L2. Conditional Access Policies
Course outlineLesson 2 of 18
Conditional Access is the AZ-500 exam's most tested identity topic. Learn named locations, sign-in risk, MFA enforcement, and the policy evaluation order that determines whether access is granted or blocked.
What Is Conditional Access?
Conditional Access is Entra ID's policy engine that sits between identity verification and resource access. It evaluates signals including user identity, device state, location, and risk score, then enforces controls like requiring MFA, blocking access, or requiring a compliant device.
Think of it as an if/then policy: if these conditions match then enforce these controls.
Policy Anatomy
Every Conditional Access policy has three parts: Assignments cover who and what the policy applies to:
- Users and groups (include/exclude)
- Cloud apps or actions
- Conditions: sign-in risk, user risk, device platform, locations, client apps
- Grant: block access, require MFA, require compliant device, require hybrid Entra joined device
- Session: limit session duration, block download in Defender for Cloud Apps
Named Locations
Named locations let you define trusted IP ranges or countries. Common exam pattern: create a named location for your corporate IP range, then create a policy that blocks sign-ins from outside that location unless MFA is satisfied. Exam trap: Named locations marked "trusted" reduce risk scores in Identity Protection. Marking an office IP range as trusted means sign-ins from that IP get a lower risk score.
Sign-in Risk vs User Risk
| Signal | Source | What It Measures |
|---|---|---|
| Sign-in risk | Real-time ML | Is this specific sign-in suspicious? |
| User risk | Aggregated ML | Has this account been compromised over time? |
Policy Evaluation Order
All matching policies are evaluated: there is no first-match-wins. If any matching policy blocks access, the user is blocked. Controls from grant policies are combined with AND logic by default, meaning the user must satisfy all controls. Exam tip: Exclusions are the only way to exempt a user from a policy. The Report-only mode lets you audit what a policy would do without enforcing it: use it before enabling new policies.
- ✓CA policy = Assignments (who/what/conditions) + Access Controls (grant/session)
- ✓Named locations marked "trusted" lower the Identity Protection risk score for those IPs
- ✓Sign-in risk = real-time per-session signal; User risk = aggregated account compromise signal
- ✓All matching policies evaluate: no first-match-wins. Any blocking policy blocks the user
- ✓Report-only mode audits policy impact without enforcement: use before enabling new policies
- ✓Exclusions (not conditions) are the only way to exempt a specific user from a policy
1. A Conditional Access policy is set to 'Report-only' mode. What happens when a user triggers the policy conditions?
2. Which sign-in risk level is calculated in real time using Microsoft's threat intelligence and machine learning?
3. You want to exclude break-glass accounts from all Conditional Access policies. What is the correct approach?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.