L6. Conditional Access: Policies, Named Locations and Risk

Conditional Access Architecture

Conditional Access (CA) is the policy engine at the heart of Entra ID zero trust. Every sign-in is evaluated against your policies, and access is granted, denied, or requires additional verification based on the conditions you define.

A CA policy has two main components:

• Assignments: WHO is signing in, to WHAT application, under WHICH conditions
• Access controls: WHAT must happen (grant controls) and HOW the session behaves (session controls)

Assignments

Users and Groups

You can include or exclude specific users, groups, directory roles, or guest/external users. Common patterns:

• Include: All users. Exclude: break-glass accounts
• Include: A specific group. Exclude: none

Cloud Apps or Actions

Target specific applications, all cloud apps, or user actions (like registering security info or registering/joining devices).

Conditions

• Sign-in risk: Requires Entra ID Protection (P2). Levels: None, Low, Medium, High
• User risk: Requires Entra ID Protection (P2). Levels: None, Low, Medium, High
• Device platforms: iOS, Android, Windows, macOS, Linux
• Locations: Named locations (IP ranges, countries)
• Client apps: Browser, mobile apps, desktop clients, legacy auth clients
• Device state/filter: Target managed or compliant devices

Access Controls

Grant Controls

• Block access: Deny sign-in entirely
• Grant access with requirements: MFA, compliant device, hybrid-joined device, approved app, app protection policy, password change, custom authentication strength

Session Controls

• Sign-in frequency (how often to re-authenticate)
• Persistent browser session
• Conditional Access App Control (proxy through Defender for Cloud Apps)
• Customize token lifetime (continuous access evaluation)

Exam tip: When multiple grant controls are selected, you choose "Require all" or "Require one of." For maximum security, use "Require all." Most exam scenarios test the "Require all" pattern with MFA + compliant device.

Named Locations

Named locations define trusted or known IP ranges and countries:

• IP ranges: Define corporate network CIDR ranges and mark them as trusted
• Countries: Select countries based on IP geolocation

Named locations are referenced in CA policy conditions to differentiate corporate network sign-ins from external sign-ins. Exam tip: Marking a location as "trusted" does not automatically grant access. It allows you to create policies that behave differently for trusted vs. untrusted locations (e.g., skip MFA on the corporate network).

What If Tool

The What If tool simulates CA policy evaluation for a specific user and scenario. It shows which policies would apply and which would not, along with the reasons. This is the primary troubleshooting tool for CA issues.

Navigate to: Entra admin center > Protection > Conditional Access > What If

Policy Evaluation Order

All CA policies are evaluated simultaneously (not sequentially). If any applicable policy blocks access, access is blocked regardless of other policies. Grant controls from all applicable policies are combined. Exam tip: Block always wins. If one policy grants access with MFA and another blocks access for the same scenario, access is blocked.