Building a Conditional Access Policy
Start course

This course covers conditional access policies in Azure. You’ll learn what Conditional Access is, why you use it, and what it offers. We’ll then explore how to build a Conditional Access policy, and you'll see a demonstration of how to create a conditional access policy.

Learning Objectives

  • Understand the fundamentals of conditional access policies
  • Learn how to build a conditional access policy

Intended Audience

This course is intended for anyone who wishes to learn about conditional access policies.


To get the most out of this course, you should already have some experience with Azure AD.


Welcome to building a conditional access policy. When you build a conditional access policy, what you are really doing is building an if-then statement that consists of Assignments and Access controls. The policy that you build will look at the assignments and access controls that you’ve defined and make decisions based on them. This, in turn, enforces organizational policies.

Conditional access policies are applied in two phases: Session Details Collection and Enforcement. 

In the first phase, session details are collected. For example, things like network location and device identity are collected, since this information is required for policy evaluation. This first phase of policy evaluation occurs for all enabled policies and for policies that are in report-only mode.

Once session details are collected, phase two performs enforcement of the policy, or policies.

Session details that were collected in phase 1 are used to identify requirements that have not been met. If a policy has been configured to block access, via the block grant control, enforcement stops, and the user is blocked from whatever is being protected with the policy. In the remaining scenarios, the user is prompted to complete any additional grant control requirements that have been defined but not satisfied during the first phase. This occurs in the order you see on your screen:

  • Multi-factor authentication

  • Approved client app/app protection policy

  • Managed device (compliant or hybrid Azure AD join)

  • Terms of use

  • Custom controls

Once all defined grant controls are met, session controls like App Enforced controls, Microsoft Cloud App Security, and token Lifetime, are applied.

This second phase of policy evaluation happens for all enabled policies. 

I should mention that multiple Conditional Access policies can apply to a user at a time. In these scenarios, all policies that apply have to be satisfied. This means that if one policy requires MFA, and another requires a hybrid Azure AD-joined device, the user would have to complete MFA, and be using a hybrid Azure AD-joined device. In other words, all assignments are logically ANDed, so if more than one assignment is configured, all assignments must be satisfied to trigger the policy.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.