What Conditional Access Does
Conditional Access policies define conditions (signals) and actions (controls). Signals include user or group membership, the application being accessed, geographic location, device state, and detected risk levels. Controls range from requiring multi-factor authentication (MFA) to blocking access entirely or enforcing compliant-device requirements. The policy authoring model allows for granular control and customisation to address specific organisational needs and risk profiles. These policies are centrally managed within Microsoft Entra ID.
Conditional Access in Australian Tenants Today
For AU mid-market organisations, a baseline Conditional Access configuration is essential. This typically includes requiring MFA for all users and blocking legacy authentication protocols, directly addressing ACSC Essential Eight Maturity Level 1+ requirements. APRA CPS 234 and CPS 230 also highlight the importance of robust access controls. Consider leveraging Microsoft’s recommended starter policies as a foundation, tailoring them to your specific risk assessment and compliance obligations under the Privacy Act 2024 and the Notifiable Data Breach scheme. Alignment with the Australian Voluntary AI Safety Standard is also increasingly relevant for AI-powered access decisions.
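As an added example (not from the original article), the two baseline policies above expressed in the signals-and-controls model: Microsoft Graph PowerShell bodies for "require MFA for all users" and "block legacy authentication". It assumes the Microsoft.Graph module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess scope, and a break-glass account object ID is substituted for the placeholder.

```powershell
# Added example, not the article's or Microsoft's own code. Assumes the Microsoft.Graph
# PowerShell module is installed and the caller can consent to the scopes below.
# Both policies are created in report-only mode so sign-in impact can be reviewed
# in the sign-in logs before enforcement.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access ("break glass") account to exclude,
# so a misconfigured policy cannot lock every administrator out of the tenant.
$BreakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Policy 1: signal = any user on any cloud app; control = require MFA.
$requireMfa = @{
    displayName   = "Baseline - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # set to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: signal = legacy client app types (Exchange ActiveSync and "other"
# basic-auth clients, which cannot complete MFA); control = block.
$blockLegacy = @{
    displayName   = "Baseline - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Create both policies and show the resulting display name and state.
foreach ($policy in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State
}
```

Review the report-only results in the Entra sign-in logs for a few weeks, then change `state` to `enabled` once the excluded accounts and any legacy clients still in use have been accounted for.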