DEV Community

Cover image for Microsoft-Entra-Management-Tasks: Perform basic Conditional Access policy tasks
okunola babatunde
okunola babatunde

Posted on

Microsoft-Entra-Management-Tasks: Perform basic Conditional Access policy tasks

Introduction

Modern organizations rely on secure access to cloud applications, but not every sign‑in should be treated equally. Microsoft Entra Conditional Access provides administrators with intelligent controls to decide who can access what, when, and under which conditions.
In this exercise, you’ll learn how to create and configure a simple Conditional Access policy that blocks a specific user from accessing a chosen app — in this case, Sway — and then test the policy using the What If analysis tool. This hands‑on lab demonstrates how Conditional Access strengthens identity protection and enforces compliance without disrupting productivity.

Exercise - Perform basic Conditional Access policy tasks

In this exercise you will learn to create and configure a Conditional Access policy and test its results with the What If analysis tool.

Task 1 - Review a Conditional Access policy

  1. Open the Microsoft Entra admin center at https://entra.microsoft.com. sture
  2. Log in using the credentials for your tenant. sture
  3. From the menu on the left, select Protection submenu and then select Conditional access. great
  4. Review the information provided on the Conditional Access Overview page. Note - You can see how many policies you have enabled, and how many users who have logged in recently that are not covered by a policy; along with other details. stelth
  5. Select the + Create new policy from the top menu. new policy
  6. In the Name box enter Block Bhogeswar from using Sway. bogos
  7. In the Assignments section select 0 users and groups selected text. group
  8. In the Include section mark the Select users and groups item. group
  9. Put a mark in the Users and groups box. ree
  10. When the list of users and groups opens, select Bhogeswar Kalita from the list. kalita
  11. Use the Select button to add the user. dear
  12. Select the word Exclude to switch tabs. liure
  13. Put a mark in the Users and groups box. reew
  14. When the list of users ang groups opens, select the admin user you are using from the list.
  15. Use the Select button to exclude this user. reach *Lab tip *- We have added a user for this policy and we have added an exclude for our admin, to make sure they are not accidentally locked out by a policy change.
  16. Find the section Target resources section. rrrr
  17. Select the No target resources selected text from this section. wwwws
  18. Make sure Resources (formerly cloud apps) is chosen in the dropdown. sewrd
  19. In the section titled Select chose the word None. none
  20. When the resource selection dialog opens, enter Sway into the search bar. sway
  21. Put a check in the box next to Sway then use the Select button to approve the choice. sway
  22. Open and review the Network section, but we are not going to use that for this lab. network
  23. Open and review the Conditions section, but we are not using it for this lab. dadds Lab tip - Network and Conditions are powerful options in the Conditional Access policy, but they are not required for this simple policy to block access to an app. You would use them if you wanted to do things like restrict access for user working from a specific location, or block access if a user has show risky behavior. There are many granular options that you can choose from, or even combine together.
  24. Find the section titled Access controls. dree
  25. Under the word Grant select the text 0 controls selected. imade
  26. When the Grant dialog opens, select the Block access item. Use the Select button to accept the change. rewe
  27. Use the Select button to accept the change. drea

Lab tip - You have not set the values needed to create a simple block access policy to the Sway app for Bhogeswar. In the Access controls section, we could have allowed access with specific conditions like MFA or a domain joined device.

  1. At the bottom of the Conditional Access interface, find the Enable policy item. dear
  2. Set the value to On. likuh
  3. Select the Create button. select *Lab tip *- You have three options to pick from, and you can change value at any time, without having to change the policy.

On = enables the policy to run
Off = turn the policy off in case you need to modify it.
Report-only = use this option to review the outcome of the policy before you fully turn it on.
Note: blocked policy is on and there by the access is granted
hytfd

Task 2 - Perform a What If analysis for a conditional access policy

  1. Open the Microsoft Entra admin center at https://entra.microsoft.com. sture
  2. Log in using the credentials for your tenant. sture
  3. From the menu on the left, select Protection submenu and then select Conditional access. conditional
  4. From the Conditional access screen select the** What if** option from the top menu. what if
  5. In the section User or Workload identity select the text No user or service principal selected. no user
  6. Make sure the circle next to User is marked.
  7. Select the text No user selected. Note: steps 5,6 and 7, the user in has been preselected and hence option to seclect "No user selected" is not found in my microsoft entra identity dashboard.
  8. From the Users list, put a mark next to Bhogeswar Kalita, then use the Select button. grest
  9. In the Cloud apps, actions, or authentication context, select the text Any cloud app. cloud app
  10. When the Select target type dialog opens, confirm that Cloud apps is chosen in the dropdown. great
  11. + Select Cloud App sway
  12. Use the search to find the Sway app, then use the Select botton to finalize. sweet
  13. Scroll down to the bottom of the What If tool. great
  14. Select the button What If. htrgad *Note *- the results appear off the bottom of the screen, so you will need to scroll down again. 15.You should see the Block Bhogeswar from using Sway policy listed, and it is blocking access. swap

Subtask 1 - Try a different app in the What If analysis

  1. Scroll back to the top of the What If tool.
  2. In the Cloud apps, actions, or authentication context, select the text 1 app selected.

  3. Select the elipsis ... next to Sway and choose Remove.

  4. Select the text None to pick a new app.

  5. Search for Office 365 and choose it from the list, then use the
    swear

  6. Select button.
    read

  7. Scroll down to the bottom again.
    gtr

  8. Select the What If button.
    what if button
    Note: Steps 3 and 4 are not in my account platform, hence I skipped to step 5 and others to continue with the rest of the assignment.

Summary

During this exercise, you:

  • Opened the Microsoft Entra admin center and navigated to Protection → Conditional Access.

  • Created a new policy named “Block Bhogeswar from using Sway.”

  • Assigned the policy to a specific user (Bhogeswar Kalita) while excluding the admin account to prevent lockout.

  • Selected Sway as the target resource (cloud app) for the policy.

  • Configured Access controls → Grant → Block access to deny sign‑in attempts.

  • Enabled the policy and reviewed the three operational modes: On, Off, and Report‑only.

  • Used the What If analysis tool to simulate sign‑in scenarios and confirm that the policy correctly blocked access to Sway but not to other apps like Office 365.

This workflow, illustrates how Conditional Access evaluates signals such as user identity, app, and context to enforce real‑time access decisions.

Conclusion

Conditional Access is the cornerstone of Zero Trust security in Microsoft Entra ID. By defining precise conditions and controls, administrators can ensure that only trusted users and devices access corporate resources.
The What If tool provides a safe environment to test policies before deployment, helping prevent accidental lockouts and ensuring that access rules behave as intended.
Through this exercise, you’ve seen how a simple policy can effectively block unauthorized access while maintaining flexibility for legitimate users.

Takeaway Points

  • Conditional Access policies allow fine‑grained control over user access to cloud apps.

  • Always exclude admin accounts from restrictive policies to avoid lockouts.

  • Use Report‑only mode or the What If tool to test policies before enabling them.

  • Combine Access controls with Conditions (location, device, risk) for advanced protection.

  • Conditional Access is a key component of a Zero Trust architecture, balancing security and usability.

Top comments (0)