As you know, Entra ID allows you to protect resources and enforce access policies when users access them, using Conditional Access (CA) policies.
Conditional Access policies can be in one of 3 states:
- Off: meaning the policy is not being applied
- On: meaning the policy is going to be applied depending on the targeted users/groups/admin roles, applications, etc.
- Report: meaning the policy is not being applied but logs will be saved to allow reviewing the potential impact based on the usage
In most contexts, when implementing a new CA policy, unless you are 100% sure, report mode is going to be used for a while to ensure the policy is not blocking or allowing unexpected access.
The problem with report mode is that it does not provide a central view of the results; you have to go to each individual user to look at the Sign in logs or grab the global Monitoring & health\Sign in logs.
Both of them give you the same text-based results, but no easy way to work out the impact of a specific Conditional Access policy.
Well, good news: you can now get a clear and direct view of the potential impact of a specific CA policy directly from the Conditional Access configuration blade.
NOTE: you still need to have some data to report on, which means you need to configure the new CA policy in Report mode first. I would recommend setting it as Report Only and then using the new capability to review.
To be able to get this information, you need to have at least the Security Reader admin role (or any role which includes it).
To access the CA policy impact, connect to your Entra ID portal (https://entra.microsoft.com/), open the Protection\Conditional Access blade, select the policy whose impact you want to see, and select the View policy impact tab.
As a result, you can identify the CA result (success, failed, not applied) and the users it is being applied to.
When you select one of the graph results, you can then see the user(s) and application(s) impacted by the policy.
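
For comparison with the sign-in log approach described earlier, here is an added example (not from the original post, and not Microsoft code) that builds the same kind of per-policy summary from exported sign-in records. It assumes the records follow the Microsoft Graph signIn shape (`appliedConditionalAccessPolicies` entries with `displayName` and `result`); the sample records, user names and policy name are constructed.

```python
from collections import Counter, defaultdict

POLICY = "Require MFA for admins"  # constructed policy name
# Constructed sign-in records (Graph signIn shape, only the fields used here).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY, "result": "reportOnlySuccess"},
         {"displayName": "Block legacy auth", "result": "success"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Office 365 SharePoint Online",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY, "result": "reportOnlyNotApplied"}]},
    # Records can carry no policy list at all; this must not break the summary.
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Azure Portal",
     "appliedConditionalAccessPolicies": None},
]

def policy_impact(signins, policy_name):
    """Count report-only results for one policy and list who would be affected.

    Returns (counts, impacted): counts maps each reportOnly* result to the
    number of sign-ins; impacted maps each result except reportOnlyNotApplied
    to a sorted, de-duplicated list of (user, application) pairs.
    """
    counts = Counter()
    impacted = defaultdict(set)
    for signin in signins:
        for policy in signin.get("appliedConditionalAccessPolicies") or []:
            result = policy.get("result") or "unknown"
            # Keep only this policy's report-only evaluations; enforced
            # results (success, failure, notApplied) belong to policies set to On.
            if policy.get("displayName") != policy_name or not result.startswith("reportOnly"):
                continue
            counts[result] += 1
            if result != "reportOnlyNotApplied":
                impacted[result].add((signin.get("userPrincipalName"), signin.get("appDisplayName")))
    return dict(counts), {r: sorted(pairs) for r, pairs in impacted.items()}

if __name__ == "__main__":
    counts, impacted = policy_impact(SAMPLE_SIGNINS, POLICY)
    print(counts)
    for result, pairs in impacted.items():
        print(result, pairs)
```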