Conditional Access Policy is not granting the access when the application is in Exclude list

Shanmugham, Sudha 21 Reputation points
2022-10-18T16:17:11.203+00:00

Hi,
In our Conditional Access policy, where the action is Block, we are trying to include "All Cloud Apps" in the Include list and the "Microsoft Azure Management" application in the Exclude list. When a user tries to access "Microsoft Azure Management", as per the logs, the Conditional Access policy first evaluates the Exclude list and grants access with a Success response, and then evaluates the Include list and blocks "Microsoft Azure Management". This is not expected, because this application is specifically given in the Exclude list.

Also, when we tried to test using What If, it gives the expected result, but when we tested the actual scenario it did not give the expected result.

Could you please share any inputs?

Microsoft Entra ID

Accepted answer
  1. Olga Os - MSFT 5,916 Reputation points Microsoft Employee
    2022-10-18T23:25:28.83+00:00

    Hello @Shanmugham, Sudha ,

    Welcome to the MS Q&A Forum.

    The Azure Active Directory (Azure AD) sign-ins log is a valuable source of information when troubleshooting why and how a Conditional Access policy was applied in your environment. The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access using the Azure AD sign-ins log.

    In some specific scenarios, users can be blocked because there are cloud apps with dependencies on other resources, and these resources are being blocked by a CA policy. The example below shows a user who was trying to sign in to Azure DevOps ("Application") and whose access was blocked by a CA policy.

    [image: 251782-image.png]

    This happened because an admin configured a CA policy that blocks access to all applications except the Azure DevOps app.

    Meanwhile, DevOps has a dependency on the Windows Azure Service Management API ("Resource"), and the CA policy was enforced while accessing it. An admin must also exclude the dependency app from the CA policy to allow access to Azure DevOps.

    The What If tool doesn't test for Conditional Access service dependencies. For example, if you're using What If to test a Conditional Access policy for Microsoft Teams, the result doesn't take into consideration any policy that would apply to Office 365 Exchange Online, a Conditional Access service dependency for Microsoft Teams.

    Hope the above answers your questions and concerns.

    --------------------------------------------------------

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    Sincerely,
    Olga Os

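The dependency effect described in the accepted answer (the policy is evaluated against the client application and again against the resource it calls, so an exclusion on the app alone is not enough) can be modelled in a few lines. The script below is an added example, not code from the original answer, from Microsoft, or from any Microsoft tool; the policy model is a simplification that only handles the Block grant control and app targeting, and the sign-in records are constructed here and only loosely follow the Microsoft Graph `signIn` field names (`appDisplayName`, `resourceDisplayName`, `appliedConditionalAccessPolicies`).

```python
from __future__ import annotations
from dataclasses import dataclass, field

ALL_CLOUD_APPS = "All cloud apps"  # the CA "All cloud apps" target


@dataclass
class BlockPolicy:
    """A Conditional Access policy whose grant control is Block (simplified model)."""
    name: str
    include: set[str]                               # {ALL_CLOUD_APPS} or named apps
    exclude: set[str] = field(default_factory=set)  # apps carved out of the block

    def applies_to(self, app: str) -> bool:
        """The policy targets the app if it is in scope via Include and not removed by Exclude."""
        in_scope = ALL_CLOUD_APPS in self.include or app in self.include
        return in_scope and app not in self.exclude


def evaluate_sign_in(policy: BlockPolicy, application: str, resource: str) -> tuple[str, str]:
    """Evaluate one sign-in the way the thread describes: the policy is checked
    against the client application and, separately, against the resource that
    application calls. A block on either side fails the sign-in."""
    for role, app in (("application", application), ("resource", resource)):
        if policy.applies_to(app):
            return "failure", f"blocked: policy '{policy.name}' applies to {role} '{app}'"
    return "success", "no block policy applied to the application or its resource"


# Constructed sign-in records (not real log data), loosely shaped like the
# Microsoft Graph signIn object: appDisplayName is the client, resourceDisplayName
# the API it called, and appliedConditionalAccessPolicies the per-policy results.
SAMPLE_SIGN_INS = [
    {"appDisplayName": "Azure DevOps", "resourceDisplayName": "Azure DevOps",
     "appliedConditionalAccessPolicies": [{"displayName": "Block all except DevOps", "result": "notApplied"}]},
    {"appDisplayName": "Azure DevOps", "resourceDisplayName": "Windows Azure Service Management API",
     "appliedConditionalAccessPolicies": [{"displayName": "Block all except DevOps", "result": "failure"}]},
    {"appDisplayName": "Outlook", "resourceDisplayName": "Office 365 Exchange Online",
     "appliedConditionalAccessPolicies": [{"displayName": "Block all except DevOps", "result": "failure"}]},
]


def find_dependency_blocks(sign_ins: list[dict], policy: BlockPolicy) -> list[tuple[str, str]]:
    """Return (application, resource) pairs where the client app is excluded from
    the block policy yet the sign-in still failed CA, so the block must have been
    triggered by the dependency resource. These are the exclusions still missing."""
    hits = []
    for s in sign_ins:
        app, res = s["appDisplayName"], s["resourceDisplayName"]
        blocked = any(p["result"] == "failure" for p in s.get("appliedConditionalAccessPolicies", []))
        if blocked and not policy.applies_to(app) and policy.applies_to(res):
            hits.append((app, res))
    return hits


def main() -> None:
    # The policy from the answer: block everything except Azure DevOps.
    broken = BlockPolicy("Block all except DevOps", {ALL_CLOUD_APPS}, {"Azure DevOps"})
    print(evaluate_sign_in(broken, "Azure DevOps", "Windows Azure Service Management API"))
    for app, res in find_dependency_blocks(SAMPLE_SIGN_INS, broken):
        print(f"add '{res}' to the Exclude list (blocked while '{app}' called it)")
    # The corrected policy also excludes the dependency resource.
    fixed = BlockPolicy(broken.name, broken.include,
                        broken.exclude | {"Windows Azure Service Management API"})
    print(evaluate_sign_in(fixed, "Azure DevOps", "Windows Azure Service Management API"))


if __name__ == "__main__":
    main()
```

Running it shows the DevOps sign-in failing under the first policy because the policy still applies to the Windows Azure Service Management API resource, and succeeding once that resource is excluded as well; `find_dependency_blocks` is the check to run over real sign-in log exports to list the dependency resources that still need an exclusion. Note that the resource-side evaluation is exactly the part the What If tool skips, which is why What If reports success while the live sign-in is blocked.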

2 additional answers

  1. Shanmugham, Sudha 21 Reputation points
    2022-10-25T07:55:38.233+00:00

    Thank you Olga Os. This information helps.

    Also found this info on service dependencies, which can be referred to.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access#conditional-access-error-codes

    Is it possible to give more insight into application, resource and dependencies and how they are related? It would help to debug issues faster.


  2. Olga Os - MSFT 5,916 Reputation points Microsoft Employee
    2022-10-25T15:14:23.523+00:00

    Engineering groups are continuously working to improve the Microsoft Azure platform and troubleshooting processes to help ensure you have all the required tools to resolve it. Your feedback is very important to us. We use it to continually improve our service.

    As an example, the "Troubleshoot event" feature may show related information on your side.

    [image: 253984-image.png]

    Sincerely,
    Olga Os
