I was recently helping out a colleague in implementing and testing some new conditional access policies around Geo Blocking and we wanted to understand if what we had setup was going to work. Traditionally this can be quite difficult depending on your scenarios, however Microsoft have recently introduced What If, so that you can test how your Conditional Access Policies will apply to a particular user.
Getting to What If is easy, go into the Entra admin Center under Protection > Conditional Access > Policies and then clicking on the What If button at the top of the CA policy list. Once the What If blade opens, we can select our User, and if we need our Cloud App. In this case, we’re testing access from a source country, Greece – we also need an IP matching so we’ve filled those in, then clicking the button will evaluate what happens.

In this case, we can see that the user is not a part of the required group so isn’t covered.
This is a powerful tool that allows you to explore your conditional access setup, and whether policies will or will not apply to your users or workloads without impacting BAU operatios.
Leave a Reply