The Entra ID (formerly Azure Active Directory) Conditional Access “What If” tool is essential for troubleshooting and validating policy impacts—especially when onboarding or supporting CoreView service accounts and management users.
Why use the “What if” tool?
By leveraging the “What If” tool, you can quickly identify which Conditional Access policies block access to CoreView service accounts:
coreview.reports<randomicnumber>@<onmicrosoft domain>or to our management user:
4ward365.admin@<onmicrosoft domain>You will find the What If tool on the “Policies” page in the Microsoft Entra admin center.
How to use the What If tool:
Step 1: open the What If tool
Navigate to Microsoft Entra admin center > Policies and click “What If” in the top menu.
Step 2: choose the User
In the “Identity” section, select the CoreView service or management account you need to test (e.g., coreview.reports<randomicnumber>@<onmicrosoft domain>).
Step 3: specify the Target Application
- Select the user actions or the Cloud apps your service account will access.
- For Cloud apps, click the “+ Select cloud app” button and choose the desired app from the list.
Step 4: choose the Platform and Client app
- Select the device platform and client app matching how your service account connects.
You can obtain information about the “Sign-in conditions” by navigating to the Sign-in events page in the Microsoft Entra admin center. Review the sign-in details for your management user to find the information needed for the required fields.
Step 5: Set IP Address and Location
- IP Address: enter the IP address associated with the CoreView data center being accessed (please refer to the list below).
- Location: choose the corresponding location.
| For the… | Choose… | IP addresses |
|---|---|---|
| Europe Data center | Ireland | Azure CCC (EU) |
| USA Data center | Virginia | Azure CCC (US East) |
| Canadian Data Center | Quebec City | Azure CCC (Canada East) |
| GOV Data center | Virginia | Azure CCC (US East) |
| Australian Data center | New South Wales | Azure AUS (Australia) |
List of IP addresses
Data centers and IPs
If you need the list of CoreView's data centers and related IPs, we can provide you with a detailed table.
You can request the table from your designated Technical Account Manager or by contacting support.
Step 6: Run the simulation
Click “What if” at the bottom to simulate a login attempt with your chosen options.
Understanding the Evaluation Results
The “What If” tool will display Conditional Access policies in two categories:
- Policies that will apply: these policies will be evaluated and enforced under your selected conditions.
- Policies that will not apply: these that will not affect the login scenario—commonly shown if the account is excluded, or if conditions (such as MFA requirements) do not match the simulation.
Key scenarios:
- Testing from IPs outside CoreView: expect relevant Conditional Access policies to apply, such as those blocking non-allowed network locations.
- Testing from CoreView data center IPs: CoreView’s own policies may not apply, or be shown as “will not apply.”
Best practice
Customer policies mandating MFA or requiring compliant device should not apply to CoreView service accounts—these accounts should always be excluded from such restrictions.
Account sign-in still failing: additional troubleshooting
If your CoreView service or management account is being blocked—even when the “What If” tool does not display any applicable Conditional Access policies—further investigation is needed. This can happen when a policy applies under actual sign-in conditions that are not fully replicated by the simulation. To identify which policy is responsible and resolve the issue, use the following steps:
Step 1: Find sign-ins error code
- Navigate to “Conditional Access > Sign-ins logs” in the Microsoft Entra admin center.
- Add the “Sign-in error code” column for additional visibility.
Step 2: Check sign-in details
- Find the first failed sign-in attempt for your CoreView account
- Click on row to open the “Activity details: Sign-ins" modal
- Navigate to the “Conditional Access” tab
Step 3: Find the Conditional Access policy name
- Under “Policy Name” you will see the name of the Conditional Access policy that blocked access.
- Click on it to review its details and configuration.
Step 4: Exclude CoreView from this Conditional Access Policy
- Navigate to “Policies” on the left-panel menu. Locate the Conditional Access policy you found in the Sign-in details report.
- Select it to open details and exclude your CoreView read-only/service accounts from this Conditional Access policy.
- Repeat this check for all relevant failed sign-ins to ensure that CoreView accounts are excluded from all policies that could block access.
Need further assistance?
Consult Microsoft documentation or contact your CoreView representative for additional support.