Pricing  Get Quote

Conditional access policies

Automate access decisions with conditional access

The remote work model has proven to be advantageous to both organizations and employees and is here to stay. As remote users are more susceptible to cyberattacks, strict security measures like multi-factor authentication (MFA) need to be enforced to prevent data breaches. However, applying a stringent, organization-wide access policy like MFA might have adverse effects on the user experience. While two- or three-factor authentication can secure remote logins, it might be an unnecessary hassle for on-premises users already secured within the perimeter of the office. A more efficient approach is to apply access policies based on context. ADSelfService Plus' Conditional Access feature helps achieve this. This aids organizations in:

  • Implementing access controls without IT administrator intervention.
  • Improving an organization's security posture without affecting the user experience.

What is conditional access?

Conditional access implements a set of rules that analyze various risk factors, such as IP address, time of access, device, and the user's geolocation, to enforce automated access control decisions. The decisions are implemented in real time based on user risk factors to avoid unnecessarily strict security measures imposed in no-risk scenarios. This ensures an enhanced user experience without affecting security.

Some of the common scenarios and the corresponding security measures that can be applied using conditional access include:

  • Mandating multi-factor verification for privileged users.
  • Mandating MFA for off-site access to business-critical applications for all employees.
  • Blocking access to high-risk actions like password reset requests from untrusted IPs or unknown devices.

How does a conditional access policy work?

Before learning how conditional access works, let's look at the basics of building a conditional access rule:

  1. Conditions

    This includes the list of factors that may make or break the security of your organization. ADSelfService Plus enables you to configure conditions based on the following risk factors:

    • IP address (trusted and untrusted)
    • Device (device type and platform)
    • Business hours (business hours and non-business hours)
    • Geolocation (based on request origin)
  2. Criteria

    After configuring the conditions, criteria can be devised using operators like AND, OR, or NOT. It is this criteria that is associated with the access policy.

  3. Access policy

    The criteria is then associated with a preconfigured access policy, referred to in ADSelfService Plus as a self-service policy. IT admins can create self-service policies and enable specific features for users belonging to particular domains, organizational units (OUs), and groups.

For more details about building conditional access rules, check out the guides on self-service policy and conditional access configuration.

Once a conditional access rule is built, here is what happens:


  1. A user attempts to log in to their machine, or after logging in, tries to access an application or one of the self-service features in ADSelfService Plus.
  2. Based on predefined conditions, risk factors such as the user's IP address, time of access, and geolocation are analyzed.
  3. If the data satisfies the conditions, the user is assigned to a self-service policy that enables one of these actions:
    • Complete access to the domain account and features
    • Secure access using MFA
    • Limited access to certain features
    • Restricted access to particular features
  4. If the user does not satisfy any of the configured conditional access rules, a self-service policy will be applied based on the user's group or OU.

Use cases illustrating how a conditional access policy works

Use case 1: When remote logins to an organization's Active Directory (AD) domain need to be secured using MFA

In our example, consider that on-premises users make up 50% of your organization's workforce. Another 20% are remote users. The remaining 30% are users that alternate between remote and on-premises work models as required. We will have to enforce MFA for users who log in remotely. Leveraging conditional access for this scenario involves:

  1. Enforcing a self-service policy that enables endpoint MFA.
  2. Configuring two conditions:
    • IP address: A list of trusted IP addresses is provided.
    • Location: Selecting locations outside the organization's premises.
  3. Creating the following criteria:
    • (NOT trusted IP addresses) AND selected locations
  4. The criteria is associated with a self-service policy.

Here is how this conditional access policy will work:

When a user tries to log in to a machine, the user's IP address and geolocation are analyzed. If it is not a trusted IP address and a selected geolocation, the criteria is satisfied and the user is assigned the self-service policy that enforces endpoint MFA. When the conditions aren't satisfied, any other self-service policy that applies to the user is assigned.

Use case 2: Allow only users with domain-joined machines to access enterprise applications using SSO

Enterprise applications are often used to process and store sensitive user data. Since most of these applications are now deployed in the cloud and outside the security perimeter of your network, they are a favorite target for cyberattackers. They use phishing and other attack techniques to gain access to the applications and exfiltrate data remotely. With conditional access, you can allow only users who have a domain-joined computer to access important applications that contain sensitive data. You can go one step further and permit only a list of trusted IP addresses to access critical applications, ensuring that attackers can't have access to these applications even if they steal your users' credentials. Here is an example for configuring a conditional access rule for this scenario:

  1. Configuring a self-service policy that enables SSO for the required applications.
  2. Configuring two conditions:
    • IP address-based: A list of trusted IP addresses is provided.
    • Device-based: All domain-joined computer objects are selected.
  3. Creating the following criteria:
    • Trusted IP addresses AND Selected computer objects
  4. Associating the criteria with the created self-service policy.

Here is how this conditional access rule will work:

When a user tries to log in to an enterprise application through SSO, the device IP address and type are analyzed. If it is a trusted IP address and the computer object belongs to the AD domain, the criteria created is satisfied. Then, the self-service policy associated with the criteria is assigned to the user. This enables the user to access enterprise applications using SSO.

Benefits of enabling conditional access with ADSelfService Plus

  • Use over 20 advanced authentication factors to implement MFA
  • Moderate access to machines, VPNs, RDP, OWA, and the Exchange admin center from a single console
  • Enable granular conditional access policies for different departments in the organization

Fortify access management with risk-based contextual authentication.

Get Your Free Trial  

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by