What is conditional / risk-based access and how does it work?
Short answer
Conditional access makes the access decision depend on context rather than a fixed rule. It evaluates signals — who the user is, device compliance, location, the app, and a computed risk score from anomaly detection — and responds proportionally: allow, block, or require step-up like MFA or a compliant device. Risk-based access is the dynamic variant where a real-time risk signal drives the policy.
A static "allow if password is correct" decision wastes information. Conditional access (and its dynamic cousin, risk-based access) makes the authorization decision a function of context, so the system can be lenient when everything looks normal and strict when it doesn't.
How the decision is made
A policy engine combines signals at the moment of access:
- Identity — who is the user, what group/role.
- Device — is it managed, compliant, patched, encrypted?
- Location and network — known country, corporate IP, impossible-travel checks.
- Application sensitivity — finance app vs. cafeteria menu.
- Risk score — a real-time signal from anomaly detection (leaked-credential matches, unfamiliar sign-in patterns, atypical token usage).
The engine then responds proportionally: allow, block, or step up by requiring MFA, a compliant device, or password reset. This is the enforcement layer that makes Zero Trust practical.
Risk-based authentication specifically
Risk-based auth feeds a continuously-computed risk score into the policy. A login from the user's usual device and city sails through; the same account suddenly authenticating from a new country on an unmanaged device triggers MFA or a block. The point is to add friction only where the data justifies it.
The trap: friction and false positives
Overly aggressive policies lock out legitimate users (a sales rep traveling, a VPN exit node) and breed workarounds. Good design uses graduated responses (step-up, not hard block) and tunes against real telemetry, and it always preserves a recovery path so a bad signal doesn't strand someone permanently.
What interviewers look for: you describe context signals plus proportional responses (allow/block/step-up), you tie it to Zero Trust enforcement, and you acknowledge the usability/false-positive trade-off.
Likely follow-ups
- What signals would you weigh when scoring login risk?
- What is 'step-up' authentication and when should it trigger?
- How do you avoid blocking legitimate users with overly aggressive policies?