在条件访问中使用 What If 工具进行故障排除Troubleshoot using the What If tool in Conditional Access

条件访问是 Azure Active Directory (Azure AD) 中的一项功能,用于控制已获授权的用户访问云应用的方式。Conditional Access is a capability of Azure Active Directory (Azure AD) that enables you to control how authorized users access your cloud apps. 如何知道环境中的条件访问策略会带来什么?How do you know what to expect from the Conditional Access policies in your environment? 若要回答此问题,可以使用“条件访问 What If 工具”。To answer this question, you can use the Conditional Access What If tool.

本文介绍如何使用此工具来测试条件访问策略。This article explains how you can use this tool to test your Conditional Access policies.

作用What it is

通过“条件访问 What If 策略工具”,可了解条件访问策略对环境的影响。The Conditional Access What If policy tool allows you to understand the impact of your Conditional Access policies on your environment. 通过此工具,可以评估模拟的用户登录,而不是通过手动执行多个登录来驱动策略的测试。Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. 该模拟会估计此登录对策略的影响并生成模拟报表。The simulation estimates the impact this sign-in has on your policies and generates a simulation report. 报表不仅列出应用的条件访问策略,还列出经典策略(如果存在)。The report does not only list the applied Conditional Access policies but also classic policies if they exist.

What If 工具提供了一种快速确定适用于特定用户的策略的方法。The What If tool provides a way to quickly determine the policies that apply to a specific user. 如果需要解决问题等,则可以使用此信息。You can use the information, for example, if you need to troubleshoot an issue.

工作原理How it works

在“条件访问 What If 工具”中,首先需要配置想要模拟的登录方案的设置。In the Conditional Access What If tool, you first need to configure the settings of the sign-in scenario you want to simulate. 这些设置包括:These settings include:

  • 想要测试的用户The user you want to test
  • 用户要尝试访问的云应用The cloud apps the user would attempt to access
  • 访问配置的云应用时存在的条件The conditions under which access to the configured cloud apps is performed

下一步,可以启动用于评估设置的模拟运行。As a next step, you can initiate a simulation run that evaluates your settings. 评估运行中仅包含启用的策略。Only policies that are enabled are part of an evaluation run.

完成评估后,此工具将生成一份受影响策略的报表。When the evaluation has finished, the tool generates a report of the affected policies.

运行此工具Running the tool

可以在 Azure 门户中的“条件访问 - 策略”页上找到 What If 工具。You can find the What If tool on the Conditional Access - Policies page in the Azure portal.

若要启动此工具,请在策略列表顶部的工具栏中单击 What IfTo start the tool, in the toolbar on top of the list of policies, click What If.

Azure 门户中“条件访问 - 策略”页的屏幕截图。在工具栏中,突出显示了“What if”项。

必须先配置设置,才可以运行评估。Before you can run an evaluation, you must configure the settings.


本部分介绍有关模拟运行的设置的信息。This section provides you with information about the settings of simulation run.

Azure门户“What If”页的屏幕截图,其中包含用户、云应用、IP 地址、设备平台、客户端应用和登录风险的字段。


仅可选择一个用户。You can only select one user. 这是唯一的必填字段。This is the only required field.

云应用Cloud apps

此设置的默认值为“所有云应用”。The default for this setting is All cloud apps. 默认设置执行对环境中所有可用策略的评估。The default setting performs an evaluation of all available policies in your environment. 可以将范围缩小到影响特定云应用的策略。You can narrow down the scope to policies affecting specific cloud apps.

IP 地址IP address

IP 地址为单个 IPv4 地址,用于模拟位置条件The IP address is a single IPv4 address to mimic the location condition. 地址表示用户用于登录的设备的面向 Internet 的地址。The address represents Internet facing address of the device used by your user to sign in. 可以通过导航到 What is my IP address(我的 IP 地址是什么)等来验证设备的 IP 地址。You can verify the IP address of a device by, for example, navigating to What is my IP address.

设备平台Device platforms

此设置模拟设备平台条件及表示所有平台(包括不受支持的平台)的等效项。This setting mimics the device platforms condition and represents the equivalent of All platforms (including unsupported).

客户端应用Client apps

此设置模拟客户端应用条件This setting mimics the client apps condition. 默认情况下,此设置会导致对同时选中“浏览器”和“移动应用和桌面客户端”或其中之一的所有策略进行评估。By default, this setting causes an evaluation of all policies having Browser or Mobile apps and desktop clients either individually or both selected. 此外,此设置还检测强制实施“Exchange ActiveSync (EAS)”的策略。It also detects policies that enforce Exchange ActiveSync (EAS). 可以通过选择以下内容缩小此设置的范围:You can narrow this setting down by selecting:

  • 浏览器:评估至少选择了“浏览器”的所有策略。Browser to evaluate all policies having at least Browser selected.
  • 移动应用和桌面客户端:评估至少选择了“移动应用和桌面客户端”的所有策略。Mobile apps and desktop clients to evaluate all policies having at least Mobile apps and desktop clients selected.

登录风险Sign-in risk

此设置模拟登录风险条件This setting mimics the sign-in risk condition.


通过单击 What If 启动评估。You start an evaluation by clicking What If. 评估结果提供包含以下内容的报表:The evaluation result provides you with a report that consists of:


  • 一个指示器,指示环境中是否存在经典策略An indicator whether classic policies exist in your environment
  • 应用于用户的策略Policies that apply to your user
  • 不应用于用户的策略Policies that don't apply to your user

如果对于所选云应用,存在经典策略,则显示一个指示器。If classic policies exist for the selected cloud apps, an indicator is presented to you. 通过单击该指示器,系统会重定向到经典策略页。By clicking the indicator, you are redirected to the classic policies page. 在经典策略页上,可以迁移经典策略或仅禁用该策略。On the classic policies page, you can migrate a classic policy or just disable it. 可以通过关闭此页返回到评估结果。You can return to your evaluation result by closing this page.

在应用于所选用户的策略列表中,还可以找到用户必须满足的授权控制会话控制列表。On the list of policies that apply to your selected user, you can also find a list of grant controls and session controls your user must satisfy.

在不应用于用户的策略列表中,还可以找到不应用这些策略的原因。On the list of policies that don't apply to your user, you can and also find the reasons why these policies don't apply. 对于列出的每条策略,所列原因表示不满足的首要条件。For each listed policy, the reason represents the first condition that was not satisfied. 不应用策略的可能原因是策略被禁用,因为未经过进一步评估。A possible reason for a policy that is not applied is a disabled policy because they are not further evaluated.

后续步骤Next steps