Microsoft Entra ID Conditional Access: Complete SC-300 Exam Guide
Conditional Access is the most heavily tested topic in SC-300. This guide covers every policy component, common configurations, troubleshooting, and the exact exam scenarios you need to master.
Exam Weight Alert
Conditional Access questions appear in the Authentication domain (25% of the exam) AND in Identity Governance scenarios. Expect 8–12 CA-related questions on your SC-300 exam. This is the single most important topic to master.
What is Conditional Access?
Conditional Access (CA) is Microsoft's Zero Trust policy engine for Microsoft Entra ID. It evaluates signals (who is the user, what app are they accessing, where are they, what device are they using, what risk is associated with this sign-in) and makes access decisions (allow, block, or allow with conditions).
Think of it as an if-then statement: IF a user matches certain conditions, THEN enforce certain controls.
// Conceptual CA policy logic
IF (user = Finance group)
AND (app = QuickBooks)
AND (device is NOT compliant)
THEN (block access)
CA requires Microsoft Entra ID P1 license (minimum). Some features like risk-based CA require P2. The exam tests both P1 and P2 scenarios — know which features require P2.
Requires P1
- • MFA grant control
- • Compliant device requirement
- • Approved client app
- • Named locations
- • Device platform conditions
Requires P2
- • Sign-in risk condition
- • User risk condition
- • Require password change grant
- • Insider risk condition
- • Authentication context
Anatomy of a CA Policy
Every Conditional Access policy has three parts: Assignments (who and what the policy applies to), Conditions (additional signals to evaluate), and Access Controls (what to do when the policy matches).
Part 1: Assignments
Users / Groups
- • All users (risky — always exclude emergency accounts)
- • Specific users or groups (include or exclude)
- • Directory roles (e.g., all Global Admins)
- • Guest / external users
- • Workload identities (service principals)
Cloud Apps / Actions
- • All cloud apps
- • Select apps (Office 365, specific SaaS apps)
- • Exclude apps from the policy
- • User actions (register security info, register device)
Part 2: Conditions (Optional signals)
User risk
Low / Medium / High — based on Identity Protection ML analysis of account compromise signals
Sign-in risk
Low / Medium / High / Real-time — based on anomalous sign-in signals
Device platforms
Android, iOS, Windows, macOS, Linux — target specific OS types
Locations
Named locations (IP ranges, countries) — include or exclude
Client apps
Browser, mobile app, desktop client, Exchange ActiveSync, legacy auth clients
Filter for devices
Target specific device attributes like compliance state, join type, OS version
Grant Controls
Grant controls determine what the user must do to gain access. You can require ALL controls (AND logic) or ANY of the controls (OR logic).
| Grant Control | What It Does | License |
|---|---|---|
| Block access | Completely denies access. No override possible for the matched user. | P1 |
| Require MFA | User must complete multi-factor authentication before accessing the app. | P1 |
| Require compliant device | Device must be enrolled in Intune and meet all compliance policies. | P1 |
| Require Entra AD joined device | Device must be Entra AD joined (formerly Azure AD joined). Does not require compliance. | P1 |
| Require approved client app | App must be on Microsoft's approved client app list (e.g., Outlook, Teams, Edge). | P1 |
| Require app protection policy | Intune app protection policy must be applied to the client app. Good for BYOD. | P1 |
| Require password change | Used with user risk — forces the user to change their password before accessing the app. | P2 |
| Require authentication strength | Specify the minimum authentication method strength (e.g., phishing-resistant MFA for admins). | P1 |
Session Controls
Session controls limit what a user can do within an app session after they've been granted access. They work in conjunction with Microsoft Defender for Cloud Apps (MDCA) for advanced controls.
Sign-in frequency
Forces re-authentication after a set period (e.g., every 4 hours for sensitive apps). Overrides browser token persistence.
Persistent browser session
Controls whether the browser shows "Stay signed in?" — can be forced to "Never persistent" for shared or unmanaged devices.
App enforced restrictions
Passes device compliance/domain-joined information to SharePoint Online and Exchange Online to enforce limited experience for unmanaged devices (read-only, no download).
Conditional Access App Control (MDCA)
Routes traffic through Defender for Cloud Apps proxy for real-time session monitoring, blocking downloads, preventing copy/paste of sensitive data.
Disable resilience defaults
By default, Entra ID can allow access during outages based on cached policy. This control disables that fallback for high-security scenarios.
6 Common CA Policy Configurations (Exam Favorites)
Require MFA for All Admins
Assignments: All users in admin directory roles. Apps: All cloud apps. Grant: Require MFA. This is Microsoft's most recommended baseline policy.
Block Legacy Authentication
Assignments: All users. Apps: All cloud apps. Conditions: Client apps = Exchange ActiveSync + Other clients. Grant: Block access. Legacy auth cannot support MFA — block it entirely.
Require Compliant Device for Sensitive Apps
Assignments: All users (or specific groups). Apps: Select high-sensitivity apps (e.g., HR system). Conditions: none. Grant: Require compliant device.
Risk-Based MFA (Identity Protection)
Assignments: All users. Apps: All cloud apps. Conditions: Sign-in risk = Medium or High. Grant: Require MFA. Triggers MFA only when Entra ID detects anomalous behavior.
Location-Based Access
Block access from countries where your org doesn't operate. Conditions: Locations = Include all countries, Exclude allowed countries. Grant: Block access.
Require Phishing-Resistant MFA for Admins
Assignments: Admin roles. Apps: All cloud apps. Grant: Require authentication strength = Phishing-resistant MFA. Requires FIDO2 key or Windows Hello.
Troubleshooting CA Policies
The exam frequently presents troubleshooting scenarios. Know these tools:
What If Tool
Simulates which CA policies would apply to a specific user signing in to a specific app from a specific location/device. Use this to test policies before enabling them and to diagnose why a user is being blocked or not getting the expected controls applied.
Sign-in Logs
Every sign-in event in Entra ID shows which CA policies were evaluated, which policies applied, and whether they succeeded or were interrupted. The "Conditional Access" tab in sign-in logs shows policy details and the specific failure reason (e.g., device not compliant, MFA not completed).
Emergency Access (Break-Glass) Accounts
Always exclude at least one emergency access account from all CA policies. If all Global Admin accounts are locked out by a misconfigured CA policy, you need a break-glass account to recover. The exam may test whether you know to exclude these accounts when deploying "All users" policies.
High-Frequency Exam Scenarios
Scenario: BYOD Users Accessing Email
Solution: Require app protection policy (Intune MAM without enrollment) or approved client app — not compliant device, because BYOD devices may not be enrolled.
Scenario: Contractors Need Limited SharePoint Access
Solution: Use "App enforced restrictions" session control — gives SharePoint the signal to serve a limited (read-only, no-download) experience to unmanaged devices.
Scenario: Block Access from High-Risk Countries
Solution: Create Named Locations for blocked countries, create CA policy with those locations included, grant control = Block access.
Scenario: MFA Not Needed on Corporate Network
Solution: Create Named Location for corporate IP range, mark it as trusted. Create CA MFA policy excluding the trusted location. Users on corporate network skip MFA.
Scenario: Admins Must Use FIDO2 Keys
Solution: Create CA policy targeting admin directory roles, require Authentication Strength = Phishing-resistant MFA. This enforces FIDO2, Windows Hello, or certificate-based auth.
Practice SC-300 Conditional Access Questions
500 questions with heavy CA coverage — scenario-based, just like the real exam.
Start Free Practice →