New tools in Microsoft Entra Conditional Access make access policy testing, monitoring, and security easier for IT admins.
Microsoft has added new features to its Entra Conditional Access solution that make it easier for IT admins to plan, monitor, and optimize policy rollouts within their organizations. The updates include detailed policy reporting, a simulation API for safe testing, and stricter sign-in controls to help improve security and reduce configuration errors.
Microsoft Entra Conditional Access is a security feature in Microsoft Entra ID that helps organizations control how users access apps and data based on specific conditions. It lets IT admins create policies that evaluate various factors such as user identity, location, device status, and risk level before granting or blocking access. For instance, a policy might require multi-factor authentication if a user signs in from an unfamiliar location or block access entirely from high-risk countries.
The Per-Policy Reporting feature allows IT admins to gain insights into how each Conditional Access policy affects user sign-ins. It helps them monitor and optimize policies with clear visualizations, which eliminates the need for complex logs or custom workbooks.
“This eliminates the need to dig through complex logs or rely on custom workbooks, which often require additional licenses and have scalability limitations. Since its general availability in April, usage has increased by 475%—a clear sign that admins are finding real value in this tool for monitoring and fine-tuning their policies with confidence,” Microsoft explained.
Microsoft has also introduced a new What-If evaluation API that allows IT admins to simulate how Conditional Access policies would apply to specific sign-in scenarios without actually enforcing them. This feature helps administrators test and validate policies before deployment to reduce the risk of unintended access issues. It supports automation to make it easier to evaluate multiple scenarios programmatically.
The What If experience in the Microsoft Entra Portal is powered by the same evaluation API. Since its public preview, usage of the API has jumped by 220%, which shows that it helps administrators confidently test and deploy Conditional Access policies.
Last but not least, Microsoft has released a new "sign-in frequency – every time" session control that forces users to reauthenticate every time they sign in. This control is particularly useful for protecting sensitive applications or data by ensuring that credentials are freshly verified each time. It overrides any existing session tokens to reduce the risk of unauthorized access from hijacked sessions.
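As an added example (not code from Microsoft or from this article), the script below checks an exported set of Conditional Access policies for which sensitive apps are actually covered by the every-time control. It assumes the export uses the Microsoft Graph `conditionalAccessPolicy` shape, where the control appears as `sessionControls.signInFrequency.frequencyInterval` set to `everyTime`; the app IDs and policy names are constructed, and user or group scoping is deliberately ignored.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; app IDs and display names are made up for illustration.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Finance app - reauth every time", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["app-finance"]}},
   "sessionControls": {"signInFrequency": {"isEnabled": true,
       "frequencyInterval": "everyTime",
       "authenticationType": "primaryAndSecondaryAuthentication"}}},
  {"displayName": "HR app - reauth (pilot)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeApplications": ["app-hr"]}},
   "sessionControls": {"signInFrequency": {"isEnabled": true,
       "frequencyInterval": "everyTime"}}},
  {"displayName": "All apps - 8 hour sessions", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]}},
   "sessionControls": {"signInFrequency": {"isEnabled": true,
       "frequencyInterval": "timeBased", "type": "hours", "value": 8}}}
]
""")

def every_time_coverage(policies, sensitive_apps):
    """Map each sensitive app ID to 'enforced', 'report-only' or 'missing'."""
    rank = {"missing": 0, "report-only": 1, "enforced": 2}
    states = {"enabled": "enforced",
              "enabledForReportingButNotEnforced": "report-only"}
    result = {app: "missing" for app in sensitive_apps}
    for policy in policies:
        sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
        if not sif.get("isEnabled") or sif.get("frequencyInterval") != "everyTime":
            continue  # time-based or absent sign-in frequency does not count
        status = states.get(policy.get("state"))
        if status is None:
            continue  # disabled policies enforce nothing
        apps = (policy.get("conditions") or {}).get("applications") or {}
        included = set(apps.get("includeApplications") or [])
        excluded = set(apps.get("excludeApplications") or [])
        for app in sensitive_apps:
            in_scope = (app in included or "All" in included) and app not in excluded
            if in_scope and rank[status] > rank[result[app]]:
                result[app] = status
    return result

if __name__ == "__main__":
    apps = ["app-finance", "app-hr", "app-payroll"]
    for app, status in every_time_coverage(SAMPLE_EXPORT, apps).items():
        print(f"{app}: {status}")
```

An app reported as `report-only` is still in pilot and not yet forcing reauthentication, and `missing` means only a time-based or no sign-in frequency applies to it.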
Last month, Microsoft launched its new Security Copilot Conditional Access Optimization Agent in Microsoft Entra. It works by analyzing existing policies and user sign-ins to identify gaps, recommend improvements, and suggest consolidations based on Microsoft’s Zero Trust best practices.