Introduction
As organizations embrace cloud-first environments, protecting user identities requires more than just strong passwords. Conditional Access in Microsoft Entra ID enables administrators to make intelligent access decisions based on user identity, device compliance, location, application, and risk, ensuring that only trusted users can access organizational resources under the right conditions.
In this hands-on guide, I'll walk through creating and configuring a Conditional Access policy, targeting specific users and cloud applications, enforcing access controls, and using the What If tool to validate policy behavior before deployment. These practical exercises demonstrate how Conditional Access helps organizations implement Zero Trust principles while minimizing the risk of misconfigured security policies.
Exercise - Perform basic Conditional Access policy tasks
In this exercise you will learn to create and configure a Conditional Access policy and test its results with the What If analysis tool.
This exercise should take approximately 10 minutes to complete.
Task 1 - Review a Conditional Access policy
1.Open the Microsoft Entra admin center at https://entra.microsoft.com.
2.Log in using the credentials for your tenant.
3.From the menu on the left, select Conditional access submenu.
4.Review the information provided on the Conditional Access Overview page.
Note - You can see how many policies you have enabled, and how many users who have logged in recently that are not covered by a policy, along with other details(if you created any).
5.Select the + Create new policy from the top menu.
6.In the Name box enter Block Bhogeswar from using Sway.
7.In the Assignments section select 0 users and agents selected text.
- In the Include section mark the Select users and groups item.
- Put a mark in the Users and groups box.
- When the list of users and groups opens, select Bhogeswar Kalita from the list.
- Use the Select button to add the user.
- Select the word Exclude to switch tabs.
- Put a mark in the Users and groups box.
- When the list of users and groups opens, select the admin user you are using from the list.
- Use the Select button to exclude this user.
Lab tip - We have added a user for this policy and we have added an exclude for our admin, to make sure they are not accidentally locked out by a policy change.
8.Find the section Target resources section.
9.Select the No target resources selected text from this section.
- Make sure Resources (formerly cloud apps) is chosen in the dropdown.
- Put a mark in the Select resources item.
- In the section titled Select choose the word None.
- When the resource selection dialog opens, enter Sway into the search bar.
- Put a check in the box next to Sway then use the Select button to approve the choice.
Lab tip - We have chosen the app Sway to be the resource this policy works on. You could choose multiple apps, or you could even choose to exclude apps.
Notice the name and target resource.
10.Open and review the Network section, but we are not going to use that for this lab.
11.Open and review the Conditions section, but we are not using it for this lab.
Lab tip - Network and Conditions are powerful options in the Conditional Access policy, but they are not required for this simple policy to block access to an app. You would use them if you wanted to do things like restrict access for user working from a specific location, or block access if a user has shown risky behavior. There are many granular options that you can choose from, or even combine together.
12.Find the section titled Access controls.
13.Under the word Grant select the text 0 controls selected.
14.When the Grant dialog opens, select the Block access item.
15.Use the Select button to accept the change.
Lab tip - You have not set the values needed to create a simple block access policy to the Sway app for Bhogeswar. In the Access controls section, we could have allowed access with specific conditions like MFA or a domain joined device.
16.At the bottom of the Conditional Access interface, find the Enable policy item.
17.Set the value to On.
18.Select the Create button.
Lab tip - You have three options to pick from, and you can change value at any time, without having to change the policy.
- On = enables the policy to run
- Off = turn the policy off in case you need to modify it.
- Report-only = use this option to review the outcome of the policy before you fully turn it on.
Task 2 - Perform a What If analysis for a conditional access policy
1.Open the Microsoft Entra admin center at https://entra.microsoft.com.
2.Log in using the credentials for your tenant.
3.From the menu on the left, select Conditional access submenu.
4.From the Conditional access screen select the What if option from the top menu.
5.In the section User or Workload identity select the text No user or service principal selected.
6.Make sure the box next to User is marked.
7.Select the text No user selected or Edit user.
8.From the Users list, put a mark next to Bhogeswar Kalita, then use the Select button.
9.In the Cloud apps, actions, or authentication context, select the text Any cloud app.
10.When the Select target type dialog opens, confirm that Cloud apps is chosen in the dropdown.
11.Click on the + Select cloud app.
12.Use the search to find the Sway app, then use the Select botton to finalize.
13.Scroll down to the bottom of the What If tool.
14.Select the button What If.
Note - the results appear off the bottom of the screen, so you will need to scroll down again.
15.You should see the Block Bhogeswar from using Sway policy listed, and it is blocking access.
16.You have to make selections for Device platform and Client app under sign-in conditions.
Subtask 1 - Try a different app in the What If analysis
1.Scroll back to the top of the What If tool.
2.In the Cloud apps, actions, or authentication context, select delete next to Sway and remove it..
3.Then select select cloud app to pick a new app.
4.Search for Office 365 Reports and choose it from the list, then use the Select button.
5.Scroll down to the bottom again.
6.Select the What If button.
7.You should see that the Block Bhoseswar from using Sway policy did not apply.
Summary
In this article, I demonstrated how to create and configure Conditional Access policies in Microsoft Entra ID, assign policies to specific users and cloud applications, define access controls, and validate policy behavior using the What If analysis tool. By testing policies before enforcement, administrators can confidently implement secure access controls, reduce the risk of unintended user lockouts, and strengthen their organization's identity security posture through a Zero Trust approach.






















Top comments (2)
Thanks for reading! One of the biggest lessons I've learned is to always test Conditional Access policies before broad deployment. Using Report-only mode and the What If tool can help identify unexpected impacts and reduce the risk of accidentally blocking legitimate users, especially administrator accounts.
A good practice is to keep at least one emergency (break-glass) administrator account excluded from Conditional Access policies. This provides a recovery path if a policy is misconfigured and prevents administrators from being locked out of the tenant.