Azure Active Directory Conditional Access

Azure Active Directory (AAD) conditional access lets organizations add additional checks to application logins to help prevent access by compromised users and devices. However, organizations should not deploy AAD conditional access unless they have licensed users with the entire Enterprise Mobility + Security suite, or they might violate license terms.

Conditional Access Internals

Organizations implement conditional access to ensure integrity of the devices and users that are connecting to their applications. For example, conditional access might prevent users from logging in until the device they are using has met certain security parameters, or they are only able to access through applications that the organization has approved. The organization might also require multifactor authentication, which can help ensure that the user’s credentials have not been compromised.

AAD conditional access is an extension of AAD that can require users and their devices to pass additional security checks before they can sign in to an application using AAD credentials. The steps occur when a user requests access to these applications, effectively as a step during the authentication process. Applications protected can include Office 365 services (such as Exchange Online), but also third-party applications (such as Salesforce) that the organization has integrated with its tenancy of AAD.