If Brenda from Accounts attempted to log in from Somalia, do you have conditional access set up so that she (or it might be he) doesn’t have easy access to the Crown Jewels?…:
[…] Policy enforcement is determined by scenarios and factors (signals) that exist within those scenarios. The rules and factors represent concentric rings of trust: starting with a robustly trustable identity, then fanning out to use signals such as robust 2FA, device type, attributes of a user, e.g., a role claim, operating system, location, and so on. These signals can be collated to build a level of trust that informs the access decision, i.e., can that user access this resource or not? Do they need additional credentials to provide access?
Signals are the perimeter now, and the drawbridge we can pull up is controlled by conditional access. The challenge for business IT departments now is how to define those policies, how to validate them and how to manage them. The more users you have with more varying access requirements the harder this becomes, and it is a challenge that hasn’t yet been fully met.
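To make the "concentric rings of trust" concrete, here is an added example (not code from the quoted post or from any identity product) of a small conditional access evaluator. A trusted identity and a permitted role claim are hard gates; the remaining signals (2FA, managed device, location, operating system) are collated into a trust score that is compared with what the resource demands, and the decision is allow, step-up (ask for additional credentials) or deny. The signal names, weights, thresholds, country codes and the Brenda scenario are all constructed assumptions, and the scenario table at the end shows one way to validate a policy before it is enforced.

```python
"""Added example: a toy conditional access policy evaluator.

Weights, thresholds, country codes and the sample users/resources are
constructed assumptions for illustration, not values from any real tenant.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Signals:
    identity_verified: bool       # innermost ring: a robustly trusted identity
    mfa_completed: bool           # robust 2FA already satisfied this session
    device_managed: bool          # device is enrolled and compliant
    os: str
    roles: FrozenSet[str]         # role claims carried by the user
    country: str                  # ISO country code derived from the sign-in location

@dataclass(frozen=True)
class Resource:
    name: str
    required_trust: int           # trust score the resource demands
    required_roles: FrozenSet[str]  # empty set = any role may request it

# Constructed policy parameters (a real deployment tunes these per organisation).
EXPECTED_COUNTRIES = frozenset({"GB", "IE"})
SUPPORTED_OS = frozenset({"Windows", "macOS", "iOS", "Android"})
WEIGHT_MFA, WEIGHT_DEVICE, WEIGHT_LOCATION, WEIGHT_OS = 40, 30, 20, 10

def score(signals: Signals) -> Tuple[int, List[str]]:
    """Collate the outer-ring signals into a trust score plus the reasons behind it."""
    points, reasons = 0, []
    if signals.mfa_completed:
        points += WEIGHT_MFA
        reasons.append("mfa")
    if signals.device_managed:
        points += WEIGHT_DEVICE
        reasons.append("managed-device")
    if signals.country in EXPECTED_COUNTRIES:
        points += WEIGHT_LOCATION
        reasons.append("expected-location")
    else:
        reasons.append(f"unexpected-location:{signals.country}")
    if signals.os in SUPPORTED_OS:
        points += WEIGHT_OS
        reasons.append("supported-os")
    return points, reasons

def evaluate(signals: Signals, resource: Resource) -> Tuple[str, List[str]]:
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'."""
    # Ring 0: identity. No downstream signal can compensate for an unverified identity.
    if not signals.identity_verified:
        return "deny", ["identity-not-verified"]
    # Ring 1: the user's role claim must be one the resource permits.
    if resource.required_roles and signals.roles.isdisjoint(resource.required_roles):
        return "deny", ["role-not-permitted"]
    points, reasons = score(signals)
    if points >= resource.required_trust:
        return "allow", reasons
    # Step-up rather than deny when completing 2FA now would close the gap.
    if not signals.mfa_completed and points + WEIGHT_MFA >= resource.required_trust:
        return "step_up", reasons + ["mfa-would-satisfy"]
    return "deny", reasons + [f"trust {points} < required {resource.required_trust}"]

# Constructed sample data: Brenda from Accounts signing in from Somalia (SO).
BRENDA_SO = Signals(identity_verified=True, mfa_completed=False, device_managed=True,
                    os="Windows", roles=frozenset({"finance"}), country="SO")
CROWN_JEWELS = Resource("crown-jewels", required_trust=90, required_roles=frozenset({"finance"}))
TIMESHEETS = Resource("timesheets", required_trust=50, required_roles=frozenset())

# Policy validation: each scenario states the decision the policy owner expects.
SCENARIOS = [
    ("brenda-SO-crown-jewels", BRENDA_SO, CROWN_JEWELS, "deny"),
    ("brenda-SO-timesheets", BRENDA_SO, TIMESHEETS, "step_up"),
    ("brenda-GB-crown-jewels", replace(BRENDA_SO, country="GB"), CROWN_JEWELS, "step_up"),
    ("brenda-GB-mfa-crown-jewels",
     replace(BRENDA_SO, country="GB", mfa_completed=True), CROWN_JEWELS, "allow"),
    ("unmanaged-GB-mfa-crown-jewels",
     replace(BRENDA_SO, country="GB", mfa_completed=True, device_managed=False), CROWN_JEWELS, "deny"),
    ("wrong-role-crown-jewels", replace(BRENDA_SO, roles=frozenset({"marketing"})), CROWN_JEWELS, "deny"),
]

def run_scenarios() -> List[str]:
    """Return the labels of scenarios whose actual decision differs from the expected one."""
    failures = []
    for label, signals, resource, expected in SCENARIOS:
        decision, _ = evaluate(signals, resource)
        if decision != expected:
            failures.append(f"{label}: expected {expected}, got {decision}")
    return failures

if __name__ == "__main__":
    for label, signals, resource, _ in SCENARIOS:
        print(label, *evaluate(signals, resource))
    print("policy validation failures:", run_scenarios() or "none")
```

The reasons list is what makes this manageable at scale: every decision is explainable to the policy owner and auditable after the fact, and the scenario table doubles as a regression suite so that a change to a weight or threshold is checked against the cases the business cares about before it reaches production.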