Conditional Access

Microsoft Entra identity policy framework restricting access based on user, device, location and risk signals; cited as insufficient in Stryker and BRICKSTORM incidents.

Last refreshed: 17 April 2026

Key Question

Would Conditional Access have stopped Handala from wiping Stryker's devices?

Common Questions
What is Microsoft Conditional Access and how does it work?
Conditional Access is Microsoft Entra ID's policy engine that enforces access controls based on user, device, location and risk signals. It can require MFA, device compliance or session controls before granting access to Microsoft 365 apps and admin functions.
Source: Microsoft
Could better Conditional Access have stopped the Stryker hack?
Yes. If Stryker had Conditional Access policies requiring step-up authentication for mass-destructive MDM actions (such as a mass device wipe), the stolen admin credential alone would not have been sufficient for Handala to execute the attack.
Source: Lowdown analysis / Obsidian Security

Background

Conditional Access policies in Microsoft Entra ID were a central reference point in the post-Stryker analysis: Stryker's MDM admin account lacked sufficient Conditional Access, break-glass and session-binding controls to prevent Handala from using a stolen credential to wipe devices at scale. Separately, UNC5221's BRICKSTORM intrusions achieved persistent mail access via Microsoft Entra ID enterprise app permission scopes that a recurring Conditional Access and consent-grant review should have caught.

Conditional Access is Microsoft's policy engine for enforcing identity-based access controls in Entra ID. Policies can require specific device compliance states, multi-factor authentication, IP location restrictions, sign-in risk scores and session controls. For MDM administrator accounts, Conditional Access can enforce step-up authentication for high-risk actions, but in most enterprise deployments these controls are configured for routine admin sign-in rather than for mass-destructive operations such as device wipe.
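The gap described above (a privileged MDM admin role that no enforced policy covers) is easy to miss when a tenant has many policies in report-only mode or scoped to a single app. The following audit script is an added example, not code from the page or from Microsoft; it works on policy objects in the Microsoft Graph conditionalAccessPolicy JSON shape (as returned by the Graph API), uses the Global Administrator role template ID, and treats the MDM admin role ID, app ID and authentication-strength ID as constructed placeholders.

```python
# Role template ID for Global Administrator; the MDM admin role ID is a constructed placeholder.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
MDM_ADMIN_ROLE = "PLACEHOLDER-INTUNE-ADMIN-ROLE-TEMPLATE-ID"
PRIVILEGED_ROLES = [GLOBAL_ADMIN_ROLE, MDM_ADMIN_ROLE]

def requires_mfa(grant: dict) -> bool:
    """True only if every way of satisfying the grant involves MFA or an authentication strength."""
    if grant.get("authenticationStrength"):
        return True
    controls = set(grant.get("builtInControls", []))
    if "mfa" not in controls:
        return False
    # With operator OR, any single listed control satisfies the policy, so MFA must be the only one.
    return grant.get("operator") == "AND" or controls == {"mfa"}

def policy_covers_role(policy: dict, role_id: str) -> bool:
    """Enabled, targets the role (directly or via all users), spans all cloud apps, and enforces MFA."""
    if policy.get("state") != "enabled":
        return False  # report-only and disabled policies enforce nothing
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if role_id in users.get("excludeRoles", []):
        return False
    if "All" not in users.get("includeUsers", []) and role_id not in users.get("includeRoles", []):
        return False
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        return False  # an app-scoped policy can leave admin portals and MDM uncovered
    return requires_mfa(policy.get("grantControls") or {})

def uncovered_roles(policies: list, roles: list) -> list:
    """Privileged roles for which no policy enforces MFA across all cloud apps."""
    return [r for r in roles if not any(policy_covers_role(p, r) for p in policies)]

# Constructed sample tenant: three policies in the Graph JSON shape.
SAMPLE_POLICIES = [
    {"displayName": "MFA for all users - one app only", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["PLACEHOLDER-EXCHANGE-APP-ID"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Admins: MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": PRIVILEGED_ROLES},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Global Admins: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "authenticationStrength": {"id": "PLACEHOLDER-STRENGTH-ID"}}},
]
```

Running `uncovered_roles(SAMPLE_POLICIES, PRIVILEGED_ROLES)` on the sample reports only the MDM admin role: the all-users policy is scoped to one app and the admin policy is report-only, which is exactly the posture the post-Stryker analysis criticised.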

For identity and access management teams, the Stryker and BRICKSTORM incidents together define the Conditional Access configuration gaps attackers exploit. Both incidents are now reference cases for the ICO's and NCSC's GDPR-enforcement framing: inadequate Conditional Access posture for privileged accounts is a documented Article 32 GDPR breach risk under the Advanced Computer Software and Capita enforcement precedents.