The Conditional Access Policy Simulator lets you model Microsoft Entra ID Conditional Access policies without applying them to your live tenant. Configure conditions (user role, device compliance, location, sign-in risk), define grant controls (block, MFA, compliant device), and see the resulting outcome immediately: allowed, blocked, or granted with conditions. It is a safe place to test policies before deployment.
Conditional Access is the Zero Trust policy engine in Microsoft Entra ID (formerly Azure AD). It evaluates access signals in real time (user identity, device state, location, application, and sign-in risk) and enforces controls such as MFA, device compliance, or blocking before granting access to cloud applications and resources. It is a core component of modern identity security.
No connection to any tenant. This is a standalone educational simulation tool. It does not require authentication, does not connect to any Azure subscription or Entra ID tenant, and does not read or modify any real policies in your environment. Perfect for learning and testing policies safely offline.
The simulator supports: user and group membership, application targets, device platforms (Windows, macOS, iOS, Android), device compliance status, network location (named locations, trusted IPs), sign-in risk levels (None, Low, Medium, High), and user risk levels. Combine these conditions to test complex policy scenarios.
Available grant controls include: block access, require MFA (multi-factor authentication), require compliant device, require Entra ID hybrid joined device, require approved client app, and require terms of use acceptance. Build sophisticated access policies by combining multiple controls for layered security.
Misconfigured Conditional Access policies can lock out users or admins, including Global Administrators. A simulator helps identify unintended exclusions, overly broad blocks, and MFA gaps before a policy goes live. Microsoft recommends testing in Report-Only mode first; a simulator like this one adds a pre-deployment validation step before that.
Use this simulator to validate policy logic. Then in your actual Entra ID tenant: (1) Create the policy, (2) Set to Report-Only mode first, (3) Monitor for 1–2 weeks without blocking, (4) Review logs and impact analysis, (5) Switch to Enabled status. Test in Report-Only before enabling to catch issues safely.
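The evaluation the simulator performs can be sketched in a few lines: every enabled policy whose conditions all match the sign-in contributes its grant controls, a block in any matching policy wins, and report-only policies are surfaced but not enforced. The following Python is an added example written for this page, not the simulator's own code; the `Policy` and `SignIn` fields, the control names and the "Azure portal" app label are hypothetical simplifications of the real Entra ID conditions.

```python
from dataclasses import dataclass, field
from typing import Optional
# Sign-in risk levels in ascending severity, as listed by the simulator.
RISK = {"None": 0, "Low": 1, "Medium": 2, "High": 3}
@dataclass
class SignIn:                        # the signals one sign-in attempt presents
    user: str
    groups: set
    app: str
    platform: str
    compliant: bool                  # device compliance status
    trusted_location: bool           # inside a named/trusted location
    sign_in_risk: str = "None"

@dataclass
class Policy:                        # one Conditional Access policy (hypothetical model)
    name: str
    users: set                       # {"All"} or the users/groups to include
    exclude: set = field(default_factory=set)
    apps: set = field(default_factory=lambda: {"All"})
    platforms: Optional[set] = None  # None = any device platform
    min_risk: str = "None"           # applies when sign-in risk is at least this level
    untrusted_only: bool = False     # applies only outside trusted locations
    controls: set = field(default_factory=set)  # {"block"} or e.g. {"mfa", "compliant_device"}
    state: str = "enabled"           # "enabled", "report_only" or "disabled"

def in_scope(p: Policy, s: SignIn) -> bool:
    """True when every configured condition of p matches sign-in s; exclusions win."""
    who = {s.user} | s.groups
    return (not (who & p.exclude)
            and ("All" in p.users or bool(who & p.users))
            and ("All" in p.apps or s.app in p.apps)
            and (p.platforms is None or s.platform in p.platforms)
            and RISK[s.sign_in_risk] >= RISK[p.min_risk]
            and not (p.untrusted_only and s.trusted_location))

def evaluate(policies, s: SignIn):
    """Enabled in-scope policies combine: any block wins, else controls are unioned; report-only is not enforced."""
    live = [p for p in policies if p.state == "enabled" and in_scope(p, s)]
    report_only = [p.name for p in policies if p.state == "report_only" and in_scope(p, s)]
    required = set().union(*(p.controls for p in live))
    if "block" in required or ("compliant_device" in required and not s.compliant):
        return "blocked", required, report_only   # a control the device cannot satisfy denies access
    return ("granted_with_controls" if required else "allowed"), required, report_only

def break_glass_locked_out(policies, account: str) -> bool:
    """Lockout check: worst-case sign-in for the emergency account (untrusted, non-compliant, high risk)."""
    worst = SignIn(account, set(), "Azure portal", "Windows", False, False, "High")
    return evaluate(policies, worst)[0] == "blocked"
```

Running `break_glass_locked_out` against a policy set is the check that catches a block policy which forgot to exclude the emergency access account, the lockout described above.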
Yes. Test how different user types, device states, and network locations are treated. Common scenarios: emergency admin access, guest user access, service account behavior, trusted network vs. untrusted network access. Use the simulator to verify your exclusion logic works correctly.
Best practices: (1) Always test in Report-Only mode first, (2) Exclude emergency access break-glass accounts, (3) Use named locations to manage location-based rules, (4) Require MFA for high-risk scenarios, (5) Monitor regularly, (6) Maintain clear documentation of policy intent. Use this simulator for safe pre-deployment testing.
Yes, completely free. One of 52 free tools available at jasperbernaers.com. No account required, no Azure subscription needed, no limits — safe testing ground for Entra ID Conditional Access policy logic.