Conditional Access policies can become a bit of a spaghetti nest, especially when you’re using multiple policies to account for different scenarios. You might want to consider accounting for factors such as

  • Countries (the location the sign-in comes from)
  • Device platforms
  • Type of client application (browser, mobile app or desktop client)
  • Which cloud application you are trying to access

In the last exercise I worked on, there were six different Conditional Access policies, and while you may think you are accounting for every scenario, it helps to have a tool that can check your logic. I noticed about two weeks ago, after waiting for a while, that there was an answer to that hope.

Microsoft released a tool under Conditional Access policies called What If. If you’re a PowerShell user, you’ve no doubt used -WhatIf in many scenarios. The one I use it for all the time is mailbox migrations, to make sure the verification is working, the connector is healthy and that a mailbox can be found and migrated in its current state. This is especially handy for hybrid scenarios because there isn’t a good health indicator for your hybrid environment. I’ll have to write something at some point that gives me some health indicators… that goes on the to-do list.

What If lets you run test cases against your policies to make sure your rules are behaving the way they should. Why is this necessary? When creating a Conditional Access policy you have to make decisions in five categories (users and groups, cloud apps, conditions, grant controls and session controls), each with dozens of options to choose from. It’s very easy to overlook something, and I noticed something right away: my policy on countries of origin never seemed to kick in.

After troubleshooting this for a bit, I did notice there are still some bugs in Conditional Access. It seems that my countries-of-origin policy was actually working as expected, but What If wasn’t reporting on it correctly. I have a word in with the product group on it.

What If works very simply: you pick a user and the sign-in conditions you want to test, choosing items that correspond to your policy, for example:

This is probably a poor example because of the bug I need to work out with Microsoft, but it does give you a good idea of how What If works. Here I’ve selected a user and asked how Conditional Access will treat access to all cloud apps from an IP address in Vietnam, using a browser on Windows. Basically: if I try to access my Office 365 portal with IE from Vietnam, what happens?

It’s telling me here that it should require MFA. However, this is incorrect: based on my rules it should block me completely, and when I tested it I did indeed get blocked.
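Because What If reported MFA where the real result was a block, it is worth being explicit about how several policies combine for one sign-in: every enabled policy whose conditions all match the sign-in applies, and if any applied policy blocks, the sign-in is blocked no matter what the others grant; otherwise every grant control from every applied policy has to be satisfied. The PowerShell below is an added example written for this post, not Microsoft’s What If code and not the Graph API. The policy shape (Name, State, Grant and a Conditions table keyed by the five categories), the user alice@contoso.com and the two sample sign-ins are constructed to mirror the Vietnam scenario above.

```powershell
# Added example: a deliberately simplified model of Conditional Access evaluation.
# Not Microsoft's implementation; policies and sign-ins below are constructed data.

function Test-CaPolicyApplies {
    param([hashtable]$Policy, [hashtable]$SignIn)
    # Each condition lists the values the policy targets; an empty list means "any".
    foreach ($key in 'Users', 'CloudApps', 'Countries', 'Platforms', 'ClientApps') {
        $targets = @($Policy.Conditions[$key])
        if ($targets.Count -gt 0 -and $SignIn[$key] -notin $targets) { return $false }
    }
    return $true
}

function Resolve-CaOutcome {
    param([hashtable[]]$Policies, [hashtable]$SignIn)
    # Only enabled policies whose every condition matches the sign-in are applied.
    $applied = @($Policies | Where-Object {
        $_.State -eq 'enabled' -and (Test-CaPolicyApplies -Policy $_ -SignIn $SignIn)
    })
    # Block always wins; otherwise all grant controls of all applied policies must be met.
    if ($applied.Grant -contains 'Block') {
        $result = 'Block'
    } elseif ($applied.Count -eq 0) {
        $result = 'Allow (no policy applied)'
    } else {
        $result = 'Require: ' + (@($applied.Grant | Sort-Object -Unique) -join ', ')
    }
    [pscustomobject]@{ Result = $result; AppliedPolicies = @($applied.Name) }
}

# Constructed sample policies (hypothetical tenant) in the five-category shape.
$policies = @(
    @{ Name = 'Block access from Vietnam'; State = 'enabled'; Grant = 'Block'
       Conditions = @{ Users = @(); CloudApps = @(); Countries = @('VN'); Platforms = @(); ClientApps = @() } }
    @{ Name = 'Require MFA for browser access to all cloud apps'; State = 'enabled'; Grant = 'RequireMfa'
       Conditions = @{ Users = @(); CloudApps = @(); Countries = @(); Platforms = @(); ClientApps = @('Browser') } }
    @{ Name = 'Require compliant device on Windows (disabled)'; State = 'disabled'; Grant = 'RequireCompliantDevice'
       Conditions = @{ Users = @(); CloudApps = @(); Countries = @(); Platforms = @('Windows'); ClientApps = @() } }
)

# Constructed sign-in: a browser on Windows hitting Office 365 from a Vietnamese IP,
# then the same sign-in from the United States for comparison.
$fromVietnam = @{ Users = 'alice@contoso.com'; CloudApps = 'Office 365'; Countries = 'VN'; Platforms = 'Windows'; ClientApps = 'Browser' }
$fromUnitedStates = $fromVietnam.Clone()
$fromUnitedStates.Countries = 'US'

Resolve-CaOutcome -Policies $policies -SignIn $fromVietnam
Resolve-CaOutcome -Policies $policies -SignIn $fromUnitedStates
```

With the sample data, the Vietnam sign-in matches both enabled policies and resolves to Block, which is the result the portal actually enforced in the test above, while the same sign-in from the US matches only the MFA policy and resolves to Require: RequireMfa. The disabled policy is skipped entirely. Real policies also carry include and exclude lists and use named locations rather than bare country codes; the model leaves those out to keep the precedence rule visible.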

This tool is going to be very useful for testing policy results; just remember it’s still in preview and not fully functional yet. If you want to help them out with bugs, make sure you report them.

