Control 2.3: Conditional Access Policies for Copilot Workloads — Verification & Testing

Test cases and evidence collection for validating Conditional Access policies for Copilot.

Test Cases

Test 1: App ID Accuracy Verification

  • Objective: Confirm all CA policies targeting Copilot reference the correct Enterprise Copilot Platform App ID
  • Steps:
      • Run Script 1 (Copilot App ID Audit) from the PowerShell playbook
      • Review the output for any policy referencing an incorrect Copilot app ID
      • Confirm no policies use the wrong app ID segment (7ef4-4c2f is incorrect; 7ef8-4ec0 is correct)
      • Verify the correct ID fb8d773d-7ef8-4ec0-a117-179f88add510 appears in all Copilot-targeting policies
  • Expected Result: All Copilot CA policies reference only the correct app ID
  • Evidence: PowerShell output showing the correct app ID across all policies

Test 2: March 2026 Enforcement Readiness Check

  • Objective: Verify CA policies are compliant with the March 27, 2026 enforcement change
  • Steps:
      • Run Script 1 to identify "All resources" policies with exclusions
      • For each identified policy, deploy in report-only mode to assess enforcement impact
      • Review the report-only results for unexpected user impact
      • Confirm the remediation plan is documented
  • Expected Result: No active "All resources + Copilot exclusion" policies at the enforcement date
  • Evidence: Report-only evaluation logs; remediation documentation with completion date
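The following script is an added example for Tests 1 and 2; it is not the playbook's Script 1. It enumerates every Conditional Access policy through Microsoft Graph PowerShell and flags policies that carry the incorrect app ID segment, policies that target "All resources" while excluding the correct Copilot app ID (the bypass path the March 2026 change closes), and policies that target Copilot correctly. It assumes the Microsoft.Graph.Identity.SignIns module is installed, the signed-in account holds Policy.Read.All, and the CSV output path is a location of your choosing.

```powershell
# Added example, not the playbook's own Script 1: audit CA policies for Copilot app ID problems.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the account has Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All'

$CorrectCopilotAppId = 'fb8d773d-7ef8-4ec0-a117-179f88add510'   # Enterprise Copilot Platform, from the control text
$WrongSegment        = '7ef4-4c2f'                               # incorrect segment called out in Test 1

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $apps    = $p.Conditions.Applications
    $include = @($apps.IncludeApplications)
    $exclude = @($apps.ExcludeApplications)

    # Test 1: any include or exclude entry carrying the wrong segment
    if (($include + $exclude) | Where-Object { $_ -like "*$WrongSegment*" }) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Finding = 'WrongCopilotAppId' }
    }

    # Test 2: "All resources" scope with Copilot carved out by exclusion (the bypass path)
    if ($include -contains 'All' -and $exclude -contains $CorrectCopilotAppId) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Finding = 'AllResourcesWithCopilotExclusion' }
    }

    # Positive confirmation for the evidence file: policy explicitly targets the correct ID
    if ($include -contains $CorrectCopilotAppId) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Finding = 'TargetsCopilotCorrectly' }
    }
}

# State shows whether a flagged policy is enabled, disabled or enabledForReportingButNotEnforced,
# which is what Test 2's report-only step needs to see.
$findings | Sort-Object Finding, Policy | Format-Table -AutoSize
$findings | Export-Csv -Path .\copilot-ca-app-id-audit.csv -NoTypeInformation   # assumed output path
```

A policy that appears under both WrongCopilotAppId and AllResourcesWithCopilotExclusion is listed twice so each finding can be tracked separately in the remediation plan.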

Test 3: Compliant Device Access Verification

  • Objective: Confirm Copilot is accessible from compliant managed devices
  • Steps:
      • Sign in from a compliant, Intune-managed device
      • Access a Copilot-enabled Office application
      • Verify Copilot is fully functional
      • Check that the sign-in log confirms device compliance was evaluated
  • Expected Result: Full Copilot access from a compliant device with the compliance check logged
  • Evidence: Sign-in log showing compliant device access

Test 4: Non-Compliant Device Block Verification

  • Objective: Confirm Copilot access is blocked from non-compliant or unmanaged devices
  • Steps:
      • Attempt to access a Copilot-enabled application from an unmanaged device
      • Verify the Conditional Access policy blocks access or requires additional steps
      • Confirm the appropriate error message is displayed
      • Verify the blocked access attempt is logged
  • Expected Result: Access blocked with the appropriate error message displayed
  • Evidence: Screenshot of the access denial and sign-in log showing the block reason

Test 5: MFA Enforcement

  • Objective: Verify MFA is required for all Copilot access
  • Steps:
      • Clear all MFA tokens for a test user
      • Attempt to access Copilot from a compliant device
      • Verify the MFA prompt appears
      • Complete MFA and verify Copilot access is granted
  • Expected Result: MFA is required and enforced before Copilot access
  • Evidence: Sign-in log showing the MFA requirement and its satisfaction

Test 6: Session Control Enforcement

  • Objective: Verify session timeout and re-authentication requirements
  • Steps:
      • Sign in and access Copilot
      • Wait for the configured session timeout period (or simulate expiry)
      • Verify re-authentication is prompted
      • Confirm session controls are logged correctly
  • Expected Result: Session timeout enforces re-authentication as configured
  • Evidence: Sign-in logs showing session control enforcement
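Tests 3 through 6 all draw their evidence from the sign-in log. The script below is an added example (not part of this control or the playbook) that pulls recent sign-ins to the Copilot app through Microsoft Graph and flattens, per sign-in, the fields each test needs: device compliance and management state (Tests 3 and 4), the authentication requirement (Test 5), the policies that granted or blocked access, and any enforced session controls (Test 6). It assumes the Microsoft.Graph.Reports module is installed, the account holds AuditLog.Read.All, and the CSV path is an assumed location.

```powershell
# Added example, not the playbook's code: collect sign-in evidence for Copilot (Tests 3-6).
# Assumes Microsoft.Graph.Reports is installed and the account has AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

$CopilotAppId = 'fb8d773d-7ef8-4ec0-a117-179f88add510'   # Enterprise Copilot Platform, from the control text

# Only sign-ins to the Copilot app; -Top keeps the evidence sample to a reviewable size
$signIns = Get-MgAuditLogSignIn -Filter "appId eq '$CopilotAppId'" -Top 200

$evidence = foreach ($s in $signIns) {
    $applied = @($s.AppliedConditionalAccessPolicies)
    [pscustomobject]@{
        Time             = $s.CreatedDateTime
        User             = $s.UserPrincipalName
        CAStatus         = $s.ConditionalAccessStatus              # success / failure / notApplied
        DeviceCompliant  = $s.DeviceDetail.IsCompliant              # Test 3 expects $true, Test 4 $false
        DeviceManaged    = $s.DeviceDetail.IsManaged
        AuthRequirement  = $s.AuthenticationRequirement             # Test 5 expects multiFactorAuthentication
        ErrorCode        = $s.Status.ErrorCode                      # non-zero when the sign-in was interrupted or blocked
        PoliciesApplied  = ($applied | Where-Object Result -eq 'success' | ForEach-Object DisplayName) -join '; '
        PoliciesBlocking = ($applied | Where-Object Result -eq 'failure' | ForEach-Object DisplayName) -join '; '
        SessionControls  = ($applied | ForEach-Object { $_.EnforcedSessionControls }) -join '; '   # Test 6
    }
}

# Summary the tester can check before filing: how many sign-ins CA passed, failed or skipped
$evidence | Group-Object CAStatus | Select-Object Name, Count | Format-Table -AutoSize

# Gap check for Test 4: a non-compliant device that Conditional Access did not block
$evidence | Where-Object { $_.DeviceCompliant -eq $false -and $_.CAStatus -ne 'failure' } |
    Format-Table Time, User, CAStatus, PoliciesApplied -AutoSize

$evidence | Export-Csv -Path .\copilot-signin-evidence.csv -NoTypeInformation   # assumed output path
```

Sign-ins recorded while a policy was in report-only mode show their policy result as reportOnly* values rather than success or failure, so filter on those when gathering Test 2's report-only evidence from the same export.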

Test 7: Adaptive Protection Integration

  • Objective: Verify IRM Adaptive Protection triggers CA policy enforcement for at-risk users
  • Steps:
      • Confirm Adaptive Protection is enabled in Microsoft Purview IRM
      • Elevate a test user's IRM risk level (or observe a genuine risk event in the test environment)
      • Attempt Copilot access as the test user
      • Verify the CA policy responds to the elevated IRM risk level (block or step-up MFA)
      • Lower the risk level and verify access is restored according to policy
  • Expected Result: CA policy dynamically adjusts based on IRM risk signals
  • Evidence: IRM risk level change log; CA sign-in log showing policy enforcement for the at-risk user

Evidence Collection

| Evidence Item | Format | Storage Location | Retention |
|---|---|---|---|
| App ID audit output | Text/CSV | Compliance evidence repository | 7 years |
| March 2026 remediation documentation | PDF | Compliance evidence repository | 7 years |
| Conditional Access policy export | CSV/JSON | Compliance evidence repository | 7 years |
| Sign-in log samples | CSV | Compliance evidence repository | 7 years |
| Access denial test results | PDF with screenshots | Compliance evidence repository | 7 years |
| MFA enforcement verification | PDF | Compliance evidence repository | 7 years |
| Adaptive Protection integration test | PDF with screenshots | Compliance evidence repository | 7 years |

Compliance Mapping

| Regulation | Requirement | How This Control Supports It |
|---|---|---|
| NYDFS Part 500 §500.12 | MFA for external network access | The MFA requirement ensures Copilot access from outside the corporate network requires MFA; the March 2026 enforcement closes the "All resources + exclusion" bypass path |
| FFIEC Authentication Guidance | Strong authentication | The MFA requirement supports compliance with the authentication guidance |
| NIST SP 800-63 | Authentication assurance levels | Conditional Access helps meet assurance level requirements |
| SEC Regulation S-P | Access controls | Device and authentication controls support compliance with access control obligations |
| PCI DSS Req 8 | Identify and authenticate access | MFA and device compliance help meet authentication requirements |