offer conditional access policies, and how much flexibility admins have to adapt these policies. In this section, we’ll cover some of the top solutions with customizable conditional access policies to give you an idea of what’s on offer.


Microsoft Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft’s enterprise identity management solution that provides single sign-on, multi-factor authentication, and conditional access policies. The platform secures access to your services and network areas, while providing adaptive, risk-based access in a streamlined manner. The platform provides a single control plane to give you full visibility across your environment and identities. This solution makes it easy to configure and assign access policies, with a broad range of policy options. Azure AD provides a good range of conditional access signals (including user and location, device, application, and real-time risk) and a versatile set of responses (including allowing access, requiring MFA, limiting access, monitoring access, or resetting passwords). Integrating your existing services is straightforward, allowing for comprehensive coverage. Microsoft provide a helpful customer support team that can ensure you implement and configure the solution as you need. We would recommend Microsoft’s Azure Active Directory for organizations of all sizes looking for a user-friendly and effective conditional access management tool. Azure AD is particularly well suited to organizations already working within the Microsoft ecosystem.

JumpCloud

JumpCloud is an open directory platform that provides secure and streamlined access to resources from any device, anywhere. The platform allows admins to deliver directory services, SSO, and MFA, as well as IAM and PAM services with conditional access policy configuration. JumpCloud manages identities, ensuring that they are kept up to date and aligned across all connected entities. By streamlining this process, identity sprawl (and related costs) is reduced, making management simpler and more effective. This reduces the opportunities for attackers to exploit oversights. Conditional access policies can be configured in the JumpCloud admin portal. From here, admins can view and modify the status of access policies, ensuring that they are relevant and appropriate for their organization. Enforcing adaptive and robust conditional access policies like this can help your organization work towards SOC, HIPAA, GDPR, and PCI compliance. JumpCloud gives admins granular control over how access policies are constructed, meaning they can adapt them for specific locations and requirements. We would recommend JumpCloud for organizations across all sectors looking for an easy-to-use, flexible, and secure identity and access management solution.

Okta

Okta is a leading identity provider, currently working with over 10,000 organizations worldwide. The Okta Identity Cloud allows organizations to connect technologies and people, balancing ease of use and security. The platform has over 7,000 pre-built integrations with third-party applications and infrastructure providers. Okta uses the terms Attribute Based Access Control (ABAC) and Dynamic Authentication Context to describe its conditional access policies. Admins can implement Dynamic Authentication Context on SAML apps through relatively simple code changes; information on this can be found on Okta’s website. This is more complicated to implement than some other solutions, though for admins with coding experience it should not be a challenge. The platform can integrate with EMM and EDR solutions to make advanced and intelligent access decisions. This adaptive response not only ensures that security is maintained, but that it is applied where it is needed, rather than deploying security checks indiscriminately. We would recommend Okta for organizations looking to embed robust identity and access protocols at the heart of their organization and services. The platform offers a good deal of control but is more complicated to run because of that. We would recommend Okta for medium to larger organizations with the experience and resource to maximise the benefits.

SentinelOne Singularity Identity

Based in Mountain View, CA, SentinelOne’s platform provides advanced and autonomous cybersecurity across endpoints, cloud, identities, and XDR. SentinelOne uses AI to deliver a comprehensive threat detection, response, and remediation solution. Singularity Identity is SentinelOne’s solution for preventing Active Directory attacks and securing identities. Singularity Identity offers a range of robust security features to protect identity infrastructure. These include deep packet inspection, abnormal behavior identification, and suspicious activity analysis. The platform can also misdirect attackers away from critical workloads towards dead ends seeded with lures and fake information. SentinelOne’s platform is reliable and effective. It provides a comprehensive level of threat response, allowing you to reduce network vulnerabilities. The platform helps organizations meet NIST/CMMC compliance requirements without significant effort. We would recommend SentinelOne for SMBs to enterprise organizations needing an effective and versatile identity security solution.

Conclusion

Conditional access policies are a highly effective means of tightening security infrastructure, without investing in further tools, or asking your employees to drastically change their behavior. Through implementing precise and accurate conditional access policies, you tailor the security and user experience depending on specific circumstances – this ensures that when risks are low, users can carry on unimpeded. However, when there is an anomaly, or another reason to be cautious, the platform will ramp up security.

While conditional access has the potential to be complicated and advanced, many of today’s access management solutions simplify the process, allowing organizations of all types and experience levels to implement this type of security.


Alex Zawalnyski

Copy Manager

As Copy Manager with Expert Insights, Alex writes and edits articles relating to cyber security and technology solutions to ensure they are clear, authoritative, and informative. Alex was awarded a First Class MA (Hons) in English and Scottish Literature by the University of Edinburgh.


© 2023 Expert Insights