Hi Shivakumar Totad,
The definitive way to verify your configuration immediately without disrupting users is to utilize the What If tool within the Microsoft Entra admin center. This diagnostic utility allows you to simulate a sign-in event based on the conditions you configured, such as user identity, IP location, or device state, to predict exactly which policies will trigger. You can access this by navigating to Protection > Conditional Access > Policies and selecting What If from the top command bar.
Inside the tool, select a test user included in your policy's scope and specify the cloud app you are targeting. Upon running the evaluation, the tool will generate a report separated into "Policies that will apply" and "Policies that will not apply." You need to confirm that your new policy appears in the "Policies that will apply" list and, crucially, that the Grant Controls details confirm "Require multi-factor authentication" is the enforced action. If the policy appears under "Policies that will not apply," the tool will provide the specific condition (e.g., location or device platform) that caused the mismatch, allowing you to troubleshoot the assignment logic.
For validation against live traffic without risking a lockout, you should initially set the policy state to Report-only. This mode evaluates the policy during actual sign-ins but does not enforce it. You can then audit the results by going to Identity > Monitoring & health > Sign-in logs. Select a specific sign-in event, click the Conditional Access tab, and review the "Report-only" section to verify that your policy result shows "Success" (meaning it would have required MFA). This confirms the policy scope is correct before you flip the toggle to On.
I hope you've found something useful here. If it helps you get more insight into the issue, accepting the answer would be appreciated. Should you have more questions, feel free to leave a message. Have a nice day!
VP
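
The Report-only review described in the answer can also be done in bulk over exported sign-in records instead of one sign-in at a time. The following is an added example, not part of the answer and not Microsoft's code: it assumes the records follow the Microsoft Graph `signIn` shape (`appliedConditionalAccessPolicies` with `displayName`, `result`, `enforcedGrantControls`), and the users, apps and policy name "Require MFA - pilot" are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Microsoft Graph signIn records
# (auditLogs/signIns). Users, apps and the policy name are made up.
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Exchange Online",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - pilot", "result": "reportOnlyInterrupted",
    "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Block legacy auth", "result": "notApplied",
    "enforcedGrantControls": []}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "SharePoint Online",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - pilot", "result": "reportOnlySuccess",
    "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Exchange Online",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - pilot", "result": "reportOnlyNotApplied",
    "enforcedGrantControls": []}]},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - pilot", "result": "reportOnlyFailure",
    "enforcedGrantControls": ["Mfa"]}]}
]""")

REPORT_ONLY = {"reportOnlySuccess", "reportOnlyFailure",
               "reportOnlyInterrupted", "reportOnlyNotApplied"}

def summarize_policy(sign_ins, policy_name):
    """Tally one policy's results and list the sign-ins it did not cover."""
    tally, skipped, mfa_listed = Counter(), defaultdict(set), 0
    for s in sign_ins:
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("displayName") != policy_name:
                continue
            result = p.get("result", "unknown")
            tally[result] += 1
            if result == "reportOnlyNotApplied":  # conditions did not match
                skipped[s["userPrincipalName"]].add(s["appDisplayName"])
            # Assumption: MFA shows up as "Mfa" here; compared case-insensitively.
            if any(c.lower() == "mfa" for c in p.get("enforcedGrantControls") or []):
                mfa_listed += 1
    return {"tally": dict(tally), "mfa_listed": mfa_listed,
            "skipped": {u: sorted(a) for u, a in skipped.items()},
            "report_only": bool(tally) and set(tally) <= REPORT_ONLY}

if __name__ == "__main__":
    print(json.dumps(summarize_policy(SAMPLE, "Require MFA - pilot"), indent=2))
```

The `skipped` map is the part to review before switching the policy to On: any user listed there signed in without matching the policy's conditions.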