Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Hello, is anyone able to help me make some progress on this?
Entra Conditional Access Policy not applied to admin.cloud.microsoft
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 63%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
John Percival
0
Reputation points
You can use https://admin.cloud.microsoft/ or https://admin.microsoft.com/ to access the Microsoft 365 Admin Portal.
I have a conditional access policy applied to Microsoft Admin Portals (and also Microsoft 365 Admin portal)
This policy specifies a sign-in frequency of ever 6 hours.
All users are included.
It is applied successfully on https://admin.microsoft.com/
It is not applied on https://admin.cloud.microsoft/
I don't think I have misconfigured anything, so I am beginning to wonder if this is a (fairly serious) problem with MS CA policy coverage.
Edit 20 Aug 2025: here are the sign in logs:
When I access via admin.cloud.microsoft, the sign-in log shows success, CA not applied, and:
- Application: Office365 Shell WCSS-Client
- Application ID: 89bee1f7-5e6e-4d8a-9f3d-ecd601259da7
- Resource: Microsoft Graph
- Resource ID: 00000003-0000-0000-c000-000000000000
When I access via admin.microsoft.com, the sign-in log shows failure, CA applied successfully, and:
- Application: Microsoft Office 365 Portal
- Application ID: 00000006-0000-0ff1-ce00-000000000000
- Resource: Windows Azure Active Directory
- Resource ID: 00000002-0000-0000-c000-000000000000
- Sign-in error code: 70044
- Failure reason: The session has expired or is invalid due to sign-in frequency checks by conditional access.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
3 answers
Sort by: Most helpful
-
Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator2025-08-19T16:58:44.8+00:00 The issue is the target resource which is graph and not the portal itself. CA Policies target the service, not the ap requesting it, the way to ensure its requiring MFA is to require MFA for all resources:
Note that Microsoft is also enforcing MFA on portals as well:
-
John Percival 0 Reputation points
2025-08-20T06:16:19.4533333+00:00 Thanks Andy for offering a response.
The CA policy that is causing problems is a session-length policy, which we want to apply to all the admin portals, so we have selected "Microsoft Admin Portals".
The issue is that admin.cloud.microsoft is displaying different behaviour to admin.microsoft.com despite both displaying the same page, allowing the same actions (such as giving someone a new admin role) and both being "Microsoft Admin Portals".
I am becoming increasingly concerned that admin.cloud.microsoft is not being included as one of the URLs for "Microsoft Admin Portals" for whatever reason, and so is not covered by the CA policy.
I just can't seem to get through to the right department in Microsoft to raise what looks increasingly to me to be a serious security issue.
Are you able to replicate this issue? Would you like me to do a video call to show you? Can you help me connect to someone in Microsoft who can address this? Thanks so much
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 35%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
vallepu aravind 75 Reputation points2025-08-19T15:39:45.39+00:00 I hope you have checked the audit logs for that account, please check your can get better idea,is it bypass the conditional access or not ,if your configuration correct and both url navigate to admin center only , please check in different browser.thanks
-
John Percival 0 Reputation points
2025-08-19T15:55:02.0166667+00:00 Thanks, I have tried on Windows PC and Android device. Same behaviour in both, as described above.
I have added the sign-in logs to the OP.
Any suggestions as to why it is not being applied to admin.cloud.microsoft?
Sign in to comment -