
Conditional Access Policies: AZ-500 Exam Guide

Conditional Access is the AZ-500 exam's most tested identity topic. Learn named locations, sign-in risk, MFA enforcement, and the policy evaluation order that determines whether access is granted or blocked.

Microsoft Cloud Solution Architect
Tags: AZ-500, Conditional Access, Entra ID, MFA, Zero Trust, Certification

What Is Conditional Access?

Conditional Access is Entra ID's policy engine that sits between identity verification and resource access. It evaluates signals including user identity, device state, location, and risk score, then enforces controls like requiring MFA, blocking access, or requiring a compliant device.

Think of it as an if/then policy: if these conditions match, then enforce these controls.

Policy Anatomy

Every Conditional Access policy has three parts.

Assignments cover who and what the policy applies to:

  • Users and groups (include/exclude)
  • Cloud apps or actions
  • Conditions: sign-in risk, user risk, device platform, locations, client apps

Access Controls define what happens when the policy matches:

  • Grant: block access, require MFA, require compliant device, require hybrid Entra joined device
  • Session: limit session duration, block download in Defender for Cloud Apps

Named Locations

Named locations let you define trusted IP ranges or countries. Common exam pattern: create a named location for your corporate IP range, then create a policy that blocks sign-ins from outside that location unless MFA is satisfied.

Exam trap: Named locations marked "trusted" reduce risk scores in Identity Protection. Marking an office IP range as trusted means sign-ins from that IP get a lower risk score.

Sign-in Risk vs User Risk

Signal        | Source         | What It Measures
--------------|----------------|----------------------------------------------
Sign-in risk  | Real-time ML   | Is this specific sign-in suspicious?
User risk     | Aggregated ML  | Has this account been compromised over time?

A policy requiring MFA for medium-plus sign-in risk catches anomalous sessions without blocking the user account. A policy requiring password reset for high user risk handles accounts with leaked credentials.

Policy Evaluation Order

All matching policies are evaluated: there is no first-match-wins. If any matching policy blocks access, the user is blocked. When several grant policies apply, their controls are combined with AND logic by default, meaning the user must satisfy every required control before access is granted.

Exam tip: Exclusions are the only way to exempt a user from a policy. Report-only mode lets you audit what a policy would do without enforcing it: use it before enabling new policies.
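As an added illustration of the evaluation rules above (not code from this guide or from Microsoft), the following Python simulator models the semantics the section describes: every in-scope policy is evaluated, any block wins, grant controls are ANDed across policies, exclusions exempt a user, and report-only policies are recorded but never enforced. The policy set, user names, named location and risk ranking are constructed for the example.

```python
from dataclasses import dataclass, field

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}  # constructed rank order

@dataclass
class Policy:
    name: str
    state: str                                   # "enabled", "reportOnly" or "disabled"
    include_users: set                           # user names, or {"all"}
    exclude_users: set = field(default_factory=set)
    exclude_locations: set = field(default_factory=set)  # named locations out of scope
    min_signin_risk: str = "none"                # applies at this sign-in risk or above
    controls: set = field(default_factory=set)   # "block", "mfa", "compliantDevice"

@dataclass
class SignIn:
    user: str
    location: str       # matched named location, or "unknown"
    signin_risk: str
    satisfied: set      # controls this session has already met

def in_scope(p: Policy, s: SignIn) -> bool:
    """Assignment check: an exclusion always wins over an include."""
    return (p.state != "disabled"
            and s.user not in p.exclude_users
            and ("all" in p.include_users or s.user in p.include_users)
            and s.location not in p.exclude_locations
            and RISK[s.signin_risk] >= RISK[p.min_signin_risk])

def evaluate(policies: list, s: SignIn) -> tuple:
    """Evaluate every in-scope policy (no first-match-wins); returns (outcome, missing, report_only)."""
    required, report_only = set(), []
    for p in (q for q in policies if in_scope(q, s)):
        if p.state == "reportOnly":              # audited, never enforced
            report_only.append(p.name)
            continue
        required |= p.controls                   # grant controls AND across policies
    if "block" in required:                      # any block beats every grant
        return "blocked", set(), report_only
    missing = required - s.satisfied
    return ("interrupted" if missing else "granted"), missing, report_only

# Constructed sample policy set mirroring the guide's exam patterns.
POLICIES = [
    Policy("MFA off-network", "enabled", {"all"}, {"break-glass"}, {"Corp HQ"}, controls={"mfa"}),
    Policy("MFA medium+ risk", "enabled", {"all"}, min_signin_risk="medium", controls={"mfa"}),
    Policy("Block contractors", "enabled", {"contractor"}, controls={"block"}),
    Policy("Compliant device (report-only)", "reportOnly", {"all"}, controls={"compliantDevice"}),
]
```

Run `evaluate(POLICIES, SignIn("alice", "unknown", "low", set()))` to see a sign-in from outside the named location interrupted for MFA while the report-only policy is only logged.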
