In plain English
Conditional Access is like a smart security gate for your Microsoft environment. Instead of simply accepting a correct password, it checks: Is this user's account at risk? Is the device managed and compliant? Is the login coming from an unusual location? Only when all conditions are met does it grant access — otherwise it can block, challenge with MFA, or limit what the user can do.
Full definition
Conditional Access policies are built as if-then rules: if a user meets certain conditions, then apply specific access controls. Conditions can include user or group membership, the application being accessed, device platform and compliance state, IP location, and the sign-in risk score from Microsoft Entra ID Protection.
Common policy patterns include: requiring MFA for all users, blocking legacy authentication protocols (SMTP AUTH, POP, IMAP), requiring compliant devices for access to sensitive data, and applying app-enforced restrictions on unmanaged devices.
Policies should always be tested in Report-Only mode before enforcement. A misconfigured policy can lock all users — including admins — out of critical systems.
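The if-then evaluation described above, as an added toy model in Python (not Microsoft's code or the Graph API schema): each policy carries conditions, grant controls and a state, and is evaluated against constructed sign-ins so that the report-only behaviour and the break-glass exclusion are visible. The state strings mirror the ones Conditional Access uses; `BreakGlass` is an assumed exclusion group and the sign-in fields are simplified.

```python
from dataclasses import dataclass, field

# Constructed toy model of Conditional Access evaluation (added example, not Microsoft code).
@dataclass
class SignIn:
    user: str
    groups: set
    client_app: str        # "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"
    device_compliant: bool
    risk: str              # sign-in risk level: "none", "low", "medium", "high"

@dataclass
class Policy:
    name: str
    state: str             # "enabled", "enabledForReportingButNotEnforced" (report-only), "disabled"
    controls: list         # grant controls, e.g. ["block"], ["mfa"], ["compliantDevice"]
    exclude_groups: set = field(default_factory=set)
    client_apps: set = field(default_factory=set)  # empty = any client app type
    risk_levels: set = field(default_factory=set)  # empty = any risk level

    def matches(self, s: SignIn) -> bool:
        """The 'if' half: every configured condition must hold (AND); exclusions win."""
        if self.exclude_groups & s.groups:
            return False
        if self.client_apps and s.client_app not in self.client_apps:
            return False
        return not self.risk_levels or s.risk in self.risk_levels

def evaluate(policies, s: SignIn):
    """The 'then' half: combine the controls of every matching enforced policy (most restrictive wins).
    Returns (decision, names of report-only policies that would have applied)."""
    required, report_only = set(), []
    for p in policies:
        if p.state == "disabled" or not p.matches(s):
            continue
        if p.state == "enabledForReportingButNotEnforced":
            report_only.append(p.name)   # logged for review, never enforced
            continue
        required.update(p.controls)
    if "block" in required or ("compliantDevice" in required and not s.device_compliant):
        return "block", report_only
    return ("mfa" if "mfa" in required else "grant"), report_only

# Constructed sample policies mirroring the patterns above; BreakGlass is a hypothetical exclusion group.
POLICIES = [
    Policy("Block legacy authentication", "enabledForReportingButNotEnforced", ["block"],
           client_apps={"exchangeActiveSync", "other"}),
    Policy("Require MFA for all users", "enabled", ["mfa"], exclude_groups={"BreakGlass"}),
    Policy("Require compliant device", "enabled", ["compliantDevice"], exclude_groups={"BreakGlass"}),
    Policy("Block high sign-in risk", "enabled", ["block"], risk_levels={"high"}),
]
```

Switching the first policy's state to `"enabled"` turns the report-only hit into a hard block, which is the step to take only after the report-only sign-in logs show no unexpected matches.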
