In continuity to my previous article "Automatic hybrid Azure AD join for Windows 10 devices" this article explain what is conditional access policy from Azure AD and how it is applied. There are two types of conditional access can be used with NAM and Office 365. The first one is, create policy at NAM that if user is coming from internal IP address or client only release the token or SAML assertion to complete the federation.
The second type of conditional access is using Azure AD conditional Access. Azure portal provides configuration UI to create conditional access policy to be applied. This policy can only apply for modern authentication (ADAL) with Office 365. Conditional access policy can help with sign-in risk, Network login location, device state, user/group and client application accessed over web or cloud apps.
Prerequisites for Azure AD Conditional Access
Azure AD premium license for each user should be assigned to apply conditional access policies for those users. Azure AD Premium P1 license or greater on is required to use conditional access policy.
Device registered to Azure AD or Hybrid AD Join are eligible for conditional policy implementation. You should also understand that conditional access policy only works when modern authentication is used with Office 365 resources. Conditional access policy won’t apply to on-premises applications like local SharePoint or exchange.
Configuring Azure AD Conditional Access
Test Configured Conditional Access policy
Azure AD Conditional Access with Hybrid AD Join Device integrated with Access Manager