General

Attic creates rules with various fixes in Conditional Access in report-only mode. The intention is for you to evaluate them and then switch them to blocking mode.

Rationale

Conditional Access can interfere with legitimate use. That’s why we’ve made Attic cautious when setting new rules. By first enabling the rules in report-only mode, it becomes clear what legitimate use WOULD be blocked by the rule. This gives the opportunity to make specific exceptions in the rule so as not to interfere with that legitimate use, and then switch the rule to blocking mode to activate its preventive effect.

Manual instruction

Follow these steps to adjust the setting:

1. Open the Entra admin center via https://entra.microsoft.com 
2. Open Conditional Access Policies
3. Select the policy you want to evaluate and click the "view impact" button. This will show you which users are affected by the policy.
4. If you are satisfied with the impact, proceed to step 6 
5. If you see an impact you find unacceptable, create exceptions in the policy. For example, by excluding the user or device in question.
6. Activate the policy by clicking the "enable" button.

More information

1. https://learn.microsoft.com/en-us/entra/id-governance/conditional-access-exclusion