# Conditional Access Policies

The `Conditional Access Policies` page lists the conditional access policies enumerated across the entire Azure environment. Each entry shows the `Display Name`, `State`, and `Created Date Time`.

<figure><img src="/files/KX0fc3gxJgN1JtDsvYVj" alt=""><figcaption><p>Conditional Access Policies</p></figcaption></figure>

## Conditional Access Policies Details

The Details page contains the `Exposure Point`, `Information`, `Includes`, and `Excludes` panes.

{% hint style="info" %}
You can analyze objects in the `Graph module` by clicking the `Visualize` button on the upper left side of the `Information Pane`.
{% endhint %}

<figure><img src="/files/W0s8E6kymFxpytkjWM0c" alt=""><figcaption><p>Conditional Access Policies Details</p></figcaption></figure>

## Details

The Details tab contains the following attributes of the conditional access policy object.

| Attribute                       | Description                                                                                                                                                                          |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Display Name**                | The name of the conditional access policy as shown in the Azure portal, typically describing the policy’s intent or function.                                                        |
| **State**                       | Indicates the current operational state of the policy. `Report-only` means the policy is being monitored but not enforced, allowing admins to evaluate its impact before activation. |
| **Policy Identifier**           | A unique identifier for the policy; this field is blank if not exposed or required for current configuration.                                                                        |
| **Object ID**                   | A globally unique identifier (GUID) assigned to the policy within Azure AD, used for managing the policy programmatically or via scripting.                                          |
| **Applies To All Users**        | Set to `True` when the policy targets all users in the tenant, with no specific inclusion filters.                                                                                   |
| **Is Organization Default**     | Indicates whether the policy is the default baseline for the organization. `False` means it's a custom policy.                                                                       |
| **Applies To All Applications** | When `True`, the policy applies to all cloud applications within the tenant.                                                                                                         |
| **Created Date**                | The date and time when the policy was originally created in the Azure AD tenant.                                                                                                     |
| **Exclude All Users**           | Set to `False` if no users are excluded from the policy scope.                                                                                                                       |
| **User Risk Levels**            | Defines which user risk levels (e.g., `Low`, `Medium`, `High`) trigger the policy. This is blank if not configured.                                                                  |
| **Exclude All Applications**    | Indicates whether all applications are excluded from the policy. `False` means the policy applies to at least some applications.                                                     |
| **Sign In Risk Levels**         | Specifies which sign-in risk levels, if any, activate the policy. This field is blank if risk-based conditions are not used.                                                         |
| **Built In Controls**           | The built-in enforcement control(s) that the policy applies. In this case, the control is `block`, which prevents access when the policy conditions are met.                         |
| **Device States**               | If configured, this specifies particular device compliance states (e.g., compliant or domain-joined) that are evaluated. This is blank if not set.                                   |
| **Client App Types**            | Lists the types of client applications the policy applies to. `All` means the policy covers all app types, including browser, mobile, and desktop apps.                              |
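
When reviewing these attributes, the combinations that matter most are a policy that is not enforced and a policy that targets everyone but carries exclusions. The sketch below is an added example, not FSProtect code: it assumes policies shaped like the Microsoft Graph `conditionalAccessPolicy` resource, the mapping to the table's attribute names is an assumption, and `Excluded Objects` is a hypothetical helper field.

```python
# Added example, not FSProtect code. Field names follow the Microsoft Graph
# conditionalAccessPolicy resource; mapping them to the table is an assumption.
STATE_LABELS = {"enabled": "On", "disabled": "Off",
                "enabledForReportingButNotEnforced": "Report-only"}

# Constructed sample policies (names and GUIDs are made up).
SAMPLE_POLICIES = [
    {"id": "00000000-0000-0000-0000-000000000001",
     "displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": None},
         "applications": {"includeApplications": ["All"]},
         "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"id": "00000000-0000-0000-0000-000000000002",
     "displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"],
                   "excludeUsers": ["00000000-0000-0000-0000-000000000099"]},
         "applications": {"includeApplications": ["All"]},
         "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def summarize(policy):
    """Flatten one policy into the attribute names used in the table."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    # Graph may return null instead of an empty list, hence the "or []".
    excluded = [g for key in ("excludeUsers", "excludeGroups", "excludeRoles")
                for g in (users.get(key) or [])]
    return {
        "Display Name": policy.get("displayName", ""),
        "State": STATE_LABELS.get(policy.get("state"), "Unknown"),
        "Object ID": policy.get("id", ""),
        "Applies To All Users": "All" in (users.get("includeUsers") or []),
        "Applies To All Applications": "All" in (apps.get("includeApplications") or []),
        "Built In Controls": (policy.get("grantControls") or {}).get("builtInControls") or [],
        "Client App Types": cond.get("clientAppTypes") or [],
        "Excluded Objects": excluded,  # hypothetical field, not a table attribute
    }

def review_findings(policy):
    """Return review notes for settings that weaken or suspend enforcement."""
    s, notes = summarize(policy), []
    if s["State"] != "On":
        notes.append(f"not enforced (state: {s['State']})")
    if s["Applies To All Users"] and s["Excluded Objects"]:
        notes.append(f"targets all users but excludes {len(s['Excluded Objects'])} object(s)")
    return notes
```
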

## Includes

The Includes tab lists the objects that the conditional access policy includes. The list also contains `Guid` and `Type` columns to identify these objects.

<figure><img src="/files/UesRRMArnXCnLRan2dP8" alt=""><figcaption><p>Includes</p></figcaption></figure>

## Excludes

The Excludes tab lists the objects that the conditional access policy excludes. The list also contains `Guid` and `Type` columns to identify these objects.

<figure><img src="/files/BXprIca9mqxTXuHB2mgx" alt=""><figcaption><p>Excludes</p></figcaption></figure>


