Conditional Access before or after submitting credentials

David Marques 41 Reputation points


I have a question about conditional access and the Logs that are generated on Azure AD.

Is conditional access policies (for example I have one configured to block access from specific countries) applied before or after authentication attempts?

It's important to know due to some security analysis I'm doing right now.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,521 questions
0 comments No comments
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,536 Reputation points Microsoft Employee

    @David Marques
    Thank you for your post!

    When it comes to Conditional Access Policies, this is where a user is prompted during the sign-in process (after login with username and password) for an additional form of identification (i.e. SMS, Authenticator app, OAUTH token, etc.). For more info.

    Additional Links:
    What is Conditional Access?
    Create a Conditional Access policy
    What authentication and verification methods are available in Azure Active Directory?

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Alan Kinane 16,811 Reputation points MVP

    This would be after you enter your credentials as you have to identify who the user is first in order for the policies to apply so the user will need to authenticate first and then the CA policy will allow or block the user based on the conditions that you have set.

    1 person found this answer helpful.
    0 comments No comments