
Explanation:
provide control over how users can access cloud apps.
The correct answer is "provide control over how users can access cloud apps". Microsoft Learn defines Microsoft Entra Conditional Access as the Zero Trust policy engine that uses if-then logic to make access decisions. Microsoft states that Conditional Access policies determine who can access resources, what resources they can access, and under what conditions. These policies can require actions such as multifactor authentication, compliant devices, or other controls before allowing access to applications and services like Microsoft 365. That means Conditional Access is specifically used to control how users access cloud apps.
The other options are incorrect. Conditional Access policies are not configured by using the Microsoft Defender portal; they are managed in the Microsoft Entra admin center. They are also not applied only to on-premises resources, because Microsoft documents Conditional Access primarily for cloud identities, cloud apps, and cloud-connected resources. Finally, Conditional Access does not require a Microsoft Exchange mailbox. It can be applied broadly across many Microsoft and third-party cloud applications integrated with Microsoft Entra.