Conditional Access

August 9, 2023 by Mark Nash

For about as long as passwords have been around, they've been a source of security concern (which is ironic, since they were created to improve security). Eighty-one percent of security incidents happen due to stolen or weak passwords. Unfortunately, some employees continue to neglect good cybersecurity practices, with 61% of workers using the same password for multiple platforms and 43% having shared their passwords with others. Factors like these are why compromised credentials are the leading cause of data breaches and why access and identity management have become a priority for many organizations. Once a cybercriminal gets hold of an employee's login, they can access the account and any data it contains. This is especially problematic when the account can reach things like cloud storage and user email. One method cybersecurity technicians use to help protect users' accounts is conditional access.

What Is Conditional Access?

Conditional access, also known as contextual access, is a method of controlling users' permissions to access data based on factors outside of login credentials. You can think of it as a set of "if/then" statements: "if" this condition is present, "then" take this action. For example, conditional access allows you to set a rule such as: "If a user is logging in from outside the country, require a one-time passcode." Conditional access lets you attach many conditions to the process of gaining access to a system; its most popular pairing is with MFA. The aim is to improve access security without unnecessarily inconveniencing users. Some of the most common contextual factors used include:

  • IP address
  • Geographic location
  • Time of day
  • The device used
  • Role or group the user belongs to

Conditional access can be set up in Azure Active Directory or another identity and access management tool.

The Benefits of Implementing Conditional Access for Identity Management

Improves Security

Using conditional access improves security by giving you more flexibility in challenging user legitimacy. It doesn't just grant access to anyone with a username and password; the user also needs to meet specific requirements. Contextual access could block any login attempts from countries where the organization has no employees, or present an additional verification step when employees use an unrecognized device.

Automates the Access Management Process

Once the if/then statements are set up, the system takes over: it monitors the contextual factors automatically and takes the appropriate actions. This reduces the burden on administrative IT teams and helps ensure that no one slips through the cracks. When set up properly, automated processes are more accurate and reliable than manual ones because they remove the chance of human error, ensuring that every condition is verified for every login attempt.

Allows Restriction of Certain Activities

Conditional access can be used for more than just keeping unauthorized users out of your accounts; it can also be used to restrict the actions and activities that legitimate users can perform. For example, you could restrict access to data or settings based on a user's role in the system. You can also use conditions in combination, such as lowering permissions to view-only if a user holds a certain role and is logging in from an unknown device.

Improves the User Login Experience

Studies show that 67% of businesses don't use multi-factor authentication, despite the fact that it's one of the most effective methods to stop credential breaches. One of the biggest reasons it is not used is because of the inconvenience factor for employees. They may complain that it interferes with productivity or makes it harder for them to use their business applications. Conditional access in conjunction with MFA can remedy many of these issues. For example, you can require MFA only if users are off the premises.
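As an added example (not from the article or any vendor's policy schema), the if/then rules described in this and the previous sections (country, on-premises network, device, role, and time-of-day conditions, and how they combine) can be modelled as a small policy evaluator. The countries, networks, roles, hours and rule names in it are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# All values below are constructed assumptions for illustration; the rule
# format is this example's own, not Azure AD's or any other product's.

@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset      # groups or roles from the identity system
    country: str          # assumed to be geolocated from the source IP
    ip: str
    device_known: bool    # True if the device is registered / recognized
    hour: int             # local hour of the attempt, 0-23

@dataclass
class Decision:
    allowed: bool = True
    require_mfa: bool = False
    view_only: bool = False
    matched: list = field(default_factory=list)  # names of rules that fired

HOME_COUNTRY = "US"
EMPLOYEE_COUNTRIES = {"US", "DE"}
OFFICE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

def on_premises(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)

# (rule name, "if" condition, "then" effect). Effects combine rather than
# override: any "deny" blocks, any "mfa" adds a challenge, any "view_only"
# lowers permissions, so several conditions can apply to one sign-in.
RULES = [
    ("no employees in this country",      lambda s: s.country not in EMPLOYEE_COUNTRIES, "deny"),
    ("sign-in from outside home country", lambda s: s.country != HOME_COUNTRY, "mfa"),
    ("off premises",                      lambda s: not on_premises(s.ip), "mfa"),
    ("unrecognized device",               lambda s: not s.device_known, "mfa"),
    ("contractor on unknown device",      lambda s: "contractor" in s.roles and not s.device_known, "view_only"),
    ("finance outside business hours",    lambda s: "finance" in s.roles and not 7 <= s.hour < 19, "deny"),
]

def evaluate(signin: SignIn) -> Decision:
    """Check every rule for every attempt; no rule is skipped once one matches."""
    d = Decision()
    for name, condition, effect in RULES:
        if condition(signin):
            d.matched.append(name)
            if effect == "deny":
                d.allowed = False
            elif effect == "mfa":
                d.require_mfa = True
            elif effect == "view_only":
                d.view_only = True
    return d
```

A staff member on the office network with a known device gets plain access, while the same person working from abroad is allowed but challenged for MFA, and a sign-in from a country with no employees is denied regardless of credentials.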

Enforces the Rule of Least Privilege

Using the rule of least privilege is a security best practice. It means granting users only the lowest level of access to a system that they need to do their work. Once you have roles set up in your identity management system, you can base access on those roles. Conditional access simplifies restricting access to data or functions and streamlines identity management, because access rules and MFA rules live in the same system and are managed in one place.