Every Conditional Access decision comes down to three signals: who you are, what you are using, and how that session behaves. Most admins invest heavily in the identity layer and under-invest in device and session controls. This article breaks down each pillar: identity evaluation (MFA, authentication strength, sign-in risk, user risk, PIM), device evaluation (compliance, hybrid join, device filters, managed vs unmanaged), session evaluation (sign-in frequency, persistent browser, CAE, token protection, adaptive lifetime), how the three pillars combine in CA policy logic with the "most restrictive wins" rule, when to focus on which pillar by scenario, common policy patterns, and where this model breaks in real environments.
