Conditional access is a security mechanism that evaluates every sign-in attempt and decides whether it is allowed, blocked or must first pass extra verification, based on who is signing in, from which device, from which location and with what risk level. It is the policy brain behind signing in to Microsoft 365 (Entra ID).
Conditional access in practice
Where MFA is one extra lock, conditional access is the policy that decides when each lock applies. Examples: signing in from a managed device in the Netherlands is simply allowed; signing in from an unknown country is blocked; access to the accounting system always requires MFA. This makes security stricter where the risk is higher, without employees running into it every day.
For SMB organisations on Microsoft 365 Business Premium, conditional access is included in the licence; it is mainly a matter of configuration. That is a core part of Microsoft 365 management and of the measures in the NIS2 checklist.
Related terms
- MFA — MFA (multi-factor authentication) is signing in with a second proof alongside your password — usually an approval or code in an app on your phone.
- SSO — SSO (single sign-on) means employees sign in once — usually with their Microsoft or Google account — and automatically gain access to all connected applications.
- Tenant — A tenant is your own, isolated environment within a cloud service such as Microsoft 365 or Google Workspace: all your organisation's users, mailboxes, files, settings and security rules together.