Testing Conditional Access Policies with What If


I was recently helping a colleague implement and test some new Conditional Access policies around geo-blocking, and we wanted to understand whether what we had set up was going to work. Traditionally this can be quite difficult depending on your scenarios; however, Microsoft have recently introduced What If, so that you can test how your Conditional Access policies will apply to a particular user.

Getting to What If is easy: go into the Entra admin center under Protection > Conditional Access > Policies and click the What If button at the top of the CA policy list. Once the What If blade opens, we can select our user and, if we need to, our cloud app. In this case we're testing access from a source country, Greece, and we also need a matching IP address, so we've filled those in; clicking the button then evaluates what happens.

In this case, we can see that the user is not a part of the required group so isn’t covered.

This is a powerful tool that allows you to explore your Conditional Access setup and see whether policies will or will not apply to your users or workloads, without impacting BAU operations.
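The "user is not in the required group" result above can also be checked offline against an exported policy. The following is an added example, not from the original post or from Microsoft: `Test-CaUserScope` is a hypothetical helper, the policy JSON and all GUIDs are constructed, and it assumes only user and group assignments matter (role and guest assignments are ignored).

```powershell
# Added example. Test-CaUserScope is a hypothetical helper, not a Microsoft cmdlet.
# It checks only the user/group assignment of a policy (exclusions win over inclusions);
# roles, guests, apps, locations and other conditions are NOT evaluated here.
function Test-CaUserScope {
    param(
        [Parameter(Mandatory)] $Policy,         # shaped like a Graph conditionalAccessPolicy
        [Parameter(Mandatory)] [string] $UserId,
        [string[]] $UserGroupIds = @()          # the user's transitive group memberships
    )
    $u = $Policy.conditions.users
    $exGroups = @($u.excludeGroups | Where-Object { $_ -in $UserGroupIds })
    $inGroups = @($u.includeGroups | Where-Object { $_ -in $UserGroupIds })

    if     ($UserId -in $u.excludeUsers) { $scope = $false; $why = 'user is explicitly excluded' }
    elseif ($exGroups.Count -gt 0)       { $scope = $false; $why = "member of excluded group $($exGroups[0])" }
    elseif ('All' -in $u.includeUsers)   { $scope = $true;  $why = 'policy includes all users' }
    elseif ($UserId -in $u.includeUsers) { $scope = $true;  $why = 'user is explicitly included' }
    elseif ($inGroups.Count -gt 0)       { $scope = $true;  $why = "member of included group $($inGroups[0])" }
    else                                 { $scope = $false; $why = 'user is not in any included user or group' }

    [pscustomobject]@{ Policy = $Policy.displayName; InScope = $scope; Reason = $why }
}

# Constructed sample: a geo-blocking policy assigned to one group (placeholder GUIDs).
$policy = @'
{
  "displayName": "Geo block (constructed sample)",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeUsers": [],
      "excludeUsers": [],
      "includeGroups": ["11111111-1111-1111-1111-111111111111"],
      "excludeGroups": []
    }
  }
}
'@ | ConvertFrom-Json

# Constructed test user who belongs to a different group than the one the policy targets.
Test-CaUserScope -Policy $policy `
    -UserId '22222222-2222-2222-2222-222222222222' `
    -UserGroupIds '33333333-3333-3333-3333-333333333333'

# Against a real tenant, objects from the Microsoft Graph PowerShell SDK can be passed in
# instead (property access is case-insensitive):
#   Get-MgIdentityConditionalAccessPolicy -All
#   (Get-MgUserTransitiveMemberOf -UserId <user id> -All).Id
```

A policy that reports `InScope = False` here will not apply to that user regardless of the country or IP entered in What If, which is the situation the evaluation above surfaced.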

