How do multiple Conditional Access policies interact?

All applicable policies are evaluated for every sign-in — there is no priority ordering or first-match behavior. If any policy blocks access, the sign-in is blocked regardless of other policies that might grant access. If multiple policies grant access with different controls, all controls must be satisfied (AND logic). For example, if one policy requires MFA and another requires a compliant device, the user must satisfy both. This means a single overly broad block policy can override all grant policies, so test carefully using report-only mode before enforcement.

What is report-only mode?

Report-only mode lets you evaluate the impact of a Conditional Access policy without enforcing it. Sign-in logs show what the policy would have done (grant, block, require MFA) without actually affecting the user. This is essential for testing new policies in production before enabling enforcement. Review the sign-in logs for several days to identify any unintended blocks or gaps before switching to on mode. You can have up to 20 policies in report-only mode simultaneously.

Conditional Access Policy Builder

IAM & SecurityAzure

Build Entra ID Conditional Access policies with MFA, risk, and session controls.

Conditional Access Policy Configuration

Display Name

State

Include Users (comma-separated)

Exclude Users (comma-separated)

Include Applications

Exclude Applications

Client App Types

browser mobileAppsAndDesktopClients exchangeActiveSync other

Grant Controls

Sign-in Frequency (optional)

Frequency Type

Persistent Browser

Generated Conditional Access Policy

Output will appear here...

About This Tool

Microsoft Entra ID Conditional Access policies are the decision engine for Zero Trust security, evaluating signals like user identity, device state, location, application, and real-time risk to decide whether to grant, block, or require additional verification for access requests. Policies combine conditions (who, what, where, device state, risk level) with access controls (block, grant with MFA, require compliant device, app protection policy, sign-in frequency). The Conditional Access Policy Builder helps you construct policies with the correct condition combinations and grant controls for common security scenarios.

When to Use This Tool

•Building policies that require MFA for all users accessing Office 365 from outside the corporate network
•Creating risk-based policies that block sign-ins flagged as high risk and require MFA for medium-risk sign-ins
•Defining device-compliance policies that only allow access from Intune-enrolled devices for sensitive applications
•Configuring session controls that limit browser session duration and block persistent cookies for external users

Frequently Asked Questions

How do multiple Conditional Access policies interact?: All applicable policies are evaluated for every sign-in — there is no priority ordering or first-match behavior. If any policy blocks access, the sign-in is blocked regardless of other policies that might grant access. If multiple policies grant access with different controls, all controls must be satisfied (AND logic). For example, if one policy requires MFA and another requires a compliant device, the user must satisfy both. This means a single overly broad block policy can override all grant policies, so test carefully using report-only mode before enforcement.
What is report-only mode?: Report-only mode lets you evaluate the impact of a Conditional Access policy without enforcing it. Sign-in logs show what the policy would have done (grant, block, require MFA) without actually affecting the user. This is essential for testing new policies in production before enabling enforcement. Review the sign-in logs for several days to identify any unintended blocks or gaps before switching to on mode. You can have up to 20 policies in report-only mode simultaneously.

Related Learning Guides

Microsoft Entra ID (Azure AD)24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.