I'm digging the "What If" tool in Azure Conditional Access component. The idea is simple: as you're building policies, you can throw various scenarios at the policy engine to understand what the heck it'll do.

This gives admins the opportunity to observe effects and perhaps test variations of authentication use cases that would otherwise be complicated or difficult to test. Of course, this isn't a replacement for traditional (dare I say "sensible") steps like controlled introductions, minimizing the sheer number of conditional access policies, and proper auditing. Still though, it's nice to have something baked into the admin console itself. Nice!