What is conditional access?
Table of contents
Also known as
Definition
Conditional access policies check a set of conditions before letting anyone in. Meet them, you're in. Don't, you're not.
Those conditions are built on signals: who they are, what device they're on, where they're signing in from, and how risky the sign-in looks.
Depending on what they meet, access is granted, blocked, or limited. For example, you can require MFA for admins, block sign-ins from certain locations, or restrict what users can do in a session.
tip
Before creating CA policies, map what needs protecting and where your biggest vulnerabilities are. The policies that give you the most immediate benefit are usually the ones covering admin accounts and risky sign-ins. Microsoft’s conditional access templates are a good place to start.
Why it matters
Conditional access touches more than security. It shapes who can reach Microsoft 365, under what conditions, and from where. That affects how migrations run, how guests behave, and whether legitimate users get blocked at the wrong moment.
- Governance & security: Security defaults give you a baseline. Conditional access policies give you control over who gets in, from where, on what device, and under what risk conditions.
- Day-to-day operations: CA policies shape the daily Microsoft 365 experience for every user in your tenant: how they sign in, what they can access, and when they get prompted for more verification.
Commonly confused with: SharePoint permissions
SharePoint permissions control what a user can do inside a site—read, edit, manage. Conditional access controls whether they can reach it at all. The two operate at different layers. A user can have full SharePoint permissions and still be blocked by a conditional access policy before they get to the site.
Frequently asked questions
Can conditional access block migrations?
Yes. Conditional access policies that require compliant devices or enforce session controls can block migration tools from downloading content, including ShareGate Migrate. The error message is specific: "The object could not be migrated. This can happen when an organization restricts access with labels or Conditional Access policies." The fix is to identify the blocking policy in Entra ID and exclude the migration service account from it. If you don't have Entra admin access, you'll need a global admin to make the change.
How does conditional access relate to MFA?
MFA is one control that a conditional access policy can require, but it’s not the same thing as conditional access. A policy might require MFA for all admin sign-ins, or only when someone signs in from outside a trusted location. Conditional access is the engine that decides when MFA applies, who it applies to, and what happens if it isn't completed.
Who should own conditional access policies?
At minimum, a Security Administrator or Conditional Access Administrator role in Microsoft Entra. In practice, ownership usually spans security and IT. Security sets the requirements and IT implements and maintains the policies. The risk of having unclear ownership: policies get created, forgotten, and later discovered when they block something unexpected, like a migration tool or a new guest user flow.
What exceptions are safe to make?
Microsoft recommends always excluding emergency access accounts (break-glass accounts) from all conditional access policies to prevent lockout. Service accounts used by migration tools or automation can be excluded from specific blocking policies but exclusions should be documented, time-limited where possible, and reviewed regularly. An exception that was temporary and never got cleaned up is how shadow access builds up over time.



