What Is Conditional Access?

Written by Kelsey Kinzer on December 8, 2021

Share This Article

After almost two years of majority remote work, the world may start to see offices start to reopen in 2022. But as the world opens back up, remote and hybrid-remote models will likely remain popular: earlier this year, 70% of companies said they would offer a remote work option indefinitely, even post-pandemic. 

The distributed infrastructure that powers hybrid and remote work can face increased security risk when not properly protected. Seemingly in conflict with this need for high-security environments, the Great Resignation has put tremendous pressure on employers to provide seamless, intuitive, and competitively positive user experiences. Organizations need to find a way to deliver secure environments without compromising on user experience, and vice versa.

Conditional access bridges this gap: it improves both the user experience and security simultaneously. The more intelligent alternative to the traditional sign-in process, conditional access contextualizes login attempts, allowing the system to make a more informed decision to grant, challenge, or deny access.

This means an easier login process for users in secure environments and a more challenging process (or outright access denial) in less secure environments. The result keeps the authentication and authorization process secure without putting undue burden on the user. Read on to learn how conditional access works, example use cases, and how it benefits organizations, admins, and users.

How Does Conditional Access Work?

Conditional access requires users to meet specific conditions before they’re granted access to company resources. It works by evaluating login attempts against conditions an IT admin specifies. Typically, the less secure the login conditions, the more rigorous the verification parameters. The result is an added layer of real-time protection that automatically blocks access to users, devices, and networks that don’t meet the pre-defined conditions for secure access.

Usually, users can either be required to meet all specified conditions, or at least one of several specified conditions. Examples of popular conditions include:

  • User group (e.g., belongs to Admin User Group)
  • Managed device (e.g., company-managed device like laptop or desktop)
  • IP address (e.g., use of whitelisted IP address or VPN)
  • Geolocation of login attempt (e.g., trusted locations or international login attempts)

Conditional access policies follow a rough “if, then” format. For example, an IT admin could set up the following conditions:

  • If a known user tries to log in from a compliant device and whitelisted IP address, then they may bypass the multi-factor authentication (MFA) challenge.
  • If a known user tries to log in from an unmanaged device but from a whitelisted IP address, then they must complete an MFA challenge. 
  • If a known user tries to log in remotely and without a VPN, then they will be denied access altogether. 

Why Should IT Admins Care About Conditional Access?

It’s a Cornerstone of Zero Trust Security

Conditional access’s ability to securely verify login attempts makes it a crucial component of Zero Trust security. Zero Trust security is a model that assumes that all users, devices, and networks are untrusted until they are verified securely and reliably.

It was developed in response to the traditional perimeter security model’s inability to sufficiently protect against threats in remote and hybrid-remote environments. While baseline security best practices like password complexity and device security are still a must, they no longer offer sufficient protection on their own; only a Zero Trust model that’s predicated on the concept of “trust nothing, verify everything” can provide adequate protection. 

Zero Trust’s call for reliable verification is often fulfilled by requiring MFA everywhere. Conditional access takes this a step further by accounting for contextual signals around the user, device, and network to assess the security of the login environment. It then uses this information to automatically create a login experience whose security challenges match the environment’s level of security. 

It Improves the User Experience

Most businesses now understand the importance of MFA to the login process, and more than 80% of organizations use it in at least some instances. However, MFA everywhere can become cumbersome to the user, and could even prompt users to try to bypass or turn off MFA requirements.

Conditional access removes the need for an MFA challenge at every login juncture, instead only requiring it where needed. This streamlines the user experience, getting employees to the resources they need faster and more easily. As the user experience becomes a key differentiator for employers and a significant contributing factor to retention rates, removing friction anywhere it can be found is essential. 

It Improves the Admin Experience

Conditional access lightens the IT admin’s load through automation and reliable security. With conditional access policies in place, IT admins can trust that they’ve sufficiently secured the login process without requiring additional work on their end. Additionally, removing the requirement for MFA everywhere reduces the frequency of user login errors, which helps cut down on help desk tickets.

Conditional access’s ability to specify access parameters also helps IT admins automate an element of compliance. IT admins could, for example, set conditional access policies that guarantee only members of a certain user group can access certain items — like only allowing doctors to access patient records. 

The JumpCloud Conditional Access Advantage

JumpCloud® is a cloud directory platform that includes MFA, single sign-on (SSO), and conditional access. Its conditional access policies can verify trust by identity, network, device, and location. Policies are flexible and intuitive: they can automatically enforce the strictest policy when more than one applies, enforce a Global Policy when no policy applies, and bypass “Excluded User Groups.” Devices are verified via a JumpCloud-issued certificate, networks and locations are verified by IP whitelists, and identities are verified against the JumpCloud cloud directory. 

In hybrid-remote and BYOD environments where Windows is no longer the default, JumpCloud’s OS-agnosticism prevents organizations from needing to purchase multiple products just to extend conditional access to every device. Instead, JumpCloud combines everything users need to Make (Remote) Work Happen® with one tool for admins to manage and one price tag for organizations to factor into their budgets. Better yet, it’s free to try for your first 10 users and 10 devices. We’ll even start you off with 10 days of premium 24/7 in-app live chat support to help you get set up. Get started with JumpCloud Free today.

Kelsey Kinzer

Kelsey is a passionate storyteller and Content Writer at JumpCloud. She is particularly inspired by the people who drive innovation in B2B tech. When away from her screen, you can find her climbing mountains and (unsuccessfully) trying to quit cold brew coffee.

Continue Learning with our Newsletter