Examples of Conditional Access Policies

Written by Kate Lake on May 2, 2022


Think back to the last fraudulent call or email that made it past your spam filter. How could you tell it was fake? Maybe they called at a weird hour, or the name in the email address didn’t match the signature, or you didn’t recognize the area code. Or maybe your car doesn’t actually have an extended warranty. 

Whatever the reason, your spam filter didn’t catch the fraud, but you did. Why?

Humans are great at picking up on contextual clues. Computers don’t do so on their own; they have to be programmed to recognize them.

That’s how conditional access policies work. They use a set of contextual clues — like what times of day and locations are considered “normal,” for example — to apply the appropriate amount of contextual security to a login attempt. This means more security for suspicious attempts, and less friction for typical and expected ones. Essentially, conditional access automates the human intuition that enables you to spot suspicious activity and applies it to the authentication process.

Let’s dive deeper into how they work and explore some of the most common examples and use cases of conditional access policies. 

How Conditional Access Policies Work 

Conditional access policies use contextual information to apply the most appropriate level of security to a login attempt. Typically, conditional access policies increase security measures for suspicious or irregular login attempts and decrease security measures for routine and trustworthy login attempts. This makes conditional access essential for striking a balance between security and the user experience: it reduces friction where it’s safe to do so and boosts security with intelligently applied policies.

The Zero Trust security model, which assumes that all devices, users, networks, and resources are untrustworthy until verified, underlies all conditional access policies. Users and groups are thus required to verify their identities by meeting specific conditions, over and above presenting their credentials, before access is granted.

What Are Some Examples of Conditional Access Policies?

In their simplest form, conditional access policies consist of an if/then statement in the format:

If Condition A is met, then complete Action A, else Action B.

Let’s explore some of the conditions and actions that appear in conditional access policies to form a blueprint for how they’re commonly built.

Common Conditions

Conditional access policies can check a login attempt against several conditions. These conditions are flexible and have a wide range of options; the following are common conditions for examining the security of a login attempt.

  • Correct username and password input. While no longer the most secure form of authentication, passwords can be the first step in an MFA-based login.
  • Location of login. 
  • Login is from a device associated with the user.
  • Distance and time between last login. If a user logged in an hour ago from halfway across the world, this login attempt would be suspicious.
  • Device complies with company standards.
  • Network compliance with company standards.
  • Time of login. Some organizations may not allow logins after business hours.
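The "distance and time between last login" condition can be checked by computing the travel speed implied by two consecutive logins. The following is an added example, not code from this article or from any vendor's product; the 900 km/h ceiling, the 50 km noise floor, the record fields, and the sample logins are all assumptions constructed for illustration.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def is_impossible_travel(prev, curr, max_kmh=MAX_PLAUSIBLE_KMH, min_km=50.0):
    """True when getting from prev to curr would need a speed above max_kmh.

    prev and curr are dicts with 'time' (timezone-aware datetime), 'lat', 'lon'.
    Distances under min_km are ignored because IP geolocation is too coarse
    to distinguish nearby places.
    """
    km = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if km < min_km:
        return False
    hours = (curr["time"] - prev["time"]).total_seconds() / 3600
    if hours <= 0:
        # Simultaneous or out-of-order logins from distant places: treat as suspicious.
        return True
    return km / hours > max_kmh


# Constructed sample logins (not real data).
def _login(hour, lat, lon):
    return {"time": datetime(2022, 5, 2, hour, 0, tzinfo=timezone.utc), "lat": lat, "lon": lon}

NEW_YORK_0900 = _login(9, 40.7128, -74.0060)
SYDNEY_1000 = _login(10, -33.8688, 151.2093)   # one hour later, other side of the world
LONDON_1700 = _login(17, 51.5074, -0.1278)     # eight hours later, a plausible flight

if __name__ == "__main__":
    print(is_impossible_travel(NEW_YORK_0900, SYDNEY_1000))
    print(is_impossible_travel(NEW_YORK_0900, LONDON_1700))
```

A positive result is a signal to step up authentication rather than proof of compromise, since VPN exits and mobile carrier routing can move a user's apparent location.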

Common Actions 

The actions in conditional access policies specify how to proceed based on the conditions above. Actions typically either improve or reduce security measures, based on the security of the login attempt conditions. Some of the most common actions include:

Conditional Access Policy Examples

By combining conditions and actions in the if/then/else template above, you can create policies like: 

  • If employees log in with a device that’s assigned to them and on a company-compliant network, then they may bypass MFA.
  • If employees log in with a device that’s assigned to them and not on a compliant network, then they must complete an MFA challenge.

Note that you can apply policies to some groups and not others. For example, an organization might choose to never apply a policy that bypasses MFA to users in its super admin group.

Common Conditional Access Use Cases

In general, conditional access policies deliver simultaneous security and usability wins. More specifically, companies use them to uphold certain security and usability standards, including: 

  • Prohibiting unapproved devices from accessing resources.
  • Preventing employees from accessing resources from untrustworthy networks, like public Wi-Fi.
  • Improving the user experience by reducing friction in predictable and secure environments. This can include home Wi-Fi networks for a better remote work experience.
  • Securely streamlining the experience for specific users and groups, like executives who require resource access via their phone. 

JumpCloud’s Revolutionary Approach to Conditional Access 

JumpCloud empowers IT admins to implement conditional access policies with the flexibility to choose from a wide range of conditions and actions. This allows admins to create a holistic security policy by combining trust elements. 

JumpCloud can also automatically apply certain policies to ensure security: for example, if more than one policy is applied to certain users and groups, JumpCloud will automatically enforce the strictest ones. Admins can also configure a global policy that’s enforced in the event that no policy applies to a user. This is an essential tool to ensure baseline security coverage for the organization by default. 

These conditional access policies can be enforced through all IT environments regardless of what client apps, operating system, or vendor they use. And it’s all managed through JumpCloud’s cloud directory platform, keeping identity, device, network, and conditional access policy management all in one place. 

Intrigued? Try JumpCloud today! With JumpCloud Free, you can evaluate our full platform for 10 users and 10 devices with access to all Premium features. You also get 10 days of Premium 24×7 support to help you extract the most value from the platform.

Kate Lake

Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelor’s in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).
