Summary
Administrators occasionally encounter a confusing scenario in Microsoft Entra: a Conditional Access policy that previously appeared in the portal suddenly vanishes from the v1.0 endpoint, Microsoft Graph PowerShell and any tooling that uses the v1.0 Graph endpoing. No deletion event. No error message. No audit entry. The policy still evaluates during sign ins, and is visible in the Entra Admin UI.
This behaviour is not a bug. It is a direct consequence of using BETA only Conditional Access functionality.
This article explains why these policies disappear, what triggers the behaviour, and how to detect it using Microsoft Graph.
Why Conditional Access policies disappear
The Entra admin portal displays Conditional Access policies using both the v1.0 and BETA Microsoft Graph schema. This schema includes production supported features as well as BETA functionality.
If a conditional access policy contains even a single BETA (preview) feature or setting it means it cannot be serialized using the production endpoint.
When a conditional access policy cannot be serialized the entire policy will be completely invisible to the tooling. There is no way to know from the production endpoint that a BETA setting has been enabled.
Some conditional access policy settings that are still in Preview may not present as being Preview within the Enta portal such as "Require risk remeditation".
Why this behaviour matters
Hidden policies introduce several operational risks:
- Governance Gaps
Auditors and administrators cannot see the full Conditional Access estate when relying on production tooling or scripts that use the v1.0 Graph endpoint.
- Troubleshooting Blind Spots
Sign-ins may be blocked or allowed by a policy tooling and scripts cannot see.
- False Sense of Compliance
Teams may assume a policy was deleted or disabled.
- Duplicate or Conflicting Policies
Administrators may recreate a policy they believe is missing.
- Increased Lockout Risk
Preview features often interact with authentication strengths and device filters in unpredictable ways.
For organisations with strict security or regulatory requirements, this behaviour must be understood and monitored.
Detect policies that use BETA functionality using Microsoft Graph
The most reliable way to detect Conditional Access policies that use BETA (preview) functionality is to:
- Enumerate all policies using the BETA endpoint, and
- Enumerate all policies using the v1.0 production endpoint, then
- Identify policies that appear in BETA but not in v1.0.
Please see the Detect Entra Conditional Access Policies That Use BETA (Preview) Features Using PowerShell article for more information and a sample PowerShell script to automate this process.