What's Conditional Access?


Conditional Access refers to ways you can control the devices and apps that are allowed to connect to your email and company resources. In this topic, learn about device-based and app-based Conditional Access, and find common scenarios for using Conditional Access with Intune.

Enterprise Mobility + Security (EMS) Conditional Access is not a standalone product; it is a solution that spans all the services and products that are part of EMS. It provides granular access control to keep your corporate data secure, while giving users an experience that allows them to do their best work from any device and from any location.

You can define conditions that gate access to your corporate data based on location, device, user state, and application sensitivity.


Conditional Access also extends its capabilities to Office 365 services.

Conditional Access architectural diagram

Conditional Access with Intune

Conditional Access is an Azure Active Directory capability that is included with an Azure Active Directory Premium license. Intune enhances this capability by adding mobile device compliance and mobile app management to the solution.

Intune and Conditional Access when using EMS

Ways to use Conditional Access with Intune:

  • Device-based Conditional Access

    • Conditional Access for Exchange on-premises

    • Conditional Access based on network access control

    • Conditional Access based on device risk

    • Conditional Access for Windows PCs

      • Corporate-owned

      • Bring your own device (BYOD)

  • App-based Conditional Access

Next steps

Common ways to use Conditional Access with Intune