What is a conditional access policy?

Conditional access policies decide whether a user can access a resource by checking specific conditions at sign-in, such as whether the device is compliant, the user's location, and the risk level of the sign-in. If these conditions are met, access can be granted (often with additional verification if needed); if not, access can be blocked or require extra authentication. This approach embodies controlling access based on context, a core aspect of modern secure access models. The described policy—enforcing requirements like device compliance, location, and risk score before granting access—is the best fit. The other ideas don’t apply: always granting access ignores the contextual checks; a policy about password length is a credential rule, not conditional access; and setting user avatars is unrelated to access control.