A Windows System Admin's Blog

Covering Server Administration, Endpoint Management, Scripting and Network Management

Testing Conditional Access Policies with What If

I was recently helping out a colleague in implementing and testing some new conditional access policies around Geo Blocking and we wanted to understand if what we had setup was going to work. Traditionally this can be quite difficult depending on your scenarios, however Microsoft have recently introduced What If, so that you can test how your Conditional Access Policies will apply to a particular user.

Getting to What If is easy, go into the Entra admin Center under Protection > Conditional Access > Policies and then clicking on the What If button at the top of the CA policy list. Once the What If blade opens, we can select our User, and if we need our Cloud App. In this case, we’re testing access from a source country, Greece – we also need an IP matching so we’ve filled those in, then clicking the button will evaluate what happens.

In this case, we can see that the user is not a part of the required group so isn’t covered.

This is a powerful tool that allows you to explore your conditional access setup, and whether policies will or will not apply to your users or workloads without impacting BAU operatios.

Leave a Reply

More Posts

How to protect all existing Organizational Units (OUs) in your Active Directory domain from Accidental Deletion by using PowerShell

We recently took on a new hire, although I was confident in their ability in managing Active Directory I wanted to take an extra step in protecting Organizational units from deletion.  I was sure that I could do this quickly using PowerShell instead of right-clicking each of our 80 odd OUs and going into their […]

Set a Default Tab for FortiClient EMS

It’s been a while, but I am working on deploying an updated version of FortiClient for and company which is managed via EMS and InTune. One thing that bugs me (and many) is by default, the client UI will load into the Zero Trust Telemetry tab and the option to change the Default tab will […]

Adjust resource mailbox calendar permissions on Exchange 2010/2013 using PowerShell

Quick one today.  By default, when creating a room resource mailbox, Exchange will grant default permissions of AvailabilityOnly for any user (default), if you are after people knowing who has booked a room or resource then you can adjust the permissions to Reviewer. The quickest way to do this is via PowerShell, you can use […]