
Conditional Access and MFA in the Cloud

Passwords alone are no longer an acceptable method of protecting access to cloud resources. Industry data consistently shows that compromised credentials are the leading attack vector in cloud breaches. Conditional Access and Multi-Factor Authentication (MFA) are the two most effective controls for mitigating this risk — and they work best when deployed together as part of an adaptive access strategy.

This lesson explains how Conditional Access and MFA function in cloud environments, why they must be mandatory for all cloud access, and how executives can ensure these controls are implemented effectively without creating unacceptable friction for legitimate users.

MFA as the Baseline Control

Multi-Factor Authentication requires users to provide two or more verification factors: something they know (password), something they have (a device or security key), and something they are (biometrics). In cloud environments, MFA should be considered a non-negotiable baseline:

  • All human users accessing cloud management consoles, administrative portals, or sensitive data should be required to authenticate with MFA. No exceptions for executives or senior leaders — these accounts are the highest-value targets for attackers.
  • Phishing-resistant MFA such as FIDO2 security keys or platform authenticators should be preferred over SMS-based codes or simple push notifications, which are vulnerable to real-time phishing and MFA fatigue attacks.
  • Break-glass accounts — emergency access accounts that bypass MFA — must exist but should be stored securely, monitored for any use, and tested regularly to ensure they function when needed.

[Diagram: Conditional Access Decision Flow. Flowchart showing how a Conditional Access engine evaluates user identity, device compliance, location, application sensitivity, and risk score to determine whether to allow, block, or require step-up authentication.]

Conditional Access — Context-Aware Security

While MFA verifies identity, Conditional Access evaluates the context of each access request and applies appropriate controls dynamically. A Conditional Access policy evaluates signals such as:

  • User identity and group membership — different roles receive different access requirements
  • Device compliance — is the device managed, encrypted, and running current security patches?
  • Location — is the request originating from a trusted network, a known geography, or an unexpected region?
  • Application sensitivity — accessing a public marketing site requires different controls than accessing financial systems
  • Real-time risk assessment — platforms like Azure Entra ID Protection assign risk scores based on threat intelligence and anomaly detection

Based on these signals, Conditional Access can allow access, require additional verification, limit access to specific applications, or block the request entirely.
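The decision flow described above, as an added example that is not part of this lesson or of any vendor's product: a small Python policy evaluator that applies the listed signals to one access request and returns allow, block, or a step-up requirement, with the reasons recorded for the audit log. The group name, the break-glass account name, the MFA method labels and the 0 to 1 risk scale are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"                    # any registered second factor
    REQUIRE_PHISHING_RESISTANT = "require_fido2"   # FIDO2 key or platform authenticator only
    BLOCK = "block"

PHISHING_RESISTANT = {"fido2", "platform_authenticator"}   # assumed method labels
ADMIN_GROUPS = {"cloud-admins"}                             # constructed sample group name
BREAK_GLASS = {"breakglass-01"}                             # constructed sample account name

@dataclass
class AccessRequest:
    user: str
    groups: frozenset
    app_sensitivity: str          # "low" | "medium" | "high"
    device_compliant: bool        # managed, encrypted, patched
    trusted_location: bool
    risk_score: float             # 0.0 (none) .. 1.0 (confirmed compromise); assumed scale
    mfa_method: Optional[str]     # factor already satisfied in this session, or None

def evaluate(req: AccessRequest) -> tuple:
    """Return (Decision, reasons); reasons is a list of strings for the audit log."""
    # Break-glass accounts bypass MFA by design; every use must raise an alert.
    if req.user in BREAK_GLASS:
        return Decision.ALLOW, ["ALERT: break-glass account used; notify security operations"]
    # Hard blocks first: likely compromise, or sensitive data from an unmanaged device.
    if req.risk_score >= 0.8:
        return Decision.BLOCK, ["risk score indicates likely compromise"]
    if req.app_sensitivity == "high" and not req.device_compliant:
        return Decision.BLOCK, ["sensitive application from non-compliant device"]
    # Baseline: MFA for every human user, no exceptions.
    if req.mfa_method is None:
        return Decision.REQUIRE_MFA, ["no second factor presented"]
    # Context that warrants a phishing-resistant step-up.
    reasons = []
    if req.groups & ADMIN_GROUPS:
        reasons.append("administrative role")
    if req.app_sensitivity == "high":
        reasons.append("high-sensitivity application")
    if not req.trusted_location:
        reasons.append("request from untrusted location")
    if req.risk_score >= 0.4:
        reasons.append("elevated sign-in risk")
    if reasons and req.mfa_method not in PHISHING_RESISTANT:
        return Decision.REQUIRE_PHISHING_RESISTANT, reasons
    return Decision.ALLOW, reasons or ["low-risk context, MFA satisfied"]
```

Rule order matters: hard blocks are evaluated before any step-up so that a compromised session is never offered a chance to satisfy MFA.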

Action steps for your organisation:

  • Mandate MFA for all human users accessing cloud services — prioritise administrative and privileged accounts first
  • Deploy phishing-resistant MFA methods and create a timeline for deprecating SMS-based verification
  • Implement Conditional Access policies that evaluate device compliance, location, and risk signals
  • Establish and secure break-glass accounts with monitoring alerts for any usage

Quick Knowledge Check

  1. Why should SMS-based MFA be replaced with phishing-resistant methods?
    SMS codes can be intercepted through SIM swapping or real-time phishing proxies. Phishing-resistant methods like FIDO2 security keys use cryptographic verification tied to the legitimate service, making them immune to these attacks.
  2. What is the difference between MFA and Conditional Access?
    MFA verifies that the user is who they claim to be by requiring multiple authentication factors. Conditional Access evaluates the broader context of the request — device, location, risk, and application — to determine what level of access to grant.