Conditional Access Realism: Testing Real Sign-Ins to Understand Policy Gaps

Source: DEV Community
Your Conditional Access policy blocked risky logins last week. Working as designed. But can you answer these questions? Are your executives' travel logins being monitored? Can you detect 10 failed password attempts in 2 minutes? What happens when excluded users authenticate from unusual locations?

Conditional Access makes point-in-time decisions: Allow or Block. Binary. Conditional Access policies themselves do not aggregate events over time or detect patterns. While Entra ID provides risk detections (e.g., via Identity Protection), these are separate systems and not configurable at the CA policy level. A Conditional Access policy can't tell you if a user failed authentication 10 times in 2 minutes. It can't flag unusual behavior from users excluded from your policies.

We built a synthetic login-generator to simulate real-world authentication patterns. The generator intentionally models probabilistic attack behavior and temporal variance to mimic real-world authentication noise rather than uniform test traffic.
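
The two checks the article says a Conditional Access policy cannot perform, as an added example (not code from the original article or its login generator): a sliding-window count of failed sign-ins per user, and a check on excluded users signing in from unusual countries. The record fields, account names and country baseline are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def failed_bursts(events, threshold=10, window=timedelta(minutes=2)):
    """Return {user: time the threshold was first reached} for failure bursts."""
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["success"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(ev["user"], ev["time"])
    return alerts

def excluded_user_anomalies(events, excluded, baseline):
    """Successful sign-ins by policy-excluded users from outside their usual countries."""
    return [ev for ev in events
            if ev["success"] and ev["user"] in excluded
            and ev["country"] not in baseline.get(ev["user"], set())]

def sample_events():
    """Constructed sample records (hypothetical fields), not real sign-in logs."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    def ev(user, offset, success, country):
        return {"user": user, "time": t0 + offset, "success": success, "country": country}
    # alice: 10 failures, 10 seconds apart -> burst inside 2 minutes
    events = [ev("alice@example.com", timedelta(seconds=10 * i), False, "US") for i in range(10)]
    # bob: 10 failures, 5 minutes apart -> same count, no burst
    events += [ev("bob@example.com", timedelta(minutes=5 * i), False, "US") for i in range(10)]
    # exec is excluded from the policy; one sign-in comes from an unusual country
    events.append(ev("exec@example.com", timedelta(minutes=3), True, "BR"))
    events.append(ev("exec@example.com", timedelta(minutes=30), True, "US"))
    return events

if __name__ == "__main__":
    events = sample_events()
    for user, when in failed_bursts(events).items():
        print(f"ALERT burst: {user} reached 10 failures in 2 minutes at {when}")
    hits = excluded_user_anomalies(events, {"exec@example.com"}, {"exec@example.com": {"US"}})
    for hit in hits:
        print(f"ALERT excluded user: {hit['user']} signed in from {hit['country']}")
```

Both sample users with failures have the same total count; only the time window separates the burst from background noise, which is the aggregation a per-sign-in Allow or Block decision does not make.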