Why MFA isn't enough anymore!
And Why Conditional Access Is the Only Perimeter Left
For years, Multi-Factor Authentication (MFA) was the golden standard for identity security. It absolutely raised the bar, but attackers evolve faster than your security baseline. Today, MFA is necessary but tragically insufficient.
Token fatigue attacks, SIM swapping, and MFA push notification spam are standard playbook entries for any capable threat actor. Waiting for the user to eventually accept that push notification or getting lucky with a token bypass is often all the attacker needs.
To truly secure the modern enterprise, you need a dynamic defense that evaluates every single access attempt against a matrix of real-time conditions. This is the mandate of Conditional Access (CA), and it is the non-negotiable enforcement mechanism of Zero Trust.
The CA Matrix: Factors Beyond the Password
Effective Conditional Access goes far beyond simply asking for a second factor. Your CA policies must look at four crucial, dynamic factors:
Device Compliance: The Health Check of the Endpoint - It is not enough to know who is signing in; you need to know what they are signing in from. This is where your CA platform must integrate tightly with your Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution (e.g. Jamf).
A robust device compliance policy checks technical specifics:
- Is the disk encrypted (BitLocker/FileVault)?
- Is the firewall enabled?
- Is the device running an approved operating system version (no access from end-of-life builds)?
- Most critically, is the EDR agent installed, running, and reporting a healthy status?
If the device fails any of these checks, the CA policy should immediately block access or redirect the user to an endpoint manager to fix the issue. It should never just issue a warning.
Location and Behavior: Profiling the Unexpected - Simple location-based blocks are easily defeated by a $5 VPN. Modern CA uses Identity Threat Detection and Response (ITDR) engines to analyze user behavior. This includes looking for the classic Impossible Travel scenario, e.g. a login from San Francisco followed by a successful login from Dubai an hour later. But it goes deeper. CA should profile normal user behavior: a financial analyst, for example, rarely accesses the production source code repository. If they do, that unusual behavior should trigger a step-up authentication challenge and a high-priority alert to the SOC. You can also implement geofencing for your highest-risk applications. If an administrator is accessing your domain controller management console, that request should be blocked unless it originates from a pre-approved, monitored corporate network segment.
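The impossible-travel check described above, written out as a small detector over constructed sign-in events. This is an added example, not code from the original article; the 900 km/h plausibility threshold and the sample coordinates are assumptions.

```python
# Added example, not from the original article: flag "impossible travel"
# between consecutive sign-ins by the same user, using the great-circle
# distance between the two login locations and the time between them.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events):
    """Return (user, from_city, to_city, implied_kmh) for every pair of
    consecutive sign-ins that would require implausibly fast travel."""
    findings = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > MAX_PLAUSIBLE_KMH:
                findings.append((ev.user, prev.city, ev.city, round(speed)))
        last_seen[ev.user] = ev
    return findings

# Constructed sample sign-ins: the article's San Francisco -> Dubai case
# plus a benign short hop that must not be flagged.
SAMPLE = [
    SignIn("analyst", datetime(2024, 5, 1, 9, 0), 37.77, -122.42, "San Francisco"),
    SignIn("analyst", datetime(2024, 5, 1, 10, 0), 25.20, 55.27, "Dubai"),
    SignIn("admin", datetime(2024, 5, 1, 9, 0), 37.77, -122.42, "San Francisco"),
    SignIn("admin", datetime(2024, 5, 1, 11, 0), 37.34, -121.89, "San Jose"),
]
```

In production the finding would raise the user's risk score and trigger a step-up challenge rather than just being returned, but the distance-over-time logic is the same.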
Real-Time Risk Score: The Dynamic Defense - The most powerful CA implementations integrate external threat intelligence into the access decision. For example, if your EDR platform detects a living-off-the-land attack (like PowerShell misuse or token dumping) on a user’s workstation, that EDR agent should immediately feed a high-risk score (e.g., Risk_Score = 90) back to the CA system. The CA policy then dictates an instant, dynamic response:
IF User_Identity IS Admin AND Risk_Score > 70 THEN Block All Access AND Revoke All Sessions.
If the score is medium, the policy might allow access only to email and challenge for re-authentication. This creates a dynamically shifting perimeter that adapts instantly to the threat state of the endpoint, providing true zero-trust enforcement.
Application Sensitivity: Layered Protection - Not all applications carry the same risk. Your CA structure must be tiered to protect the crown jewels while minimizing friction for day-to-day tasks. Segment your applications into Tiers 0, 1, and 2.
Tier 0 (Production Infrastructure, HR/Finance): Requires device compliance, behavior analysis, strong session length limits (e.g., 60 minutes), and MFA.
Tier 2 (Internal Wiki, HR Benefits Portal): Requires MFA and perhaps a simple geo-block.
This layered approach ensures your most critical assets are protected by the most stringent rules, preventing a widespread loss of productivity while maintaining a strong security posture.
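The device compliance checks, the admin risk-score rule and the application tiers above, combined into one policy evaluator. This is an added example and not the article's own or any vendor's code: the OS allowlist, the 40-70 medium-risk band, the Tier 1 compliance requirement and the Tier 1/2 session lengths are assumptions; the admin rule and the 60-minute Tier 0 session come from the article.

```python
# Added example, not the article's own or any vendor's code: a minimal
# Conditional Access evaluator over the article's four factors. The OS
# allowlist, the 40-70 medium band and Tier 1/2 session lengths are assumed.
from dataclasses import dataclass

APPROVED_OS = {"macOS 14", "macOS 15", "Windows 11"}   # assumed allowlist
TIER_SESSION_MINUTES = {0: 60, 1: 240, 2: 480}          # Tier 0 = 60 min (article)

@dataclass
class Device:
    disk_encrypted: bool
    firewall_on: bool
    os_version: str
    edr_healthy: bool

@dataclass
class Request:
    is_admin: bool
    risk_score: int   # 0-100, fed back by the EDR/ITDR engine
    device: Device
    app: str
    app_tier: int     # 0 = crown jewels, 2 = low sensitivity

def compliance_failures(d: Device):
    """Names of the endpoint health checks that failed."""
    checks = {
        "disk_encryption": d.disk_encrypted,
        "firewall": d.firewall_on,
        "approved_os": d.os_version in APPROVED_OS,
        "edr_healthy": d.edr_healthy,
    }
    return [name for name, ok in checks.items() if not ok]

def evaluate(req: Request):
    """Return (decision, reasons); the most severe rule wins."""
    # Article's rule: admin with Risk_Score > 70 -> block and revoke sessions.
    if req.is_admin and req.risk_score > 70:
        return "block_and_revoke", ["admin_high_risk"]
    # Non-compliant device (Tier 0, and assumed Tier 1): block and remediate, never just warn.
    failed = compliance_failures(req.device)
    if failed and req.app_tier < 2:
        return "block_remediate", failed
    # Medium risk: only email is reachable, and only after re-authentication.
    if 40 <= req.risk_score <= 70:
        if req.app != "email":
            return "block", ["medium_risk_non_email"]
        return "step_up_mfa", ["medium_risk"]
    # MFA is still required at every tier; session length comes from the tier.
    return "allow_mfa", [f"session_minutes={TIER_SESSION_MINUTES[req.app_tier]}"]
```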
The Operational Reality
Implementing Conditional Access is not a set-it-and-forget-it project. It requires meticulous planning and rigorous testing.
Start small: implement CA policies for your administrator accounts first, then roll out to all users in report-only mode for several weeks to catch any false positives. Manage user friction by communicating why these policies are necessary. When users understand that the extra layer of security on their device protects their job and the company’s future, they become partners in the process, not obstacles.
Conditional Access is complex, but it is the reality of securing any organization that leverages the cloud.



Solid breakdown of why static perimeters don't cut it. The real-time risk scoring integration with EDR is where this gets practical, though; most orgs struggle with the actual feedback loop between endpoint telemetry and CA engines. Would be curious how you handle false positives when a legit user's behavior suddenly shifts due to project changes or on-call rotations.