Entra Conditional Access Issues

Aniket Kuiri 0 Reputation points
2026-02-12T13:02:39.23+00:00

Subject: Outlook Add-in authentication failure triggered by Entra CAE "LocationConditionEvaluationSatisfied" challenge.

We are seeking guidance on a recurring authentication issue within our Outlook Add-in. Several customers have reported login failures specifically when the Microsoft-standard Conditional Access policy "Multifactor authentication and reauthentication for risky sign-ins" is enabled.

Error Details: Users receive a 401 Unauthorized response with the following CAE challenge: {"code":"InvalidAuthenticationToken","message":"Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied"}

Key Observations:

Inconsistency: The error affects only a subset of users within an organization, rather than the entire tenant.

Policy Persistence: Customers report that adding affected users to the policy’s Exclusion Group does not resolve the error; the challenge continues to trigger even after exclusion.

Could you provide insight into why this specific location challenge is triggered for an Outlook Add-in and why policy exclusions are failing to mitigate the issue?

Azure Policy

1 answer

  1. Jose Benjamin Solis Nolasco 8,076 Reputation points Volunteer Moderator
    2026-02-12T13:49:51.0133333+00:00

    Welcome to Microsoft Q&A

    Hello Aniket Kuiri, I hope you are doing well,

    This is a very specific issue related to Continuous Access Evaluation (CAE).

    Even though you excluded the user from the policy, their Outlook (and your Add-in) is likely holding onto an "old" access ticket.

    LocationConditionEvaluationSatisfied means Exchange Online thinks the user moved to a "bad" IP address or location that violates a strict security rule, and it is rejecting the token immediately.

    To prove this is a CAE caching issue vs. a policy misconfiguration:

    • Revoke the user's refresh tokens (via PowerShell: Revoke-MgUserSignInSession).
    • Clear the browser/Outlook cache completely.
    • Retest. If the exclusion works after a full revocation, the issue is your Add-in not handling the CAE challenge response to "upgrade" the token session dynamically.

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
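
An added example, not part of the answer above and not Microsoft's code: one way an add-in can recognise a CAE claims challenge on a 401 and carry the claims into a fresh token request. It assumes the resource returns the challenge in a `WWW-Authenticate: Bearer` header with `error="insufficient_claims"` and a base64-encoded `claims` parameter; the function names and the sample header are constructed for illustration.

```javascript
// Hypothetical helper names; sample values below are constructed, not from a real tenant.

// Split a WWW-Authenticate value into its key="value" parameters.
function parseAuthParams(header) {
  const params = {};
  const re = /([A-Za-z_]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) params[m[1].toLowerCase()] = m[2];
  return params;
}

// Return the decoded claims JSON string, or null if this is not a claims challenge.
function parseClaimsChallenge(header) {
  if (!header || !/^Bearer\b/i.test(header.trim())) return null;
  const p = parseAuthParams(header);
  if (p.error !== "insufficient_claims" || !p.claims) return null;
  const b64 = p.claims.replace(/-/g, "+").replace(/_/g, "/"); // tolerate base64url
  try {
    const json = typeof atob === "function"
      ? atob(b64)
      : Buffer.from(b64, "base64").toString("utf8");
    JSON.parse(json); // reject anything that is not well-formed JSON
    return json;
  } catch (e) {
    return null;
  }
}

// Decide what to do with a failed resource call.
function caeRetryPlan(status, wwwAuthenticate) {
  if (status !== 401) return { action: "no_challenge" };
  const claims = parseClaimsChallenge(wwwAuthenticate);
  // With claims: do not replay the cached token. Request a new one and pass
  // `claims` through to the token request so the user can be re-evaluated.
  return claims ? { action: "reauthenticate", claims } : { action: "no_challenge" };
}

// Constructed sample challenge header.
const SAMPLE_CLAIMS = '{"access_token":{"nbf":{"essential":true,"value":"1700000000"}}}';
const SAMPLE_HEADER = 'Bearer realm="", error="insufficient_claims", claims="' +
  (typeof btoa === "function"
    ? btoa(SAMPLE_CLAIMS)
    : Buffer.from(SAMPLE_CLAIMS).toString("base64")) + '"';
```

The `claims` string returned by `caeRetryPlan` is what goes into the `claims` field of the token request in the add-in's auth library.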
