Cyber Intelligence
Identity & Access · 30% of exam

L2. Conditional Access Policies

Course outlineLesson 2 of 18

Conditional Access is the AZ-500 exam's most tested identity topic. Learn named locations, sign-in risk, MFA enforcement, and the policy evaluation order that determines whether access is granted or blocked.

What Is Conditional Access?

Conditional Access is Entra ID's policy engine that sits between identity verification and resource access. It evaluates signals including user identity, device state, location, and risk score, then enforces controls like requiring MFA, blocking access, or requiring a compliant device.

Think of it as an if/then policy: if these conditions match then enforce these controls.

Policy Anatomy

Every Conditional Access policy has three parts: Assignments cover who and what the policy applies to:

  • Users and groups (include/exclude)
  • Cloud apps or actions
  • Conditions: sign-in risk, user risk, device platform, locations, client apps
Access Controls define what happens when the policy matches:
  • Grant: block access, require MFA, require compliant device, require hybrid Entra joined device
  • Session: limit session duration, block download in Defender for Cloud Apps

Named Locations

Named locations let you define trusted IP ranges or countries. Common exam pattern: create a named location for your corporate IP range, then create a policy that blocks sign-ins from outside that location unless MFA is satisfied. Exam trap: Named locations marked "trusted" reduce risk scores in Identity Protection. Marking an office IP range as trusted means sign-ins from that IP get a lower risk score.

Sign-in Risk vs User Risk

SignalSourceWhat It Measures
Sign-in riskReal-time MLIs this specific sign-in suspicious?
User riskAggregated MLHas this account been compromised over time?
A policy requiring MFA for medium-plus sign-in risk catches anomalous sessions without blocking the user account. A policy requiring password reset for high user risk handles accounts with leaked credentials.

Policy Evaluation Order

All matching policies are evaluated: there is no first-match-wins. If any matching policy blocks access, the user is blocked. Controls from grant policies are combined with AND logic by default, meaning the user must satisfy all controls. Exam tip: Exclusions are the only way to exempt a user from a policy. The Report-only mode lets you audit what a policy would do without enforcing it: use it before enabling new policies.

Exam Focus Points
  • CA policy = Assignments (who/what/conditions) + Access Controls (grant/session)
  • Named locations marked "trusted" lower the Identity Protection risk score for those IPs
  • Sign-in risk = real-time per-session signal; User risk = aggregated account compromise signal
  • All matching policies evaluate: no first-match-wins. Any blocking policy blocks the user
  • Report-only mode audits policy impact without enforcement: use before enabling new policies
  • Exclusions (not conditions) are the only way to exempt a specific user from a policy
Knowledge Check

1. A Conditional Access policy is set to 'Report-only' mode. What happens when a user triggers the policy conditions?

2. Which sign-in risk level is calculated in real time using Microsoft's threat intelligence and machine learning?

3. You want to exclude break-glass accounts from all Conditional Access policies. What is the correct approach?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available