September 8, 2025
Zero Trust Identity: Conditional Access
Module 3 focuses on advanced Zero Trust Identity. It reviews how Conditional Access enforces "if/then" access decisions based on conditions such as network location, device compliance, and Identity Governance. Entra Conditional Access is where the Assume Breach principle at the core of Zero Trust is put into practice.
At its heart, Conditional Access operates on a powerful "If-Then" framework. It evaluates a set of signals (the "Ifs") and, based on those signals, enforces a specific action (the "Then").
The "Ifs" (Conditions): These are the signals that policies evaluate to decide if access should be granted or restricted. Our content highlighted several key signals:
User Identity: Is the user part of a specific group, like a team of administrators?
Location: Is the user attempting to sign in from a trusted network, like the corporate office, or from an untrusted location, like an unknown country?
Device State: Is the device compliant with your organization's security policies (e.g., encrypted, running the latest antivirus)?
Application: Which application is the user trying to access? Is it a sensitive one, like the payroll or customer relationship management (CRM) system?
Sign-in Risk: Is there a detected risk associated with this sign-in attempt, such as a sign-in from an unusual location?
The "Thens" (Access Controls): These are the actions that are enforced when the conditions are met. Our content emphasized several powerful controls:
Grant Access: Allow the user to proceed, often with an added requirement. For example, "Grant access, but require multi-factor authentication (MFA)."
Block Access: Immediately deny the sign-in attempt. This is typically used for high-risk scenarios, like blocking sign-ins from non-compliant devices.
Require Compliant Device: Force the user to use a device that is enrolled in and managed by a solution like Microsoft Intune.
Require Password Change: A common action in response to a detected user risk.
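To make the "If-Then" evaluation concrete, here is an added, simplified model of how the signals above combine into an access decision (example code written for this summary, not Microsoft's or Entra's own implementation). The policy names, risk levels and the rule that a single Block outranks any Grant control while Grant controls from all matching policies accumulate are constructed assumptions that mirror the behaviour described above.

```python
from dataclasses import dataclass, field

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}   # ordered risk levels (constructed)

@dataclass
class SignIn:                       # the "Ifs": signals observed for one sign-in attempt
    groups: set[str]
    app: str
    trusted_location: bool
    compliant_device: bool
    sign_in_risk: str = "none"
    user_risk: str = "none"

@dataclass
class Policy:
    name: str
    controls: set[str]              # the "Thens": block, mfa, compliant_device, password_change
    groups: set[str] = field(default_factory=set)   # empty set = applies to any user
    apps: set[str] = field(default_factory=set)     # empty set = applies to any app
    untrusted_location_only: bool = False           # fire only from untrusted networks
    noncompliant_device_only: bool = False          # fire only from unmanaged devices
    min_sign_in_risk: str = "none"                  # fire at or above this sign-in risk
    min_user_risk: str = "none"                     # fire at or above this user risk

    def matches(self, s: SignIn) -> bool:
        return (
            (not self.groups or bool(self.groups & s.groups))
            and (not self.apps or s.app in self.apps)
            and (not self.untrusted_location_only or not s.trusted_location)
            and (not self.noncompliant_device_only or not s.compliant_device)
            and RISK[s.sign_in_risk] >= RISK[self.min_sign_in_risk]
            and RISK[s.user_risk] >= RISK[self.min_user_risk]
        )

def evaluate(s: SignIn, policies: list[Policy]) -> tuple[str, list[str]]:
    """Every matching policy applies: one Block wins outright; otherwise the grant
    controls of all matching policies are combined and the user must satisfy all."""
    required: set[str] = set()
    for p in policies:
        if p.matches(s):
            if "block" in p.controls:
                return "block", [p.name]
            required |= p.controls
    return "grant", sorted(required)

POLICIES = [   # constructed sample policy set mirroring the examples in the text
    Policy("Admins: require MFA", {"mfa"}, groups={"Administrators"}),
    Policy("Payroll: require compliant device", {"compliant_device"}, apps={"Payroll"}),
    Policy("Untrusted location: require MFA", {"mfa"}, untrusted_location_only=True),
    Policy("High sign-in risk: block", {"block"}, min_sign_in_risk="high"),
    Policy("Medium user risk: password change", {"password_change"}, min_user_risk="medium"),
]
```

Running `evaluate` on a finance user opening Payroll from an unmanaged device on an untrusted network yields a grant that requires both MFA and a compliant device, which is why ordinary users rarely notice a single policy in isolation.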