How to test Conditional Access policies? -> "What If" 🤔tool

Introduction

In a previous post we explored how to create a Conditional Access Policy and set it to Report Only, so we can observe its potential effects before turning it on. Naturally, we would then use 2 tools provided by Microsoft to assess the impact. One of them is the "What If" tool, which can be used to synthetically simulate a connection and the effects of your CA policies on that connection.

How to use it?

Well, if you navigate to Azure -> Security -> Conditional Access -> Policies, you will see the What If button up top.

Once in it, you can simulate a specific user connecting to a specific cloud app (or all cloud apps in my case).

If you have CA Policies that act differently based on the Country or IP address of a connecting session, you can input those as well.
Note! The IP address and Country settings can only be used together, not separately.

You can also input settings related to the device from which such a user might connect, the device state, or a certain attribute if you use those in your CA policies.

Then you click the magic button down below, "What If", which will reveal the list of CA Policies that will apply to such a session and also the list of CA Policies that will not apply to this session.

In my specific test, there isn't much to see, only the CA policy created previously, but when things start getting crowded in a proper production environment, and you have upwards of 10-15-20 CA Policies, it can be very useful to check whether a new policy affects certain critical sessions or not.
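To make the "will apply / will not apply" split concrete, here is an added example (not part of the original post and not Microsoft's evaluation logic): a simplified offline model that checks a simulated session against policies written in the Microsoft Graph `conditionalAccessPolicy` JSON shape. All policy names and IDs are constructed, the caller is assumed to have already resolved the IP/country to named location IDs, and device conditions are left out.

```python
# Simplified offline model of the What If "apply / not apply" split (added example).
# POLICIES follows the Graph conditionalAccessPolicy JSON shape; every ID is constructed.
POLICIES = [
    {"displayName": "CA01 Require MFA (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["user-breakglass"]},
                    "applications": {"includeApplications": ["All"]}}},
    {"displayName": "CA02 Block untrusted locations for admins",
     "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-admins"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["loc-office"]}}},
    {"displayName": "CA03 Compliant device for HR app",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["app-hr"]}}},
]

def in_scope(include, exclude, values):
    """Exclusions win; otherwise 'All' or any explicitly included value matches."""
    if set(exclude) & values:
        return False
    return "All" in include or bool(set(include) & values)

def what_if(policies, user_id, group_ids, app_id, location_ids):
    """Return (applies, not_applies); not_applies names the first failing condition."""
    applies, not_applies = [], []
    principals = {user_id} | set(group_ids)
    for p in policies:
        c = p["conditions"]
        u, a, loc = c.get("users", {}), c.get("applications", {}), c.get("locations")
        inc_u = u.get("includeUsers", []) + u.get("includeGroups", [])
        exc_u = u.get("excludeUsers", []) + u.get("excludeGroups", [])
        if not in_scope(inc_u, exc_u, principals):
            reason = "Users and groups"
        elif not in_scope(a.get("includeApplications", []),
                          a.get("excludeApplications", []), {app_id}):
            reason = "Cloud apps"
        elif loc and not in_scope(loc.get("includeLocations", []),
                                  loc.get("excludeLocations", []), set(location_ids)):
            reason = "Locations"   # an unconfigured location condition never excludes
        else:
            applies.append((p["displayName"], p["state"]))
            continue
        not_applies.append((p["displayName"], reason))
    return applies, not_applies
```

Running the same set of critical sessions (for example a break-glass account or an admin signing in from the office) before and after adding a policy shows which of them the new policy starts to touch.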

Conclusion

The What If tool is a useful step in deploying CA Policies, right after creating them and leaving them in Report-Only mode for at least 24h. It can help you test your work without impacting production. The best part is that it's free.99, so better get used to using it. Stay tuned, as we'll be covering yet another magnificent tool later down the road that can help you identify issues with CA Policies, the Insights and reporting tool, but this one requires a Log Analytics workspace. If you've missed the previous post about creating Conditional Access Policies, you can check it here.