Conditional access is a security rule that decides whether to allow, challenge or block a login based on the circumstances, not just whether the password is correct. The same valid credentials can sail through from a trusted office laptop and get stopped cold from an unknown phone abroad.

Think of a doorman who knows the regulars. A familiar face on a normal evening walks straight in. The same person showing up at 3am with a stranger gets a few questions first. Conditional access applies that judgement to logins: it weighs the device, the location, the time and the apparent risk, then reacts. A clean, expected sign-in passes quietly, while a suspicious one triggers multi-factor authentication or an outright block.

This is a core building block of a zero trust approach, where no login is trusted by default and every attempt is judged on its merits. It sits on top of normal authentication and sharpens it.

A common policy looks like this: from a managed laptop on the office network, staff sign in normally. From a personal phone on hotel wifi, the same person gets prompted for a one-time code. And a login attempt from a country where the company has no staff gets blocked outright. The point is to add friction only where the risk is, so honest users barely notice while an attacker with a stolen password runs into a wall.

The big caveat is that a rule which is too strict turns into a support problem. Lock things down so hard that staff cannot log in from home or while travelling, and they will either flood the helpdesk or start looking for ways around it. So the work is mostly in tuning: tight enough to stop the obvious attacks, loose enough that real work still gets done.

At TopDevs we set up conditional access so risky logins meet real friction while your team’s everyday access from trusted devices stays quick and quiet.