A security pattern where access to a resource is granted only if the requesting device's posture signal meets a threshold. The signal — typically a Security Score from a Device Trust Platform — represents how well the device matches a security baseline.
Conditional Access started as identity-only: "this user signed in from this IP at this time with this MFA factor — can they access this resource?". That works until the right user is on a wrong device — disk unencrypted, firewall off, OS three versions behind. The right answer is "no" and the identity-only system cannot say no, because the signal it needs is not in its data model. Device posture is the missing half. A Device Trust Platform supplies it.
User opens a resource (SaaS app, internal service, tailnet host). The identity provider intercepts and applies a Conditional Access policy.
The policy checks identity, MFA, then queries the Device Trust Platform for the device's current Security Score. The score must clear the resource's threshold.
If score clears, grant. If not, deny with a remediation message ("update macOS, re-scan, try again"). The user fixes the issue, score recovers, access works.
Start permissive. Monitor the distribution of fleet scores for two weeks. Set thresholds where the distribution suggests a natural baseline. Communicate before enforcing.
Free for up to 10 devices. Security Score API for integration with Okta / Azure AD / Tailscale / JumpCloud.
Get started free →