# Conditional Access

Conditional Access policies at their simplest are if-then statements; **if** a user wants to access a resource, **then** they must complete an action. For example: If a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.

<figure><img src="/files/j7kYfSYBHe9yT2ZA2q3g" alt=""><figcaption></figcaption></figure>

## Finding flaws

Managing conditional access is hard. Since Microsoft started enforcing MFA in 2025, many exceptions have been added to conditional access policies. Each exception lets an attacker match (or bypass) a policy and still get access. Some conditions, such as device platform or location, can also be satisfied simply by modifying the user-agent header or by switching to a "safe" country through a VPN.

{% hint style="warning" %}
A big problem is that someone from the outside never knows **why** the authentication fails (which condition they don't meet).
{% endhint %}

### Access tokens

Once you hold an access token, you are no longer authenticating, so using the token always bypasses conditional access. However, [CAE](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation) could still be a problem.

### Device platforms

<figure><img src="/files/0c2xAXsh8pVrEPz4BYkQ" alt=""><figcaption></figcaption></figure>

Check whether you can log in after modifying the `user-agent` header.

### Location

Locations can be GEO-based or IP-based (<https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network>). Often the company's WAN address(es) are included as a trusted location. So if you manage to compromise a system within that internal network, or an application with, for example, a `managed identity`, try to authenticate through that system/application.

### Get conditional access policies

```
roadrecon plugin policies
```

This writes all conditional access information to a .html file.
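To spot the exceptions and spoofable conditions described above across a whole tenant, here is an added Python example (not from this page and not roadrecon's code) that audits policy objects shaped like Microsoft Graph `conditionalAccessPolicy` resources. The sample policies are constructed; the `audit_policy` and `audit` function names are my own.

```python
# Constructed sample policies, shaped like Graph conditionalAccessPolicy objects
# (not real tenant data). Only the keys the audit looks at are populated.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["svc-backup@example.invalid"],
                              "excludeGroups": ["grp-mfa-exceptions"]},
                    "platforms": None, "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block unmanaged platforms", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["windows"]},
                    "locations": None},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "MFA outside office", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "platforms": None,
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def audit_policy(policy):
    """Return a list of weak-spot descriptions for one policy (empty if none flagged)."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    # Report-only or disabled policies grant nothing and block nothing.
    if policy.get("state") != "enabled":
        findings.append(f"not enforced (state={policy.get('state')})")
    # Every excluded user or group is an exception that sidesteps the control.
    excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
    if excluded:
        findings.append("exclusions bypass the control: " + ", ".join(excluded))
    # Device platform is derived from the client user-agent, so it is attacker-chosen.
    if cond.get("platforms"):
        findings.append("depends on device platform, which is derived from the user-agent")
    # Excluded (trusted) locations let any traffic egressing from those IPs skip the policy.
    locations = cond.get("locations") or {}
    if locations.get("excludeLocations"):
        findings.append(f"excludes locations {locations['excludeLocations']}")
    return findings


def audit(policies):
    """Map each policy's displayName to its findings."""
    return {p["displayName"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(name, "->", findings or ["no weak spots flagged"])
```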
