Conditional Access is a Microsoft feature, which (at its simplest) enforces rules for user logon. https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview For example, as an Australian business you may make a set of rules like: - A user cannot login outside of Australia - They must use strong MFA to logon - Their logon sessions only last 2 days at maximum - Their user does not have any "At Risk" warnings against it This is a fail to safety approach. Rather than enabling features per user, it sets it at an organisation level. A new team member joins the company, and their first logon makes them set up MFA. If they are phished, or compromised, their logon only works within a very small part of the world. They need to reauthenticate once a week. Any automated flags against their account forces investigation.