Conditional access is a policy-based approach that makes resource access dependent on the request context — such as device type, location, user status, risk assessment, or time of day. Microsoft’s Entra ID Conditional Access is the best-known implementation.
In an ISMS, conditional access implements ISO 27001 Annex A controls A.5.15 (Access Control), A.8.1 (User Endpoint Devices), and A.8.5 (Secure Authentication). Typical rules: enforce MFA for access from unknown locations, verify device compliance before granting access to confidential data, block legacy protocols, and limit session duration under elevated risk. Conditional access is a central building block of zero-trust architectures because each request is evaluated individually.
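The typical rules listed above, as an added sketch of per-request evaluation (not Entra ID's policy schema and not code from any product). The location names, protocol list, session lengths and the precedence of block over MFA are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy data; every value here is an assumption for the example.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_basic"}
TRUSTED_LOCATIONS = {"DE-HQ", "DE-BRANCH"}
SESSION_MINUTES = {"low": 480, "medium": 60, "high": 15}

@dataclass(frozen=True)
class Request:
    user: str
    location: str
    protocol: str
    device_compliant: bool
    resource_label: str          # "internal" or "confidential"
    risk: str                    # "low", "medium" or "high"
    mfa_done: bool = False

@dataclass
class Decision:
    effect: str                  # "allow", "require_mfa" or "block"
    session_minutes: int
    reasons: list = field(default_factory=list)

def evaluate(req: Request) -> Decision:
    """Evaluate one request in isolation; block beats require_mfa beats allow."""
    reasons = []
    if req.protocol.lower() in LEGACY_PROTOCOLS:
        reasons.append("legacy protocol blocked")
    if req.resource_label == "confidential" and not req.device_compliant:
        reasons.append("non-compliant device for confidential data")
    if reasons:                  # any block rule wins; no session is issued
        return Decision("block", 0, reasons)
    session = SESSION_MINUTES[req.risk]
    if req.risk != "low":
        reasons.append(f"session limited to {session} min ({req.risk} risk)")
    if req.location not in TRUSTED_LOCATIONS and not req.mfa_done:
        reasons.append("MFA required: unknown location")
        return Decision("require_mfa", session, reasons)
    return Decision("allow", session, reasons)

if __name__ == "__main__":
    # Constructed sample requests, not real log data.
    for r in (Request("alice", "DE-HQ", "https", True, "confidential", "low"),
              Request("bob", "US-CAFE", "https", True, "internal", "medium"),
              Request("carol", "DE-HQ", "imap", True, "internal", "low")):
        print(r.user, evaluate(r))
```

Because the decision depends only on the request passed in, the same user can be allowed, challenged or blocked within minutes as location, device state or risk changes.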