🛡️ Smarter Access Control in Microsoft Entra ID

Identity is the new security perimeter—and Conditional Access is one of the most critical tools enterprises have to enforce modern, adaptive access control.

In recent months, Microsoft has introduced powerful new enhancements to Microsoft Entra ID, further improving how organizations monitor, test, and enforce Conditional Access policies. These updates include:

  • Conditional Access Optimization Agent (Public Preview)
  • Conditional Access “What If” Evaluation API (Public Preview)
  • Managed Identities as Federated Credentials (General Availability)

Let’s break down what Conditional Access is, how it helps, and how these enhancements improve your identity security posture.

🔐 What Is Conditional Access?

Conditional Access (CA) is a policy-based security framework in Microsoft Entra ID that automatically enforces access decisions based on real-time signals such as:

  • User identity and group membership
  • Location (IP, country, trusted network)
  • Device state (compliant, hybrid-joined, etc.)
  • Application being accessed
  • Risk levels (sign-in risk, user risk, etc.)
  • Client application (browser, mobile app, legacy auth)

Instead of hardcoded rules or binary access controls, Conditional Access uses dynamic, risk-based evaluations to decide whether to allow, block, or require additional steps like:

  • Multi-Factor Authentication (MFA)
  • Compliant or hybrid-joined devices
  • Terms of use acceptance
  • Session controls (e.g., sign-in frequency, app restrictions)

In essence, it helps you strike a balance between security and productivity by enforcing context-aware policies that adapt to changing conditions.

🚨 Why Conditional Access Matters

  • Protect against compromised credentials by blocking risky sign-ins or enforcing MFA.
  • Secure access to cloud apps like Microsoft 365, Salesforce, or custom applications.
  • Comply with regulatory requirements (e.g., GDPR, ISO 27001) by enforcing secure access to sensitive data.
  • Automate security posture for different user types: employees, guests (B2B), contractors, and service accounts.
  • Reduce attack surface without locking down productivity.

But Conditional Access policies can become complex—especially in large environments with hybrid identities, third-party integrations, and multiple tenants. This is where Microsoft’s recent innovations come in.

🧠 Conditional Access Optimization Agent (Public Preview)

Modern enterprises often assume their Conditional Access policies cover all users and scenarios—but that’s rarely true.

The Conditional Access Optimization Agent is a new diagnostic and recommendation engine from Microsoft that continuously monitors sign-in activity and evaluates which users or applications are not currently protected by any Conditional Access policy.

How it works:

  • Analyzes Entra sign-in logs in real time
  • Flags users, groups, apps, or scenarios without policy enforcement
  • Offers tailored policy recommendations to close those gaps
  • Integrates with Security Copilot for contextual AI-driven insights

Example use cases:

  • Discover service principals accessing Microsoft Graph with no CA policy
  • Identify newly onboarded B2B users not included in your baseline policy
  • Detect legacy authentication traffic slipping through unmanaged gaps

Why it matters:
Misconfigured or missing policies can leave significant holes in your Zero Trust strategy. The optimization agent helps ensure comprehensive policy coverage with less manual auditing.
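The coverage analysis the agent performs can be approximated from the sign-in log itself. The following is an added example (not Microsoft's agent or any code from this post): it reads a constructed sample of Microsoft Graph signIn records and flags sign-ins on which no policy produced a success or failure result, tagging the guest, service-principal and legacy-auth cases listed above.

```python
"""Coverage check over Entra sign-in records: which sign-ins did no Conditional
Access policy actually enforce? Added example, not Microsoft's agent."""
from collections import Counter

# Constructed sample records, trimmed to the Graph signIn fields this check reads.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "member",
     "appDisplayName": "Microsoft Graph", "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success"}]},
    {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "guest",
     "appDisplayName": "SharePoint Online", "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "notApplied"}]},
    {"userPrincipalName": "carol@contoso.example", "userType": "member",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
     "appliedConditionalAccessPolicies": []},
    {"servicePrincipalName": "build-agent", "appDisplayName": "Microsoft Graph",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "appliedConditionalAccessPolicies": []},
]
# Only success/failure mean a policy was enforced; notApplied, notEnabled and reportOnly* do not.
ENFORCED = {"success", "failure"}
# clientAppUsed values that indicate legacy (non-modern) authentication.
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients", "IMAP", "POP", "SMTP", "Authenticated SMTP"}

def is_unprotected(sign_in):
    """True when no Conditional Access policy enforced a decision on this sign-in."""
    results = {p.get("result") for p in sign_in.get("appliedConditionalAccessPolicies", [])}
    return not (results & ENFORCED)

def classify(sign_in):
    """Tags explaining why the gap matters (the agent's own example use cases)."""
    tags = []
    if sign_in.get("userType") == "guest":
        tags.append("guest")
    if "servicePrincipalName" in sign_in:
        tags.append("service-principal")
    if sign_in.get("clientAppUsed") in LEGACY_CLIENTS:
        tags.append("legacy-auth")
    return tags

def find_gaps(sign_ins):
    """One record per unprotected sign-in: who, which app, and why it matters."""
    return [{"principal": s.get("userPrincipalName") or s.get("servicePrincipalName"),
             "app": s.get("appDisplayName"), "tags": classify(s)}
            for s in sign_ins if is_unprotected(s)]

def gap_summary(sign_ins):
    """Count gaps per tag, e.g. how many uncovered legacy-auth sign-ins."""
    return Counter(tag for g in find_gaps(sign_ins) for tag in g["tags"])
```

Against real data, page the same fields from the Graph sign-in log and feed them to find_gaps; a report-only policy result is deliberately not counted as coverage.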

🧪 Conditional Access “What If” Evaluation API (Public Preview)

One of the most awaited capabilities for identity architects and security engineers is the ability to simulate Conditional Access decisions before rollout.

The Conditional Access “What If” Evaluation API lets you programmatically test how policies would apply to a given sign-in scenario, without actually executing the sign-in. This is ideal for CI/CD pipelines, policy troubleshooting, and change management workflows.

API Endpoint:

Required Microsoft Graph permissions:

  • Delegated: Policy.Read.ConditionalAccess
  • Application: Policy.Read.ConditionalAccess

Sample request body:

Key features:

  • Simulate any identity: user or service principal
  • Evaluate specific conditions: device, location, app, risk, etc.
  • Understand policy decisions (e.g., require MFA, block access)
  • Filter to only show policies that apply

Benefits:

  • Eliminate trial-and-error in Conditional Access deployments
  • Build automation into policy lifecycle workflows
  • Enable safer rollouts with pre-deployment analysis
  • Help DevSecOps teams validate access behavior in CI/CD pipelines

Example scenario:
Before onboarding a new group of guest users or enabling legacy app access, you can simulate sign-ins under different conditions to verify how your CA policies would react.
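A pipeline check built on the evaluation API, as an added example (not Microsoft's code and not the post's sample request): it builds a scenario, posts it to the What If endpoint and compares the resulting grant controls with what the rollout expects. The beta endpoint path and the request/response field names are assumptions to confirm against Microsoft's API reference; obtaining the Graph token is left to the caller.

```python
"""Pre-deployment check of Conditional Access decisions via the "What If" evaluation
API. Added example, not Microsoft's code. Assumed: the beta endpoint and the
request/response field names below; confirm them against Microsoft's API reference."""
import json
import urllib.request
GRAPH_EVALUATE = "https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate"

def build_scenario(user_id, app_id, country, client_app="all", sign_in_risk="none"):
    """One simulated sign-in; appliedPoliciesOnly returns only policies that apply."""
    conditions = {"clientAppType": client_app, "signInRiskLevel": sign_in_risk, "country": country}
    return {"signInIdentity": {"@odata.type": "#microsoft.graph.userSignIn", "userId": user_id},
            "signInContext": {"@odata.type": "#microsoft.graph.applicationContext",
                              "includeApplications": [app_id]},
            "signInConditions": conditions, "appliedPoliciesOnly": True}

def evaluate(scenario, access_token):
    """POST the scenario to Graph; the token needs Policy.Read.ConditionalAccess."""
    req = urllib.request.Request(GRAPH_EVALUATE, data=json.dumps(scenario).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req))

def decisions(result):
    """('block', set()) or ('grant', controls) from enabled policies that apply."""
    controls = set()
    for policy in result.get("value", []):
        if not policy.get("policyApplies") or policy.get("state") != "enabled":
            continue  # report-only and disabled policies do not enforce anything
        built_in = set(policy.get("grantControls", {}).get("builtInControls", []))
        if "block" in built_in:
            return "block", set()
        controls |= built_in
    return "grant", controls

def check(result, expect_decision, expect_controls=()):
    """Mismatches between the simulated outcome and the rollout's expectation."""
    decision, controls = decisions(result)
    problems = []
    if decision != expect_decision:
        problems.append(f"expected {expect_decision}, got {decision}")
    missing = set(expect_controls) - controls
    if decision == "grant" and missing:
        problems.append(f"missing controls: {sorted(missing)}")
    return problems

# Constructed response for a guest signing in from an untrusted country.
SAMPLE_RESULT = {"value": [
    {"displayName": "Require MFA for guests", "state": "enabled", "policyApplies": True,
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled", "policyApplies": False,
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}}]}
```

In a pipeline, run check(evaluate(build_scenario(...), token), "grant", {"mfa"}) for each scenario and fail the build on any non-empty result.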

🔑 Managed Identities as Federated Credentials (General Availability)

Secure access between services is often an overlooked risk—especially when secrets, certificates, or hardcoded credentials are used to authenticate workloads.

Microsoft has now made it possible to use managed identities as federated credentials in Microsoft Entra app registrations, enabling secure, secret-less workload-to-workload authentication.

What’s new:

  • You can now register a Managed Identity (User-Assigned) as a federated credential in an Entra application.
  • This works within a single tenant or across tenants, removing the need for secrets, client credentials, or Key Vault integration.

Benefits:

  • Simplifies automation and background services that need tokens
  • Ideal for multitenant SaaS apps, service mesh workloads, and CI/CD pipelines
  • Fully aligned with Microsoft’s passwordless and Zero Trust roadmap

Example use case:
You operate a service in Tenant A that needs to authenticate to a REST API hosted in an Entra app in Tenant B. By federating the managed identity, you allow access without secrets—and with full audit visibility via Entra logs.
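The two-step exchange behind that scenario, as an added example (not Microsoft's SDK or sample code): the service obtains a managed-identity token for the audience api://AzureADTokenExchange from the Azure instance metadata service, then presents it as a client assertion to Tenant B's token endpoint. The identity, tenant and app ids are placeholders, and the Tenant B app registration is assumed to list the managed identity as a federated credential.

```python
"""Secret-less cross-tenant client-credentials flow with a managed identity as a
federated credential. Added example, not Microsoft's SDK. Assumed inputs: the
user-assigned identity's client id (Tenant A) and the Tenant B app registration
that lists that identity as a federated credential; tenant/app ids are placeholders."""
import json
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # audience Entra expects in the assertion
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def imds_request(uami_client_id):
    """Step 1: ask the instance metadata service for a managed-identity token whose
    audience is the token-exchange audience, not the target API."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01",
                                    "resource": EXCHANGE_AUDIENCE, "client_id": uami_client_id})
    return urllib.request.Request(f"{IMDS}?{query}", headers={"Metadata": "true"})

def assertion_form(app_b_client_id, mi_token, scope):
    """Step 2 body: the MI token stands in for App B's client secret or certificate."""
    return {"grant_type": "client_credentials", "client_id": app_b_client_id, "scope": scope,
            "client_assertion_type": ASSERTION_TYPE, "client_assertion": mi_token}

def token_endpoint(tenant_b_id):
    return f"https://login.microsoftonline.com/{tenant_b_id}/oauth2/v2.0/token"

def _fetch(req):
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def acquire_cross_tenant_token(uami_client_id, tenant_b_id, app_b_client_id, scope, fetch=_fetch):
    """Run both steps; `fetch` is injectable so the flow can be exercised offline."""
    mi_token = fetch(imds_request(uami_client_id))["access_token"]
    form = urllib.parse.urlencode(assertion_form(app_b_client_id, mi_token, scope)).encode()
    req = urllib.request.Request(token_endpoint(tenant_b_id), data=form,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    return fetch(req)["access_token"]  # token for the Tenant B API, with no stored secret
```

Both token requests show up in the Entra sign-in logs (managed identity and service principal sign-ins respectively), which is where the audit trail the post mentions comes from.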

🧩 Wrapping Up

Conditional Access is no longer just a gatekeeper—it’s becoming a predictive, intelligent enforcement layer that can monitor, simulate, and optimize itself with minimal manual effort.

Whether you’re a cloud security architect, identity admin, or DevOps engineer, the recent updates to Microsoft Entra ID provide:

  • Automated policy gap detection with the Optimization Agent
  • Advanced simulation and testing via the What If API
  • Simplified, secure app-to-app auth with federated managed identities

These tools enable better security by design, reducing human error while boosting agility. If your organization hasn’t yet explored these new capabilities, now is a great time to integrate them into your Zero Trust strategy.

You can also learn more about Conditional Access in my previous post.

Author: Harri Jaakkonen