Conditional Access
Also known as: CA · Conditional Access Policy
Definition
Conditional Access is a policy framework that evaluates signals (user, device, location, risk, application) at sign-in time and decides whether to grant access, require additional verification, or block.
In more depth
Conditional Access is the operational language of modern IdPs (Microsoft Entra, Okta). Rules look like: "If user is signing in from an unmanaged device AND accessing a sensitive app AND risk score is medium, require MFA + step-up to a phishing-resistant factor."
Mature Conditional Access programs ship policies as code (Terraform, Bicep), test in report-only mode before enforcement, and integrate device-posture + risk signals from XDR / SIEM.
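A simplified model of the evaluation described above, added here as an example and not taken from Entra, Okta or any vendor's engine; the policy fields, control names and sample policies are constructed assumptions. It shows how a report-only policy records what it would have required without changing the sign-in decision.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str
    device_managed: bool
    app: str
    risk: str                 # "low" | "medium" | "high"

@dataclass(frozen=True)
class Policy:
    name: str
    state: str                # "enforced" or "report-only" (assumed labels)
    apps: frozenset           # applications the policy targets
    unmanaged_only: bool      # True: applies only to unmanaged devices
    risk_levels: frozenset    # risk levels that trigger the policy
    controls: frozenset       # e.g. {"mfa"} or {"block"}

def matches(policy, signin):
    """All conditions must hold (logical AND), as in the quoted rule."""
    return (signin.app in policy.apps
            and (not policy.unmanaged_only or not signin.device_managed)
            and signin.risk in policy.risk_levels)

def evaluate(policies, signin):
    """Return (decision, required_controls, report_only_log)."""
    required, report_log = set(), []
    for policy in policies:
        if not matches(policy, signin):
            continue
        if policy.state == "report-only":
            # Logged for review before enforcement; has no effect on access.
            report_log.append((policy.name, sorted(policy.controls)))
        else:
            required |= policy.controls   # controls from all matches combine
    if "block" in required:               # block overrides any grant control
        return "block", set(), report_log
    return ("challenge" if required else "grant"), required, report_log

# Constructed sample policies: the rule quoted above, plus a block rule
# still running in report-only mode.
POLICIES = [
    Policy("step-up-sensitive", "enforced", frozenset({"payroll"}), True,
           frozenset({"medium"}), frozenset({"mfa", "phishing_resistant"})),
    Policy("block-high-risk", "report-only", frozenset({"payroll", "wiki"}),
           False, frozenset({"high"}), frozenset({"block"})),
]
```

Reviewing the report-only log for sign-ins that would have been blocked is what makes the later switch to enforcement safe.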