# Conditional Access

Conditional Access policies at their simplest are if-then statements; **if** a user wants to access a resource, **then** they must complete an action. For example: If a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FbVh8KNpP9JeYVnwSiDiR%2Fconditional-access-signal-decision-enforcement.png?alt=media&#x26;token=b70bb244-dfd6-4a65-9ed8-6796a4fcd935" alt=""><figcaption></figcaption></figure>

## Finding flaws

Conditional Access management is hard to get right. Since Microsoft started enforcing mandatory MFA (rolled out through 2025), many tenants have added exceptions to their Conditional Access policies: excluded users and groups, excluded applications, excluded platforms, and trusted locations. Every exclusion is a path an attacker can try to match so that the policy no longer applies and access is granted without the intended control. Some conditions are also evaluated from signals the client controls: the device platform condition is derived from the `User-Agent` header, and a country-based location condition can be satisfied by connecting through a VPN exit in an allowed country.

{% hint style="warning" %}
A big problem for the attacker is that, from the outside, you never learn **why** a sign-in was refused. The error only states that access was blocked by Conditional Access (for example `AADSTS53003`), not which policy matched or which condition you failed, so finding a gap is trial and error across users, applications, platforms and locations.
{% endhint %}

### Access tokens

Conditional Access is evaluated when a token is issued, not when an access token is used. Once you hold a valid access token (stolen from a device, a process dump, or a phishing proxy), presenting it to the resource does not trigger a new authentication, so the policy is not evaluated again until the token expires (about an hour by default). A refresh-token redemption, on the other hand, does go through the sign-in flow and is subject to Conditional Access. The exception to keep in mind is [CAE ](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation)(Continuous Access Evaluation): for CAE-capable resources such as Exchange Online, SharePoint Online, Teams and Microsoft Graph, the resource can reject a token early on critical events like the user being disabled, a password change, or the request arriving from an IP address outside the tenant's named locations.
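To decide what a captured token is still good for, it helps to read what Conditional Access already decided at issuance. The following Python, added here as an illustration and not taken from any tool or from the original page, decodes the payload of a JWT without verifying the signature and reports expiry, the authentication methods recorded in `amr` (which includes `mfa` when MFA was completed), the issuing IP and device, and whether the client declared CAE capability via `xms_cc`. The token and claim values are constructed samples; the signature segment is a placeholder, since an Entra access token would carry a real RS256 signature.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Inspection only: a resource server must still validate signature, audience
    and expiry before trusting any of these values."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def token_summary(token, now=None):
    """Summarise what Conditional Access decided at issuance and how long that
    decision stays valid. Claim names (exp, amr, ipaddr, deviceid, xms_cc) are
    the ones Entra ID uses in v1 access tokens."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    exp = int(claims.get("exp", 0))
    amr = claims.get("amr") or []
    return {
        "audience": claims.get("aud"),
        "user": claims.get("upn") or claims.get("unique_name") or claims.get("oid"),
        "seconds_left": exp - now,               # CA is not re-evaluated before this reaches 0
        "expired": now >= exp,
        "mfa_satisfied": "mfa" in amr,          # 'amr' lists the methods used at sign-in
        "auth_methods": list(amr),
        "issued_from_ip": claims.get("ipaddr"),
        "device_id": claims.get("deviceid"),     # only present for registered/joined devices
        "cae_capable_client": "cp1" in (claims.get("xms_cc") or []),
    }


def build_unsigned_sample(claims):
    """Constructed sample token for offline use: the third segment is a
    placeholder instead of an RS256 signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return f"{enc(header)}.{enc(claims)}.placeholder"


# Constructed claims modelled on an Entra v1 access token for Microsoft Graph.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
    "upn": "alice@contoso.example",
    "amr": ["pwd"],                   # password only: no MFA was performed at sign-in
    "ipaddr": "203.0.113.10",
    "scp": "User.Read Mail.Read",
}
SAMPLE_TOKEN = build_unsigned_sample(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(token_summary(SAMPLE_TOKEN, now=1700001800), indent=2))
```

Run it against a real token by replacing `SAMPLE_TOKEN`; `seconds_left` tells you how long the policy decision baked into the token remains in force, and an `amr` without `mfa` on a token for an application that should require MFA is itself evidence of a policy gap.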

### Device platforms

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FNWzVNOnqRKTYpz1MPzyA%2Fimage.png?alt=media&#x26;token=ae827913-6bb0-4b88-b6df-4cfbd7b49808" alt=""><figcaption></figcaption></figure>

The device platform condition is derived from the `User-Agent` header, which the client fully controls, so it is only as strong as the set of platforms the policy excludes. Check whether a platform is excluded by repeating the sign-in with a modified `User-Agent` (for example one identifying as a different operating system) and seeing whether the login succeeds where it previously failed.

### Location

Named locations can be defined by country (GeoIP-based) or by IP range (<https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network>). Very often the company's public WAN address(es) are configured as a trusted location and excluded from the MFA policy. So if you manage to compromise a system inside that internal network, or an application whose outbound IP falls in the trusted range (for example an Azure-hosted workload, possibly one with a `managed identity`), try to authenticate through that system or application so the sign-in originates from the trusted location. For country-based locations, a VPN exit in an allowed country is usually enough.

### Get conditional access policies

```
roadrecon plugin policies
```

Run this after `roadrecon gather`; it writes all Conditional Access policies, including their include/exclude conditions and grant controls, to an HTML file (`caps.html` by default). Read through every exclusion: excluded users and groups, excluded applications, excluded platforms and trusted locations are the gaps to test.
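Reading exclusions by hand is error-prone once a tenant has more than a handful of policies. The following Python is an added example (not part of roadrecon or of the original page): a deliberately simplified evaluator over policies in the Microsoft Graph `conditionalAccessPolicy` schema (the shape returned by `GET /identity/conditionalAccess/policies`) that enumerates every platform and location combination and lists the ones where a sign-in is neither blocked nor forced through MFA. It ties together the device platform and location sections above: `platform_from_user_agent` mirrors, in simplified form, how the platform is read from the client-supplied `User-Agent`, and the constructed sample policy excludes Linux and the office WAN. The policies, GUIDs and user are constructed; real evaluation also considers sign-in risk, client app types, device filters and authentication strengths, which this example ignores.

```python
import itertools

# Platform values used by the Graph conditionalAccessPolicy schema.
PLATFORMS = ["android", "iOS", "windows", "macOS", "linux"]

# Constructed sample export; the GUIDs are placeholders, not real tenant objects.
OFFICE_LOCATION = "11111111-1111-1111-1111-111111111111"   # named location: company WAN IPs
BREAKGLASS_GROUP = "22222222-2222-2222-2222-222222222222"
MS_GRAPH_APP = "00000003-0000-0000-c000-000000000000"       # well-known Microsoft Graph app id

SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeGroups": [], "excludeGroups": [BREAKGLASS_GROUP]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["linux"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [OFFICE_LOCATION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Report-only policies are logged but never enforced.
        "displayName": "Block Linux sign-ins (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeGroups": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "platforms": {"includePlatforms": ["linux"], "excludePlatforms": []},
            "locations": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def platform_from_user_agent(ua):
    """Simplified stand-in for platform detection: the platform comes purely from
    the client-supplied User-Agent. Android UAs also contain 'Linux', so it is
    tested first."""
    ua = ua.lower()
    for needle, platform in (("android", "android"), ("iphone", "iOS"), ("ipad", "iOS"),
                             ("windows", "windows"), ("macintosh", "macOS"), ("linux", "linux")):
        if needle in ua:
            return platform
    return None


def policy_applies(policy, ctx, trusted_locations=frozenset()):
    """True if an enforced policy's conditions match the sign-in context.
    ctx keys: user, groups, app, platform, location (named-location id or None)."""
    if policy["state"] != "enabled":
        return False
    c = policy["conditions"]
    u, a = c["users"], c["applications"]
    groups = set(ctx["groups"])
    if ctx["user"] in u["excludeUsers"] or groups & set(u["excludeGroups"]):
        return False
    if not ("All" in u["includeUsers"] or ctx["user"] in u["includeUsers"]
            or groups & set(u["includeGroups"])):
        return False
    if ctx["app"] in a["excludeApplications"]:
        return False
    if not ("All" in a["includeApplications"] or ctx["app"] in a["includeApplications"]):
        return False
    p = c.get("platforms")
    if p:   # a null platform condition matches every platform
        if ctx["platform"] in p["excludePlatforms"]:
            return False
        if not ("all" in p["includePlatforms"] or ctx["platform"] in p["includePlatforms"]):
            return False
    loc_cond = c.get("locations")
    if loc_cond:
        loc, trusted = ctx["location"], ctx["location"] in trusted_locations
        if loc in loc_cond["excludeLocations"] or (trusted and "AllTrusted" in loc_cond["excludeLocations"]):
            return False
        if not ("All" in loc_cond["includeLocations"] or loc in loc_cond["includeLocations"]
                or (trusted and "AllTrusted" in loc_cond["includeLocations"])):
            return False
    return True


def required_controls(policies, ctx, trusted_locations=frozenset()):
    """Union of grant controls from every enforced policy that matches ctx."""
    controls = set()
    for pol in policies:
        if policy_applies(pol, ctx, trusted_locations):
            controls.update((pol.get("grantControls") or {}).get("builtInControls") or [])
    return controls


def find_mfa_gaps(policies, base_ctx, locations, trusted_locations=frozenset()):
    """Enumerate platform x location and return the combinations where the
    sign-in is neither blocked nor forced through MFA."""
    gaps = []
    for platform, location in itertools.product(PLATFORMS, locations):
        ctx = dict(base_ctx, platform=platform, location=location)
        controls = required_controls(policies, ctx, trusted_locations)
        if "mfa" not in controls and "block" not in controls:
            gaps.append((platform, location))
    return gaps


if __name__ == "__main__":
    victim = {"user": "alice@contoso.example", "groups": [], "app": MS_GRAPH_APP}
    for platform, location in find_mfa_gaps(SAMPLE_POLICIES, victim, [None, OFFICE_LOCATION], {OFFICE_LOCATION}):
        print(f"no MFA required: platform={platform} location={location or 'outside named locations'}")
```

With the sample policy the output shows six gaps: every platform from the office location, plus Linux from anywhere, which is exactly what an attacker would reach by spoofing a Linux `User-Agent` or by authenticating through a host inside the trusted range. Feed it the policies from your own export (roadrecon's database or a Graph call) and the user's group memberships, and extend `locations` with each named-location id to see the full matrix.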
