Understand conditional access policies (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Understand conditional access policies


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Modern organizations must secure access to Microsoft 365 resources while still allowing users to work from anywhere and on many different devices. Traditional security models that rely only on usernames and passwords are no longer sufficient.

Conditional Access is one of the most important security features in Microsoft Entra. It helps organizations make intelligent access decisions based on various conditions and risk signals.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand what Conditional Access is, how policies work, and the common controls used to protect Microsoft 365 resources.


What Is Conditional Access?

Conditional Access is a feature of Microsoft Entra ID that evaluates signals and applies access controls before allowing users to access resources.

It is often described as:

“If this condition exists, then perform this action.”

Examples:

  • If a user signs in from outside the company network, require Multi-Factor Authentication.
  • If a device is not compliant, block access.
  • If a sign-in is considered high risk, deny access.

Conditional Access supports Microsoft’s Zero Trust security strategy.


Why Conditional Access Is Important

Conditional Access helps organizations:

  • Strengthen identity security.
  • Reduce unauthorized access.
  • Protect sensitive information.
  • Enable secure remote work.
  • Support compliance requirements.
  • Apply adaptive security controls.

Instead of trusting every sign-in automatically, Conditional Access evaluates each access request individually.


How Conditional Access Works

A Conditional Access policy generally contains three components:

1. Assignments (Who and What?)

Defines the scope of the policy:

  • Users, groups, or directory roles (with optional exclusions)
  • Target resources (cloud apps or user actions)
  • Conditions (described next; the Entra admin center shows conditions under Assignments, but they are easier to learn as their own component)

2. Conditions (When?)

Conditions determine when the policy applies.

Examples:

  • Location
  • Device platform
  • Sign-in risk
  • User risk
  • Client apps (browser, mobile apps and desktop clients, legacy authentication clients)

3. Access Controls (What Happens?)

Controls determine the action taken once the assignments and conditions match.

Grant controls (examples):

  • Require MFA
  • Require a compliant device
  • Require password change
  • Block access

When several grant controls are selected, the policy can require all of them or any one of them. Session controls (for example, sign-in frequency) can additionally limit what happens inside the session after access is granted.

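As an added example (not from the original post or from Microsoft's documentation), here is how the three components map onto a policy object created with the Microsoft Graph PowerShell SDK. The group name "Emergency Access Accounts" and the policy display name are assumptions; the Global Administrator role template ID is Microsoft's published value. The policy starts in report-only mode so its effect can be observed before it is enforced.

```powershell
# Added example: create a Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph) and an account
# permitted to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Assumption: a group named "Emergency Access Accounts" holds the break-glass accounts.
# Excluding it keeps admins from being locked out if MFA is unavailable.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before deploying the policy." }

# Well-known role template ID for Global Administrator (published by Microsoft).
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

$policy = @{
    displayName = "CA-ADM-01: Require MFA for Global Administrators"   # assumed name
    # Report-only mode: sign-ins are evaluated and logged, but nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"

    # 1. Assignments and 2. Conditions: who, what, and when the policy applies.
    conditions  = @{
        users = @{
            includeRoles  = @($globalAdminRoleId)   # who: holders of the Global Administrator role
            excludeGroups = @($breakGlass.Id)       # exclusions win over inclusions
        }
        applications = @{
            includeApplications = @("All")          # what: every cloud app
        }
        clientAppTypes = @("all")                   # when: any client type (browser, rich client, legacy)
    }

    # 3. Access controls: what happens when the assignments match.
    grantControls = @{
        operator        = "OR"                      # with a single control, OR and AND behave the same
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' with id $($created.Id) in state $($created.State)"
```

After reviewing the report-only results in the Entra sign-in logs, switch the policy on by calling Update-MgIdentityConditionalAccessPolicy with state set to "enabled". Keep the break-glass exclusion in place when you do.
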
Common Components of a Conditional Access Policy

Users and Groups

Policies can target:

  • All users
  • Specific users
  • Security groups
  • Administrative accounts

Organizations often apply stricter policies to privileged users.


Cloud Apps and Resources

Policies can protect:

  • Microsoft 365 applications
  • Teams
  • Exchange Online
  • SharePoint Online
  • Custom applications

Different applications can have different requirements.


Conditions Used by Conditional Access

Location

Policies can evaluate where users are signing in from.

Examples:

  • Trusted corporate locations
  • External networks
  • Specific countries or regions

Example:

If sign-in occurs outside the corporate network,
require MFA.

Device Platform

Policies can apply to:

  • Windows
  • macOS
  • iOS
  • Android

Organizations may choose to treat platforms differently.


Device State

Conditional Access can check the device used for the sign-in, for example whether it is:

  • Marked compliant by Intune
  • Microsoft Entra hybrid joined
  • Otherwise managed, or matched by a device filter

Organizations can block unmanaged devices entirely, or require a managed device only for sensitive apps.


Sign-In Risk

Microsoft Entra ID Protection evaluates each sign-in for suspicious activity and assigns it a risk level (low, medium, or high).

Examples:

  • Atypical travel (often called impossible travel)
  • Unfamiliar sign-in properties
  • Anonymous IP addresses (for example, Tor or anonymizing VPN services)

Higher-risk sign-ins may trigger additional controls. Note that sign-in risk and user risk conditions require Microsoft Entra ID P2 licensing.


User Risk

User risk reflects the likelihood that a user’s account has been compromised.

Examples:

  • Leaked credentials
  • Suspicious behavior

Organizations can require password changes or block access for risky users.

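Added example (not part of the original post): two risk-based policies created with the Microsoft Graph PowerShell SDK, one keyed on sign-in risk and one on user risk, as described in the two sections above. Both conditions need Microsoft Entra ID P2 (ID Protection). The policy names and the "Emergency Access Accounts" group are assumptions.

```powershell
# Added example: risk-based Conditional Access policies via Microsoft Graph PowerShell.
# Sign-in risk and user risk conditions require Microsoft Entra ID P2 (ID Protection).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Assumption: break-glass accounts live in this group; they are excluded from risk policies too.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before deploying the policies." }

# Shared assignment: all users and all cloud apps, minus the break-glass group.
$scope = @{
    users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
}

# Policy 1: medium or high sign-in risk -> the user must prove possession of a second factor.
$signInRiskPolicy = @{
    displayName   = "CA-RISK-01: Require MFA for medium or high sign-in risk"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: high user risk (for example leaked credentials) -> MFA AND a password change.
# operator = "AND" means both controls must be satisfied; the MFA step ensures the person
# changing the password is the legitimate owner rather than the attacker holding the leak.
$userRiskPolicy = @{
    displayName   = "CA-RISK-02: Require secure password change for high user risk"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ userRiskLevels = @("high") }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($p in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created '$($created.DisplayName)' ($($created.Id)) state=$($created.State)"
}
```

The password-change control is deliberately combined with MFA using "AND": requiring only a password reset would let an attacker who already holds the leaked password set a new one themselves.
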

Access Controls

After evaluating conditions, Conditional Access applies controls.

Require Multi-Factor Authentication

One of the most common controls.

Example:

Require MFA for all administrator accounts.

Benefits:

  • Stronger identity protection.
  • Reduced impact of stolen passwords, since the password alone no longer grants access.

Require Device Compliance

Users must use devices that meet organizational standards.

Examples:

  • Encryption enabled
  • Antivirus installed
  • Latest updates applied

This often integrates with Microsoft Intune.


Require Microsoft Entra Hybrid Joined Device

Ensures access is granted only from organization-owned Windows devices that are joined to the on-premises domain and also registered with Microsoft Entra ID.


Require Password Change

Used when a user account is considered compromised (high user risk). It is paired with MFA so that the legitimate user, not the attacker, performs the reset.


Block Access

The most restrictive control.

Examples:

  • Block high-risk users.
  • Block unsupported devices.
  • Block access from certain locations.

Named Locations

Named locations let administrators define locations by public IP address range or by country/region, and optionally mark an IP-based location as trusted.

Examples:

  • Corporate office egress IP ranges (marked trusted)
  • Countries or regions where the organization has no users (useful for blocking)

Trusted locations can reduce unnecessary MFA prompts while maintaining security. Keep the ranges tight: anyone who can send traffic from a trusted range inherits the exemption, so trusted locations should not exempt privileged accounts from MFA.


Conditional Access and Multi-Factor Authentication

Conditional Access frequently works together with MFA.

Examples:

Scenario 1

User signs in from home.

Result:

  • Require MFA.

Scenario 2

User signs in from a trusted office.

Result:

  • Allow access without additional prompts.

This creates a balance between security and user convenience. Scenario 2 only works if the policy excludes the trusted named location and no other policy still requires MFA: every matching policy is evaluated, all of their controls must be satisfied, and a block in any policy wins.

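Added example (not from the original post) covering both the Named Locations section and the two scenarios above: it defines a trusted IP named location with the Microsoft Graph PowerShell SDK, then creates a policy that requires MFA from everywhere except trusted locations. The IP range 203.0.113.0/24 is the RFC 5737 documentation range used as a placeholder, and the location name, policy name and "Emergency Access Accounts" group are assumptions.

```powershell
# Added example: define a trusted IP named location, then require MFA everywhere else.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Assumption: the corporate office egresses from 203.0.113.0/24 (RFC 5737 documentation
# range used as a placeholder; replace it with the real public egress range).
$location = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate HQ egress"          # assumed name
    isTrusted     = $true                          # marks the range as a trusted location
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location

# Assumption: break-glass accounts live in this group.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before deploying the policy." }

# Scenario 1 (home): the sign-in location is not trusted -> policy applies -> MFA required.
# Scenario 2 (office): the location is in excludeLocations -> policy does not apply -> no prompt.
$policy = @{
    displayName   = "CA-LOC-01: Require MFA outside trusted locations"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            # "AllTrusted" covers every named location marked trusted, including $hq above.
            # Use @($hq.Id) instead to exempt only this one location.
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)); trusted location id: $($hq.Id)"
```

Because this policy targets all users, a separate admin policy without the location exemption (such as one requiring MFA for Global Administrators from any location) should remain in place: the most-restrictive combination of all matching policies is what the user experiences.
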

Conditional Access and Device Compliance

Organizations often require devices to be:

  • Managed by Intune.
  • Encrypted.
  • Updated.
  • Secure.

If devices fail compliance requirements, access may be denied.


Conditional Access and Zero Trust

Conditional Access directly supports all three Zero Trust principles.

Verify Explicitly

Evaluate identity, device, location, and risk.

Use Least Privileged Access

Grant only the access a request needs, for example requiring a compliant device for sensitive apps while leaving lower-risk apps reachable from any device.

Assume Breach

Treat every sign-in as potentially hostile: risk-based policies respond when an account shows signs of compromise instead of trusting a password that may already have leaked.


Conditional Access and Microsoft 365 Copilot

Microsoft 365 Copilot uses the same identity and access controls that protect Microsoft 365.

Conditional Access policies can affect access to:

  • Microsoft Teams
  • SharePoint Online
  • Exchange Online
  • OneDrive
  • Copilot experiences

Copilot does not bypass Conditional Access requirements.


Best Practices

Enable MFA for All Users

MFA is one of the strongest protections available.

Protect Administrator Accounts

Apply stricter controls to privileged users.

Require Compliant Devices

Reduce risks from unmanaged devices.

Use Trusted Locations Carefully

Avoid creating unnecessary exceptions.

Follow the Principle of Least Privilege

Grant only necessary access.

Exclude Emergency Access Accounts

Keep at least one break-glass account excluded from every policy so that an MFA or Intune outage cannot lock every administrator out.

Test in Report-Only Mode First

Report-only mode logs what a policy would have done without enforcing it. Review the sign-in logs (or use the What If tool) before switching a policy to On.


Benefits of Conditional Access

Organizations gain:

Adaptive Security

Policies adjust based on risk and conditions.

Improved User Experience

Security requirements appear only when necessary.

Stronger Identity Protection

Compromised accounts are easier to detect and control.

Support for Remote Work

Users can work securely from anywhere.

Zero Trust Alignment

Every access request is evaluated individually.


Exam Tips

Remember these key AB-900 concepts:

  • Conditional Access is a feature of Microsoft Entra ID.
  • Policies use an if-then approach.
  • Conditions include location, device state, sign-in risk, and user risk.
  • Access controls include requiring MFA, requiring compliant devices, and blocking access; when several policies match, all of their controls must be satisfied, and a block wins.
  • Conditional Access works closely with Intune (device compliance) and Microsoft Entra ID Protection (risk signals).
  • Named locations define trusted networks.
  • Conditional Access supports Zero Trust principles.
  • Microsoft 365 Copilot respects Conditional Access policies.
  • Administrator accounts typically receive stricter protections.
  • Conditional Access improves both security and usability.

Practice Exam Questions

Question 1

What is the primary purpose of Conditional Access?

A. Increase mailbox quotas
B. Automatically create Teams channels
C. Apply access decisions based on conditions and risk signals
D. Replace Microsoft Defender

Correct Answer: C

Explanation: Conditional Access evaluates various signals and determines whether access should be allowed, restricted, or blocked.


Question 2

Conditional Access is a feature of which Microsoft service?

A. Microsoft Entra ID
B. Exchange Online
C. Microsoft Purview
D. SharePoint Online

Correct Answer: A

Explanation: Conditional Access is provided through Microsoft Entra ID and is used to secure access to resources.


Question 3

Which statement best describes how Conditional Access works?

A. Use an “if condition, then action” model.
B. Always allow access.
C. Disable all external connections.
D. Eliminate authentication requirements.

Correct Answer: A

Explanation: Conditional Access evaluates conditions and applies controls accordingly.


Question 4

Which condition can be evaluated by Conditional Access?

A. Printer model
B. Monitor size
C. Mouse type
D. Sign-in risk

Correct Answer: D

Explanation: Sign-in risk is one of the security signals used when evaluating access requests.


Question 5

Which access control commonly works with Conditional Access to strengthen security?

A. Shared mailboxes
B. Multi-Factor Authentication
C. Distribution lists
D. Document versioning

Correct Answer: B

Explanation: MFA is frequently required through Conditional Access policies.


Question 6

What is the purpose of named locations?

A. Define trusted networks and IP ranges
B. Store SharePoint documents
C. Create Teams channels
D. Manage email retention

Correct Answer: A

Explanation: Named locations identify trusted locations that can influence policy behavior.


Question 7

Which Microsoft solution often works with Conditional Access to evaluate device compliance?

A. Microsoft Lists
B. Microsoft Planner
C. Microsoft Intune
D. Microsoft Forms

Correct Answer: C

Explanation: Intune provides device management and compliance information used by Conditional Access.


Question 8

Which action represents the most restrictive access control?

A. Require MFA
B. Require password change
C. Require compliant device
D. Block access

Correct Answer: D

Explanation: Blocking access completely prevents users from reaching resources.


Question 9

Which Zero Trust principle is most directly supported by Conditional Access?

A. Verify Explicitly
B. Trust Internal Networks
C. Open Access First
D. Eliminate Authentication

Correct Answer: A

Explanation: Conditional Access evaluates multiple signals before granting access, which aligns with Verify Explicitly.


Question 10

How does Microsoft 365 Copilot interact with Conditional Access policies?

A. Copilot bypasses policies.
B. Copilot disables MFA requirements.
C. Copilot ignores device compliance rules.
D. Copilot follows the same Conditional Access requirements as Microsoft 365 resources.

Correct Answer: D

Explanation: Copilot inherits existing identity and access controls and does not bypass security policies.


Go to the AB-900 Exam Prep Hub main page
