As identity-based attacks grow more sophisticated—like the recent Storm-2372 phishing campaign—IT teams need smarter access control tools to stay ahead. Attackers are evolving, exploiting overlooked authentication flows and policy gaps. That's why I’m excited to spotlight three powerful new enhancements to Microsoft Entra Conditional Access—designed to help admins plan, monitor, and optimize policy rollouts with greater precision and confidence. Each tool brings unique capabilities to ensure your access policies are secure, effective, and resilient:
- General availability: Per-Policy Reporting
- Public preview: What-If Evaluation API
- General availability: Sign-in frequency – every time (session control)
Let’s take a closer look at how each of these features works in action.
Get clear insights with Per-Policy Reporting
Figure 1: View Per-Policy Reporting tool in Conditional Access
Admins can make smarter decisions when adjusting and optimizing policies by understanding how each Conditional Access policy affects user sign-ins. The new Per-Policy Reporting feature gives admins a clear, policy-by-policy view of how each policy impacts sign-in activity across your organization. This feature allows you to quickly assess the impact of a policy, whether it is enabled or in report-only mode, with easy-to-understand visualizations. This eliminates the need to dig through complex logs or rely on custom workbooks, which often require additional licenses and have scalability limitations. Since its general availability in April, usage has increased by 475%, a clear sign that admins are finding real value in this tool for monitoring and fine-tuning their policies with confidence.
Preview policy impact with What-If evaluation API
Managing Conditional Access policies isn’t just about reacting—it's also about anticipating. The What-If evaluation API gives admins a powerful way to simulate the effects of Conditional Access policies at scale, before they are enforced. It enables automated testing across numerous sign-in scenarios, helping ensure that policy configurations stay aligned with organizational security requirements. Admins can also simulate uncommon or complex scenarios to design more comprehensive and resilient policies. This API also powers the What-If experience in the Microsoft Entra portal and delivers highly accurate evaluations by using the same authentication logic as real sign-ins—so what you test is what your users will experience. Since its public preview, usage of the API has gone up by 220%, showing how useful the API is for admins to test, fine-tune, and roll out Conditional Access policies with confidence.
See it in action
Let’s explore a scenario of how an organization like Contoso uses the What-If Evaluation API to confidently roll out a new Conditional Access policy to secure their internal payroll app.
Step 1: Define the policy
Contoso’s identity and access management team wants to secure access to the Contoso Payroll application, which contains sensitive employee data. They decide to:
- Require multifactor authentication (MFA)
- Enforce reauthentication
- Target risky users accessing the app from outside trusted networks
Before enforcing the policy, they configure it in report-only mode to monitor its impact without affecting users.
Step 2: Validate the policy
They configure the policy per their requirements but decide to validate the policy’s impact using the What-If experience in the Microsoft Entra portal, which is powered by the What-If Evaluation API. The tool confirms that the reauthentication requirement would apply in the right scenarios.
Figure 2: Validating policy impact using the Conditional Access What-if portal experience
Figure 3: Validating policy impact using the Conditional Access What-if portal experience
Step 3: Automate testing with the API
To go further, the team decides to leverage the API to automate the testing process. They develop a script using the What-If Evaluation API to simulate a wide range of sign-in scenarios, including edge cases that are difficult to test manually, such as:
- A user signing in from a region where their organization has no presence.
- A risky user accessing an application from outside of a trusted network.
The API returns results indicating which policies would apply to each scenario. They schedule the script to run daily, enabling continuous monitoring for any deviations in policy enforcement caused by configuration changes within their tenant.
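The daily check described above, written as an added example (not Contoso's or Microsoft's script): each scenario carries the outcome the team expects, the script builds a What-If request per scenario, and any scenario whose result no longer matches is reported as a deviation. The beta endpoint and the request/response field names (`userId`, `includeApplications`, `signInConditions`, `policyApplies`) reflect the Graph beta documentation as I understand it and should be confirmed against the current docs; the application id, user id and policy name are placeholders.

```python
import json
import urllib.request

# Assumed beta endpoint and field names; confirm against current Graph docs.
EVALUATE_URL = "https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate"
PAYROLL_APP_ID = "<payroll-app-id>"      # placeholder, not a real application id
POLICY_NAME = "Payroll - MFA and reauth for risky users"   # constructed policy name

# Simulated sign-ins with the outcome the team expects; constructed for this example.
SCENARIOS = [
    {"name": "risky user from untrusted network", "user": "<user-id>",
     "conditions": {"userRiskLevel": "high", "country": "BR"}, "expect": True},
    {"name": "low-risk user from trusted network", "user": "<user-id>",
     "conditions": {"userRiskLevel": "low", "country": "US"}, "expect": False},
]

def build_request(user_id, app_id, conditions):
    """Request body for one simulated sign-in against one application."""
    return {
        "signInIdentity": {"@odata.type": "#microsoft.graph.userSignIn", "userId": user_id},
        "signInContext": {"@odata.type": "#microsoft.graph.applicationContext",
                          "includeApplications": [app_id]},
        "signInConditions": conditions,
        "appliedPoliciesOnly": True,
    }

def policy_applied(response, policy_name):
    """True when the named policy is reported as applying to the simulated sign-in."""
    return any(p.get("displayName") == policy_name and p.get("policyApplies") is True
               for p in response.get("value", []))

def graph_poster(token):
    """Return a function that POSTs a body to the evaluate endpoint with a bearer token."""
    def post(body):
        req = urllib.request.Request(EVALUATE_URL, data=json.dumps(body).encode(),
                                     method="POST",
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post

def find_deviations(post, scenarios=SCENARIOS, policy_name=POLICY_NAME):
    """Evaluate every scenario; return the names whose result differs from expectation."""
    deviations = []
    for s in scenarios:
        result = post(build_request(s["user"], PAYROLL_APP_ID, s["conditions"]))
        if policy_applied(result, policy_name) != s["expect"]:
            deviations.append(s["name"])
    return deviations   # a non-empty list means policy enforcement has drifted
```

In production, `find_deviations(graph_poster(token))` runs from a scheduler once a day and a non-empty result is routed to the team's alerting channel; the poster is injected so the same logic can be exercised offline against recorded responses.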
Figure 4: Graph API explorer illustration using Conditional Access What-if API
Step 4: Review impact and enable the policy
After the policy has been in report-only mode for 7 days, the admin uses Per-Policy Reporting to view its impact: a detailed summary of the number of sign-ins affected by the policy. They make use of the policy result filter and the sample sign-ins data to confirm that the policy behavior is as expected. Most sign-ins are successful, and only a few would have been blocked—primarily from risky users, which aligns with the intended outcome. Confident that the policy will enhance security without negatively impacting end users, they enable it.
Figure 5: View Per-Policy Impact in Conditional Access
Sign-in frequency - every time
In today’s digital environment, organizations often need users to reauthenticate more frequently, especially when accessing sensitive resources, performing high-risk actions, or meeting compliance requirements. This is aligned with one of our core principles of Zero Trust: verifying explicitly. That’s where the Sign-in frequency – every time session control comes in. With this feature, admins can create policies requiring interactive reauthentication for any application or authentication context protected by Conditional Access.
Figure 6: Create a “sign in frequency – every time” policy for sensitive applications
Imagine a scenario where your organization needs to secure sensitive applications, protect resources behind VPN, or safeguard privileged role elevation in Privileged Identity Management (PIM). By implementing the Sign-in frequency – every time session control, you can ensure that users reauthenticate when accessing these critical resources. This added layer of security helps mitigate risks associated with token theft and unauthorized access.
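For reference, the Contoso policy from Step 1 (MFA, reauthentication, risky users outside trusted locations, report-only while being validated) expressed as a Microsoft Graph conditionalAccessPolicy body that uses the every-time sign-in frequency control described in this section. This is an added example, not a policy from the original post; the application id is a placeholder, and `state` stays at report-only until the Step 4 review is complete.

```json
{
  "displayName": "Payroll - MFA and reauth for risky users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": ["All"] },
    "applications": { "includeApplications": ["<payroll-app-id>"] },
    "userRiskLevels": ["high", "medium"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] },
  "sessionControls": {
    "signInFrequency": {
      "isEnabled": true,
      "frequencyInterval": "everyTime",
      "authenticationType": "primaryAndSecondaryAuthentication"
    }
  }
}
```

Because `frequencyInterval` is `everyTime`, the usual `value`/`type` interval fields are omitted; the control prompts for a fresh interactive sign-in on every access to the payroll app that matches the conditions.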
Stay ahead of emerging threats with the Conditional Access Optimization Agent
As attackers continue to evolve, so must our defenses. The new Security Copilot Conditional Access Optimization Agent in Microsoft Entra—now in public preview—is designed to help you stay one step ahead. This AI-powered, autonomous agent continuously monitors your environment for changes like new users or applications, flags gaps in Conditional Access policy coverage, and suggests one-click updates to keep your Zero Trust posture strong.
By proactively surfacing misalignments and recommending opportunities to optimize policies, the agent helps ensure your Conditional Access policies evolve alongside your organization – without requiring manual effort or custom tooling.
Call to action
These enhancements to Conditional Access empower your admins with the tools they need to plan, monitor, and optimize their Conditional Access policies effectively. By leveraging Conditional Access Per-Policy Reporting, the What-If API, and Reauthentication, admins can ensure their policies are secure, effective, and tailored to their organization's needs.
Swaroop Krishnamurthy
Principal Product Manager
Read more on this topic
- Learn more about the Microsoft Entra Conditional Access Optimization agent
- Learn more about Conditional Access Per-policy Reporting
- Learn more about What If Evaluation API
- Learn more about Sign-in frequency- every time session control
- Read more about Conditional Access reauthentication policy scenarios
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.