4.2 Signals and Controls
Key Takeaways
- Signals are contextual inputs used when evaluating access.
- Controls are the outcomes or requirements applied to the access request.
- MFA can appear as a control when a policy requires stronger proof before access.
- Understanding signals and controls helps separate Conditional Access from basic authentication.
Signals are context
A signal is information used to evaluate an access request. In SC-900 wording, the exact signal may be less important than the idea that access is not decided in a vacuum. The request has context: an identity, a target resource, and conditions around the sign-in. Conditional Access uses that context to decide whether a control should apply. This is why the topic belongs with Zero Trust and identity rather than pure network security.
- Signals describe the request context.
- Signals help decide whether a policy applies.
- Signals do not themselves grant permanent access.
- Signals become useful when paired with controls.
Controls are requirements or actions
A control is what the policy does after conditions are evaluated. It might require stronger authentication, allow access only when requirements are met, or block access when the request should not proceed. The SC-900 skill is matching the business need to this decision pattern. If the organization wants access to depend on context, the scenario is more likely Conditional Access than simple password management.
| Element | Plain-language role |
|---|---|
| Signal | What is known about this request? |
| Condition | Does the policy match the request? |
| Control | What action or requirement follows? |
| Result | Access proceeds, changes, or is stopped |
MFA as a control in context
MFA can appear in two ways across these chapters. In the authentication chapter, MFA is an authentication capability that adds proof. In Conditional Access, requiring MFA can be the control applied when a policy condition is met. That does not change what MFA is; it changes how the exam scenario frames it. If the question says all users need stronger sign-in proof, think MFA. If it says access should depend on conditions, think Conditional Access.
- MFA alone: authentication improvement.
- MFA required by policy: Conditional Access control.
- Access review: governance process, not MFA.
- Privileged role activation: PIM, not MFA.
A short elimination method
Start by labeling each phrase in the question. Words about context are signals. Words about requirements are controls. Words about continued access need are governance. Words about temporary administrator privileges are PIM. This method keeps you from choosing a familiar product just because it appears in the same objective area. The exam rewards the most specific identity capability.
- Context wording: signal.
- Required action wording: control.
- Recertification wording: access review.
- Elevated role wording: Privileged Identity Management.
Exam anchor
Signals and controls are useful because they turn policy wording into a simple pair. The signal is what the policy knows about the request. The control is what the policy requires or enforces. If you can label those two pieces, most Conditional Access answer choices become easier to eliminate.
- What is known: signal.
- What must happen: control.
- What is being reviewed: governance.
- What is being elevated: privileged access.
In Conditional Access, what is a signal?
A policy requires users to complete MFA only when certain access conditions apply. Which concept is MFA serving in that policy?
Which pair best matches Conditional Access vocabulary?