What If Tool in Entra ID Conditional Access

We all know that Conditional Access in Entra ID is powerful, but that power has two sides. On the one hand, it is incredibly strong and gives you controls such as:

  • Decide who can access Microsoft 365 and any services 

  • Restrict or allow specific users 

  • Set access based on device, app, or location 

and a lot more. ✅ But on the other hand, overusing this power can backfire! Too many restrictions can leave users locked out or constantly interrupted. That gets frustrating fast and hurts productivity.

So, while Conditional Access gives you ultimate control, it’s important to find a balance. Before pushing policies into production, every Microsoft 365 admin should test Conditional Access settings carefully to avoid overkill. Use the power wisely and keep things smooth for users!

How to Test Conditional Access Policies Before Production Deployment? 

Testing Conditional Access policies before going live is not just a good idea - it is a must! 💯 These policies pack a punch and can easily lock out legitimate users if they are not tested properly. Let us dive into some solid ways to do this:

  1. Configure policies in report-only mode: When you turn on this mode, the policy silently observes user behavior without enforcing any restrictions. It is a great way to see who would be allowed and who would be blocked, without any real-world impact.
  2. Test with a Pilot Group: Start small! Test your policy on a small group of users to see how it works in practice. This lets you identify issues and adjust before rolling the policy out to everyone.
  3. Manual Testing: This is the toughest method of all! Yes, you need to step into the user's shoes and test the policy yourself. Log in from different devices, networks, and locations to see if your restrictions work as expected. This hands-on approach shows you how your conditions behave in real-world scenarios.
  4. What If Tool: Finally, the super-powered one, the savior of all testing methods: the What If tool in Microsoft Entra ID. It's a powerful tool provided by Microsoft that lets you simulate different scenarios and see how your policies would affect users.
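To make the report-only step concrete, here is an added Python example (not code from the original post or from Microsoft) that summarises report-only outcomes from sign-in records. The records are constructed and shaped like the `appliedConditionalAccessPolicies` collection of a Microsoft Graph sign-in log entry; in practice you would export those entries from the Entra sign-in logs. A `reportOnlyFailure` result means the policy's conditions matched but the user did not satisfy its controls, so that sign-in would have been blocked had the policy been enforced.

```python
"""Summarise report-only Conditional Access outcomes from sign-in records.

Added example. SAMPLE_SIGNINS is constructed, not real log data; the field
names follow the Microsoft Graph signIn resource."""
from collections import defaultdict

# Result values Entra records for policies in report-only mode.
# reportOnlyFailure = the user would have been blocked had the policy been "On".
REPORT_ONLY_RESULTS = {"reportOnlySuccess", "reportOnlyFailure",
                       "reportOnlyNotApplied", "reportOnlyInterrupted"}

SAMPLE_SIGNINS = [  # constructed sample records
    {"userPrincipalName": "alex@example.com", "ipAddress": "203.0.113.10",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block sign-in outside office city",
          "result": "reportOnlyNotApplied"},
         {"displayName": "Require MFA for all users",
          "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "sam@example.com", "ipAddress": "198.51.100.7",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block sign-in outside office city",
          "result": "reportOnlyFailure"},
         {"displayName": "Require MFA for all users",
          "result": "reportOnlyInterrupted"}]},
    {"userPrincipalName": "alex@example.com", "ipAddress": "198.51.100.9",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block sign-in outside office city",
          "result": "reportOnlyFailure"}]},
]


def summarize_report_only(signins):
    """Return {policy name: {result: count}} for report-only outcomes only."""
    summary = defaultdict(lambda: defaultdict(int))
    for entry in signins:
        for applied in entry.get("appliedConditionalAccessPolicies", []):
            if applied["result"] in REPORT_ONLY_RESULTS:
                summary[applied["displayName"]][applied["result"]] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def users_who_would_be_blocked(signins, policy_name):
    """Distinct users (with their source IPs) a report-only policy would have blocked.

    This is the list to review before flipping the policy to "On"."""
    hits = defaultdict(set)
    for entry in signins:
        for applied in entry.get("appliedConditionalAccessPolicies", []):
            if (applied["displayName"] == policy_name
                    and applied["result"] == "reportOnlyFailure"):
                hits[entry["userPrincipalName"]].add(entry["ipAddress"])
    return {user: sorted(ips) for user, ips in sorted(hits.items())}


if __name__ == "__main__":
    for name, counts in summarize_report_only(SAMPLE_SIGNINS).items():
        print(name, counts)
    print("Would be blocked:",
          users_who_would_be_blocked(SAMPLE_SIGNINS,
                                     "Block sign-in outside office city"))
```

Run it against a week of exported sign-ins and the second function gives you the exact users and locations to check with before enforcing the policy.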

That's what we'll explore in this blog! Now, let us learn more about the What If tool and the what, how, and when questions that surround it. 

What is the What If Tool in Conditional Access Policies? 

The What If tool in Microsoft Entra ID is a built-in feature that comes with Conditional Access licensing. It allows you to test your Conditional Access policies without requiring actual sign-ins. 

👉It's like a virtual sandbox where you can experiment with different scenarios to see how your policies will affect users. 

How Does It Work? 

  1. Preview the expected: You can preview which Conditional Access policies will apply to a specific user, what conditions they’ll need to meet, and why certain policies won’t apply, all in one detailed view.
  2. Simulate Sign-ins: Simply input a username, set up a test scenario, and see how your policies would respond to that sign-in.
  3. Evaluate Policies: The tool evaluates how your policies would handle the simulated sign-in and generates a report. It even evaluates policies in both “On” and “Report-only” states!

Why Use It? 

By using the What If tool, you can: 

  • See if your policies are working as intended. 
  • Spot any problems before they impact real users. 
  • Diagnose why users might be experiencing access issues. 
  • Fine-tune your policies to ensure a smooth user experience. 

How to Use the Conditional Access What If Tool? 

Now that we’ve seen what the What If tool is and its benefits, let’s dive into how to use it. 

  1. Open the Microsoft Entra admin center.
  2. Go to the ‘Protection’ dropdown and select Conditional Access. 
  3. In the Conditional Access area, go to the ‘Policies’ section. 
  4. At the top bar, you’ll see the ‘What If’ button with a user icon - click it. 

  5. Use the tool:
     A) On the What If page, enter the username you want to test.
     B) You can also add more specific conditions like location, device, or app to simulate different scenarios.
     C) Note: While specific guest user testing isn’t available, you can test policies based on different external user types.
     D) Click the What If button to start the simulation.

And that’s it! The What If tool will provide insights into how your Conditional Access policies would impact the selected user under various conditions. The report answers questions like:

  • Which policies would apply to the user? 

  • What conditions would the user need to meet to gain access? 

  • Why would certain policies deny access? 

Let's look at the report in more detail. 

What If Tool Evaluation Result Analysis: 

Once the tool has run, scroll down below the “What If” button to view the evaluation results. The results are divided into two sections: Policies that will apply and Policies that will not apply. Here’s what each section means and how to interpret the details:

Policies That Will Apply:  

This section lists the Conditional Access policies that would be applied to the user or scenario you tested. Here’s what each column represents:  

  1. Policy Name: The name of the policy. 
  2. Grant Controls: Shows the type of access control, restrictions, or requirements applied by the policy. This could include actions like "Block access" or "Require MFA".
  3. Session Controls: This section highlights any specific requirements for user sessions, such as using app-enforced restrictions or limiting sign-in frequency. It also shows any additional controls on session duration or app usage. 
  4. State: Indicates whether the policy is active or in report-only mode. 
  5. Has Filter: Shows if the policy has specific filters or exclusions, like applying only to certain user groups or devices. "Yes" means there are filters configured, and "No" indicates the policy applies broadly without any specific exclusions.  

Policies That Will Not Apply 

This section lists policies that are configured but won’t impact the selected user or scenario. The columns explain why:

  1. Policy Name: Lists the names of policies that won’t apply in this scenario. 
  2. Reasons Why This Policy Will Not Apply: The specific reason the policy isn't triggered for this scenario.
  3. State: Displays the policy’s status. “Off” indicates a disabled policy, while “On” or “Report-only” shows active policies that aren’t triggered due to other factors. 

Together, these insights help you identify any gaps or misconfigurations and clarify why specific policies may not apply to a user or device. 

Now that we understand how the What If tool works, let’s look at a real-world testing scenario to make it even clearer. 

Real-World Scenario: Restrict Access from Foreign Locations 

Let’s say you’ve set up a Conditional Access policy in Microsoft 365 with the following rule: 

  • Allow access only from your office location or nearby (within your city). 

  • Block access if the login occurs outside your city (an untrusted location). 

But how do you test whether this policy works? 🤔 Since traveling to another city isn’t practical, this is where the What If tool can help you!

With the What If tool, you can simulate this scenario to see if your Conditional Access policy will enforce the restrictions as intended: 

  1. In the Entra admin center, open the What If tool.
  2. Input the conditions:
     • User or Workload Identity: Since the policy applies to all users, you can choose any user for this test.
     • IP Address: Enter an IP address from outside your city to simulate an untrusted location.
     • Country: Select the country that matches the IP address you entered; otherwise, the simulation will not run.
  3. Click What If, and within minutes, you’ll get the evaluation results.

Interpreting the Results 

Once the evaluation results are out, you’ll want to check if the policy is working as intended. To verify this, look in the "Policies that will apply" section. If your restriction policy appears here, it means the policy will correctly block access for any login attempts from outside the specified location. 

This test lets you confidently enforce location-based restrictions without needing to physically travel, keeping everything efficient and secure! 
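Here is an added Python example (not code from the original post and not Microsoft's evaluation engine) that models the two result sections described above, "Policies that will apply" and "Policies that will not apply" with a reason and state, and runs the location scenario from this section through it. The tenant, named location IP range, policies and users are all constructed; the reason strings are this model's own wording, not the portal's. It goes slightly beyond the post by also modelling a group exclusion and a disabled policy, so all three "will not apply" cases show up in one run.

```python
"""Simplified What If evaluator (added example, not Microsoft's engine).

Models the two result sections: policies that will apply (grant control and
state) and policies that will not apply (reason and state). All data below is
constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NamedLocation:
    """An Entra named location: IP ranges and/or countries (constructed)."""
    name: str
    cidrs: list = field(default_factory=list)
    countries: set = field(default_factory=set)

    def matches(self, ip: str, country: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return country in self.countries or any(
            addr in ipaddress.ip_network(c) for c in self.cidrs)


@dataclass
class Policy:
    name: str
    state: str                                   # "On", "Report-only" or "Off"
    grant: str = "Require MFA"                   # the Grant Controls column
    include_users: set = field(default_factory=lambda: {"All"})
    exclude_groups: set = field(default_factory=set)
    include_locations: set = field(default_factory=set)  # {"All"} or names; empty = any
    exclude_locations: set = field(default_factory=set)


@dataclass
class Scenario:
    """The inputs the What If page asks for: user, groups, IP address, country."""
    user: str
    groups: set
    ip: str
    country: str


def why_not(p: Policy, s: Scenario, locs: dict) -> Optional[str]:
    """Return the reason a policy does not apply, or None if it applies."""
    if p.state == "Off":
        return "Policy state is Off"
    if "All" not in p.include_users and s.user not in p.include_users:
        return "User not in policy's include scope"
    if p.exclude_groups & s.groups:
        return "User excluded via group membership"
    if p.include_locations:
        included = "All" in p.include_locations or any(
            locs[n].matches(s.ip, s.country) for n in p.include_locations)
        if not included:
            return "Location not in policy's include scope"
        if any(locs[n].matches(s.ip, s.country) for n in p.exclude_locations):
            return "Location excluded (trusted named location)"
    return None


def evaluate(policies, scenario, locs):
    """Split policies into the 'will apply' and 'will not apply' sections."""
    will_apply, will_not_apply = [], []
    for p in policies:
        reason = why_not(p, scenario, locs)
        if reason is None:
            will_apply.append({"policy": p.name, "grant": p.grant, "state": p.state})
        else:
            will_not_apply.append({"policy": p.name, "reason": reason, "state": p.state})
    return will_apply, will_not_apply


def demo_tenant():
    """Constructed tenant: one office named location and four policies."""
    locs = {"Office-City": NamedLocation("Office-City", cidrs=["203.0.113.0/24"])}
    policies = [
        Policy("Block sign-in outside the office city", "On", grant="Block access",
               include_locations={"All"}, exclude_locations={"Office-City"}),
        Policy("Require MFA for all users", "Report-only"),
        Policy("Require compliant device", "On", grant="Require compliant device",
               exclude_groups={"CA-BreakGlass"}),
        Policy("Legacy pilot policy", "Off"),
    ]
    return policies, locs


def what_if(ip, country, user="alex@example.com", groups=("All Staff",)):
    """Run the simulation for one sign-in scenario against the demo tenant."""
    policies, locs = demo_tenant()
    return evaluate(policies, Scenario(user, set(groups), ip, country), locs)


if __name__ == "__main__":
    for ip, country in (("198.51.100.7", "XX"), ("203.0.113.25", "US")):
        applies, skipped = what_if(ip, country)
        print(f"\nSign-in from {ip} ({country})")
        print("  Policies that will apply:", [a["policy"] for a in applies])
        for r in skipped:
            print(f"  Will not apply: {r['policy']} -> {r['reason']} [{r['state']}]")
```

The first run (an IP outside the office range) lists the block policy under "will apply", which is the result the section above tells you to look for; the second run (an office IP) moves it to "will not apply" with the exclusion as the reason, while the disabled policy is reported as Off in both runs.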

Parting Words! 

We learned how to test CA policies while maintaining both security and user productivity. ✅ 

So, before flipping the switch on a new policy, take the time to explore, test, and understand its full impact with the What If tool. It’s the smart, proactive way to get the most out of your Conditional Access setup. 💯 Now, ending the blog with a quote of mine:

Prevention is Better Than Lockout; Test Before You Trust!
