Azure Active Directory (AAD) Conditional Access is the axe, gatekeeper, bouncer, and first line of defense for access to your cloud information systems and network. The other products in Microsoft's Enterprise Mobility + Security (EM+S) license matter a great deal for your overall security and compliance strategy (especially for NIST 800-171), but Conditional Access stops threats at the front door: it evaluates every sign-in after the first factor succeeds and before a token is issued, so a sign-in that fails a policy never reaches the application. Conditional Access can be configured to align with NIST 800-171 control families 3.5 (Identification and Authentication) and 3.13 (System and Communications Protection). 3.13.6 calls for "deny all, permit by exception" as the default posture, and 3.13.15 calls for protecting "the authenticity of communications sessions". Conditional Access defines the exceptions, with one caveat: a tenant with no policies allows everything, so the "deny all" baseline has to be written as an explicit block policy that the permit-by-exception policies carve out of.
You can create separate CA policies for privileged and non-privileged accounts based upon several conditions: sign-in risk (calculated by Microsoft Identity Protection), user risk, device platform (Windows, iOS, Android, etc.), device state (managed and compliant, or unmanaged), and locations (where someone is signing in from). A policy applies when every condition it names matches the sign-in; if that policy's grant control is "block", access is flat-out denied. The other grant controls can instead require multi-factor authentication, a compliant device, or, when the user's risk level is elevated, an immediate password change. If several policies match the same sign-in, all of them apply, and a block beats any grant.
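Here is what those conditions and grant controls look like written down, as an added example that is not part of the original post: four policies created with the Microsoft Graph PowerShell SDK cmdlet New-MgIdentityConditionalAccessPolicy. The break-glass account object ID is a placeholder you must replace, the Global Administrator role template ID is the well-known directory value, and every policy is created in report-only mode so nothing is enforced until you have checked the results.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module is
# installed and the signed-in account holds Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object ID of a break-glass (emergency access) account. Every block
# policy excludes it so a bad policy cannot lock the tenant's admins out.
$breakGlass = @("00000000-0000-0000-0000-000000000000")

# Well-known directory role template ID for Global Administrator.
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"

# Report-only: evaluated and logged, never enforced, until you flip it to "enabled".
$reportOnly = "enabledForReportingButNotEnforced"

# 1. Deny all, permit by exception: block every user from every app unless the
#    sign-in comes from a trusted named location. Trusted locations are the exception.
$denyAll = @{
    displayName   = "Baseline - block outside trusted locations"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Privileged accounts on any platform: require MFA AND a compliant (managed) device.
$privileged = @{
    displayName   = "Privileged - MFA and compliant device"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeRoles = @($globalAdminRole); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("all") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# 3. High sign-in risk (Microsoft's calculation): flat-out deny.
$riskBlock = @{
    displayName   = "All users - block high sign-in risk"
    state         = $reportOnly
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
        clientAppTypes   = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 4. High user risk: force MFA and an immediate password change.
#    Graph requires passwordChange to be paired with mfa under the AND operator.
$riskReset = @{
    displayName   = "All users - password change on high user risk"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($denyAll, $privileged, $riskBlock, $riskReset)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Leave the policies in report-only mode for a few days, review the Conditional Access tab of the sign-in logs to see which sign-ins each policy would have blocked, and only then change the state to "enabled". Enable the baseline block policy last, after the permit-by-exception policies are in place and the break-glass exclusion has been confirmed.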
Here is a sampling of Conditional Access in action. Bring down the axe!