Hello @Shanmugham, Sudha ,
Welcome to the MS Q&A Forum.
The Azure Active Directory (Azure AD) sign-ins log is a valuable source of information when troubleshooting why and how Conditional Access policy applied in your environment. The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access using Azure AD sign-ins log.
In some specific scenarios, users can be blocked because there are cloud apps with dependencies to other resources and these resources are being blocked by CA Policy. Example below shows user was trying to sign into Azure DevOps ("Application") and access was blocked by CA policy.
This happened as an admin configured CA Policy that blocks access on all applications except for Azure DevOps app.
Meanwhile, DevOps has dependencies with Windows Azure Service Management API ("Resource") and CA Policy was enforced while accessing it. An admin must also exclude dependencies app from the CA Policy to allow access to the Azure DevOps.
The What If tool doesn't test for Conditional Access service dependencies. For example, if you're using What If to test a Conditional Access policy for Microsoft Teams, the result doesn't take into consideration any policy that would apply to Office 365 Exchange Online, a Conditional Access service dependency for Microsoft Teams.
Hope above answers your questions and concerns.
--------------------------------------------------------
Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
Sincerely,
Olga Os