Describe the Purpose and Value of Conditional Access
Conditional Access is an Entra ID feature for enforcing an organization's access policies. A policy evaluates the signals available at sign-in (who the user is, which application is being accessed, the state of the device, the network location and, with the right licensing, the risk of the sign-in) and then applies a decision: grant access, grant it only with additional controls such as multi-factor authentication or a compliant device, or block it. For instance, a company policy may require end users to sign in only from specific geographic or network locations. Conditional Access can be configured so that when a sign-in comes from inside that location boundary, access is granted; otherwise, it is blocked. Two practices keep such a policy from locking the organization out of its own tenant: create it in report-only mode first and review its effect in the sign-in logs before enabling it, and exclude at least one emergency-access (break-glass) account from every policy. Core Conditional Access features are available as part of Entra ID Premium P1 (formerly Azure AD Premium P1), which is also included in Enterprise Mobility + Security (EMS) E3.
With Entra ID Premium P2 (formerly Azure AD Premium P2, also included in EMS E5), organizations gain Identity Protection, which lets them enforce risk-based Conditional Access policies: a sign-in that Microsoft rates as risky can be required to complete MFA, and a user whose credentials are detected as leaked (Microsoft compares credentials found in public paste sites and dark-web dumps against the tenant's accounts) can be forced to change their password or be blocked. P2 also includes Privileged Identity Management (PIM), with which administrators set up just-in-time activation and approval workflows for privileged roles to support a least-privilege access model, and access reviews for periodically recertifying group and role membership.
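The following script is an added example, not part of the original chapter, showing what the location-based policy described above and a P2 risk-based MFA policy look like when created with the Microsoft Graph PowerShell SDK. The display names, the 203.0.113.0/24 address range and the breakglass-admin@contoso.example account are placeholders chosen for illustration; both policies are created in report-only mode and exclude the break-glass account.

```powershell
# Added example (not from the book): creates a trusted named location, a
# location-based block policy and an Entra ID P2 sign-in-risk MFA policy with
# the Microsoft Graph PowerShell SDK. Display names, the IP range and the
# break-glass UPN are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

# Policy.ReadWrite.ConditionalAccess is required to create named locations and policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Resolve the emergency-access (break-glass) account that every policy excludes,
# so a mistaken policy can never lock every administrator out of the tenant.
$breakGlass = Get-MgUser -UserId "breakglass-admin@contoso.example"

# 1. Named location: the corporate egress range (RFC 5737 documentation range
#    used as a placeholder). Marking it trusted also lowers the risk score of
#    sign-ins that originate from it.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate HQ egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. P1 policy: block every user on every cloud app unless the sign-in comes
#    from the trusted location. Report-only mode records the decision in the
#    sign-in logs without enforcing it, so the impact can be reviewed first.
$blockOutsideHq = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA001 - Block access outside corporate network (report-only)"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. P2 policy: require MFA when Identity Protection rates the sign-in risk
#    medium or high. The signInRiskLevels condition needs an Entra ID P2 licence.
$riskMfa = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA002 - Require MFA for medium or high sign-in risk (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Confirm what was created and in which state before anything is switched to "enabled".
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA00*" |
    Select-Object DisplayName, State, Id
```

Run it from an account holding the Conditional Access Administrator role. After the policies have sat in report-only mode long enough to cover normal working patterns, check the "Report-only" result column in the Entra sign-in logs for unexpected blocks before changing `state` to `enabled`.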
Summary
As you’ve seen, there is a multitude of configuration options available to help organizations of all sizes meet their identity, authentication, and security needs.
In this chapter, you have learned the differences between cloud, synchronized, and federated identity, as well as the security controls available with EMS and Azure AD Premium (Entra ID Premium), such as Conditional Access and access reviews. You learned which identity model can be used to help meet specific requirements. For example, if your organization requires that passwords be validated by your on-premises directory rather than in the cloud, you now know to choose between pass-through authentication and federated identity.
You also learned about some of the commonly implemented features of the Microsoft 365 platform, including SSPR and multi-factor authentication.
In the next chapter, you’re going to look at technologies that enable endpoint security control and management.