Conditional Access for Zero Trust

The articles in this section provide a design and framework for implementing Zero Trust principles by using Conditional Access to control access to cloud services. The guidance is based on years of experience with helping customers control access to their resources.

The framework presented here represents a structured approach that you can use to get a good balance between security and usability while ensuring that user access is controlled.

The guidance suggests a structured approach for helping to secure access that's based on personas. It also includes a breakdown of suggested personas and defines the Conditional Access policies for each persona.

Intended audience

This guidance is intended for individuals who:

  • Design security and identity solutions to control access to Azure protected resources.
  • Maintain solutions after they're delivered.

The intended audience has a basic working knowledge of Microsoft Entra ID and a general understanding of multi-factor authentication, Conditional Access, identity, and security concepts.

Knowledge in the following areas is also recommended:

  • Microsoft Endpoint Manager
  • Microsoft Entra identity management
  • Microsoft Entra Conditional Access and multi-factor authentication for guest users (B2B)
  • Microsoft Entra security policies and resource protection
  • The B2B invitation process


Every company has different requirements and security policies. When you create an architecture and follow this suggested framework for Conditional Access, you need to take your company's requirements into account. The guidance includes principles that are related to Zero Trust that you can use as input when you create an architecture. You can then address specific company requirements and policies and adjust the architecture accordingly.

For example, a company might have these requirements:

  • All access must be protected by at least two factors.
  • No data on unmanaged devices.
  • Require a compliant device for access to resources, whenever possible.
  • Guest user access must be governed by Identity Governance using access packages and access reviews.
  • Access to cloud services must be based on passwordless authentication.

Conditional Access guidance

This section includes the following articles:


This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

To see non-public LinkedIn profiles, sign in to LinkedIn.

Next steps