@Stuart McGuire
Thank you for your post!
I understand that one of your Conditional Access Policies requires users to read your terms of use when first signing in. After the initial sign-in, users who aren't signing in for the first time aren't redirected to your terms of use. However, because of this you're seeing multiple failures in the sign-in logs showing the "Grant Controls" as "Not Satisfied".
When it comes to your sign-in logs showing the "Grant Controls" as "Not Satisfied", I was able to reproduce your issue, and it looks like a potential cause is how Conditional Access Policies work - since all policies are enforced in two phases - more info.
**Phase 1: Collect session details:** Occurs for enabled policies and policies in report-only mode.
- Gather session details, like network location and device identity that will be necessary for policy evaluation.
**Phase 2: Enforcement:** Occurs for all enabled policies.
- Use the session details gathered in phase 1 to identify any requirements that haven't been met.
- If there's a policy that is configured to block access, with the block grant control, enforcement will stop here, and the user will be blocked.
- The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 (i.e. MFA, Terms of use, etc.).
- Once all grant controls have been satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and token lifetime).
Findings:
When testing this within my own tenant and viewing the Sign-in logs, you can see that I have Interrupted and Failure sign-ins, but when viewing the sign-in details it mentions the below.
> The user is required to satisfy additional requirements before finishing authentication, and was redirected to another page (such as terms of use or a third party MFA provider). This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that this challenge was successfully passed or failed.
**Phase 1: Gather session details:**
This Interruption/CA failure occurs right after I inputted my login info, and should be part of the gathering session details phase.
**Phase 2: Enforcement: Occurs for all enabled policies:**
This second Interruption/CA failure occurs right after the redirect, and should be part of the enforcement phase.
Note: Since I had already accepted the tenant's terms of use, my login was interrupted and I was redirected. Otherwise, I would've had to read/accept the terms of use.
Once I had successfully performed single-factor authentication, my session details had been gathered, and enforcement had been verified (TOU acceptance), I was redirected to the Keep Me Signed In (KMSI) page since I had satisfied my CA Policy.
This is an expected part of the login flow, where a user is asked if they want to remain signed in to this browser to make further logins easier.
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
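The answer above explains that an Interrupted/Failure entry with the "redirected to another page" description is a grant-control redirect, not a failed login, and that only the later entries tell you whether the challenge was passed. The script below is an added example (not part of the answer above and not Microsoft's code) that triages such entries: it groups the legs of each sign-in, counts the redirect interruptions, and flags only the sign-ins that never completed. The record layout is modeled on the Microsoft Graph `signIn` resource, but every record is constructed here, the grant-control name `TermsOfUse`, the error code `99999`, and the user names are made up, and grouping legs by `correlationId` is an assumption about how the sample was built, so adapt the field names and grouping key to what your exported logs actually contain.

```python
"""Triage sign-in log entries whose Conditional Access grant controls show as
"Not Satisfied". Added example, not from the answer above or from Microsoft:
record shape is modeled on the Microsoft Graph `signIn` resource, but every
record below is constructed, and grouping the legs of one sign-in by
correlationId is an assumption about how this sample was built."""
import json
from collections import defaultdict

# Phrase quoted in the answer from the sign-in detail pane; its presence marks
# a redirect to terms of use / external MFA, not a failed login.
REDIRECT_HINT = "redirected to another page"
REDIRECT_TEXT = ("The user is required to satisfy additional requirements before "
                 "finishing authentication, and was redirected to another page "
                 "(such as terms of use or a third party MFA provider).")


def make_record(rid, when, corr, upn, ca_status, error_code, details,
                policy_result, controls):
    """Build one constructed sign-in record in Graph-like shape."""
    return {
        "id": rid, "createdDateTime": when, "correlationId": corr,
        "userPrincipalName": upn, "conditionalAccessStatus": ca_status,
        # error_code 99999 below is a constructed placeholder, not a real AADSTS code
        "status": {"errorCode": error_code, "additionalDetails": details},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require terms of use", "result": policy_result,
             "enforcedGrantControls": controls}],
    }


# Constructed sample: alice is interrupted in both phases and then succeeds,
# bob is interrupted twice and never completes, carol needs no redirect.
SAMPLE_LOG = json.dumps([
    make_record("a1", "2024-01-10T09:00:01Z", "c-1", "alice@contoso.example",
                "failure", 99999, REDIRECT_TEXT, "failure", ["TermsOfUse"]),
    make_record("a2", "2024-01-10T09:00:04Z", "c-1", "alice@contoso.example",
                "failure", 99999, REDIRECT_TEXT, "failure", ["TermsOfUse"]),
    make_record("a3", "2024-01-10T09:00:07Z", "c-1", "alice@contoso.example",
                "success", 0, "", "success", ["TermsOfUse"]),
    make_record("b1", "2024-01-10T09:05:00Z", "c-2", "bob@contoso.example",
                "failure", 99999, REDIRECT_TEXT, "failure", ["TermsOfUse"]),
    make_record("b2", "2024-01-10T09:05:03Z", "c-2", "bob@contoso.example",
                "failure", 99999, REDIRECT_TEXT, "failure", ["TermsOfUse"]),
    make_record("c1", "2024-01-10T09:10:00Z", "c-3", "carol@contoso.example",
                "success", 0, "", "success", ["TermsOfUse"]),
])


def load_sample():
    """Parse the constructed sample as if it were an exported sign-in log."""
    return json.loads(SAMPLE_LOG)


def is_interruption(rec):
    """True when the entry is a grant-control redirect rather than a failed login."""
    return (rec["status"]["errorCode"] != 0
            and REDIRECT_HINT in rec["status"].get("additionalDetails", ""))


def triage(records):
    """Group the legs of each sign-in and decide whether the challenge was passed.

    Returns {correlationId: {"user", "outcome", "interruptions",
    "unsatisfied_controls"}}; outcome is "completed" (a later leg succeeded),
    "unresolved" (only redirects seen, e.g. the terms-of-use page was
    abandoned) or "failed" (a non-redirect error occurred)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["correlationId"]].append(rec)
    out = {}
    for corr, legs in groups.items():
        legs.sort(key=lambda r: r["createdDateTime"])
        interruptions = [r for r in legs if is_interruption(r)]
        succeeded = any(r["status"]["errorCode"] == 0 for r in legs)
        hard_failures = [r for r in legs
                         if r["status"]["errorCode"] != 0 and not is_interruption(r)]
        # Grant controls reported as not satisfied on the redirect legs.
        controls = sorted({c for r in interruptions
                           for p in r["appliedConditionalAccessPolicies"]
                           if p["result"] == "failure"
                           for c in p["enforcedGrantControls"]})
        if succeeded:
            outcome = "completed"
        elif hard_failures:
            outcome = "failed"
        else:
            outcome = "unresolved"
        out[corr] = {"user": legs[0]["userPrincipalName"], "outcome": outcome,
                     "interruptions": len(interruptions),
                     "unsatisfied_controls": [] if succeeded else controls}
    return out


def needs_attention(results):
    """Correlation ids worth a look: redirects that never reached a success leg."""
    return sorted(c for c, r in results.items() if r["outcome"] != "completed")


if __name__ == "__main__":
    res = triage(load_sample())
    for corr, info in res.items():
        print(corr, info)
    print("needs attention:", needs_attention(res))
```

Run against the sample, alice's two interrupted legs are tied to her later success and dropped from the attention list, while bob's sign-in, which only ever shows the redirect legs, is the one to follow up on (for example, a user who closed the browser at the terms-of-use page). The point is that the "Not Satisfied" count on its own is not a signal; the absence of a completing leg for the same sign-in is.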