Testing Conditional Access Policies with What If


I was recently helping out a colleague with implementing and testing some new conditional access policies around Geo Blocking, and we wanted to understand if what we had set up was going to work. Traditionally this can be quite difficult depending on your scenarios. However, Microsoft have recently introduced What If, so that you can test how your Conditional Access Policies will apply to a particular user.

Getting to What If is easy: go into the Entra admin center under Protection > Conditional Access > Policies, then click the What If button at the top of the CA policy list. Once the What If blade opens, we can select our User and, if needed, our Cloud App. In this case, we’re testing access from a source country, Greece. We also need a matching IP address, so we’ve filled both in. Clicking the button then evaluates what happens.

In this case, we can see that the user is not a part of the required group, so isn’t covered by the policy.

This is a powerful tool that allows you to explore your conditional access setup and check whether policies will or will not apply to your users or workloads, without impacting BAU operations.
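To make the result above easier to reason about, here is an added example (not part of the original post, and not Entra's evaluation engine) that models in simplified form how a geo-blocking policy's assignments and location condition decide whether it applies to a sign-in. The policy name, group names, user, app name, reason labels and IP addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    include_groups: set                                   # "All" or group names
    exclude_groups: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {"All"})
    countries: set = field(default_factory=set)           # location condition (ISO codes)
    grant: str = "Block access"

@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    country: str
    ip: str   # recorded only; this simplified model does not geolocate it

def what_if(policy, s):
    """Return (applies, grant control or reason the policy does not apply)."""
    # Exclusions win over inclusions.
    if s.groups & policy.exclude_groups:
        return False, "Users and groups (excluded)"
    if "All" not in policy.include_groups and not (s.groups & policy.include_groups):
        return False, "Users and groups"
    if "All" not in policy.include_apps and s.app not in policy.include_apps:
        return False, "Cloud apps"
    if s.country not in policy.countries:
        return False, "Location"
    return True, policy.grant

# Constructed sample data: a geo block scoped to one group, tested from Greece.
GEO_BLOCK = Policy("Geo block", include_groups={"GeoBlock-Users"}, countries={"GR"})
alice = SignIn("alice@example.com", {"Staff"}, "Office 365", "GR", "203.0.113.10")

def demo():
    before = what_if(GEO_BLOCK, alice)   # user is not in the required group
    in_group = SignIn(alice.user, alice.groups | {"GeoBlock-Users"},
                      alice.app, alice.country, alice.ip)
    after = what_if(GEO_BLOCK, in_group)  # same sign-in once the group is added
    elsewhere = SignIn(alice.user, in_group.groups, alice.app, "NZ", "198.51.100.7")
    return before, after, what_if(GEO_BLOCK, elsewhere)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first result mirrors the outcome in the post: the geo block never reaches the location check because the user falls outside the policy's group assignment.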

