Azure AD B2C - Conditional Access not working

Gianfranco Coppola (MSC Sorrento) 45 Reputation points
2023-09-05T12:47:35.55+00:00

Hello,

We have two applications registered on Azure AD B2C, a web application and a mobile app. We want to set a conditional access policy to allow access to only one of the two applications based on user type.

We started by creating a first test policy trying to use it within an application registered on Azure by appropriately configuring the user flow that the application itself uses. The policy is very simple, all it has to do is block specific users from accessing the application registered on Azure, while allowing access to all others.

As reported in the official documentation, we have configured the user flow used in the application in such a way as to explicitly activate conditional access.

Anyway, when logging into the application for which access should be blocked, not only is the user able to log in normally, but the logs reported by Azure AD B2C show that no conditional access policy is triggered.

Is there something wrong or some other option that needs to be set?

Microsoft Entra ID

1 answer

    Marilee Turscak-MSFT 36,851 Reputation points Microsoft Employee
    2023-09-06T22:30:03.9833333+00:00

    Hi @Gianfranco Coppola (MSC Sorrento) ,

    Based on your description it sounds possible that the policy was created in the regular Azure AD tenant and not on the B2C directory itself. When you added the policy, did you make sure to select Azure AD B2C in the search bar, create the conditional access policy, and then select the users and application for which the policy is applied?

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-custom-policy

    Note also that Azure AD B2C is a Premium feature, so you need to make sure that the price tier of your Azure AD B2C tenant is set to Premium P1 or P2.

    Change your Azure AD pricing tier
    Supported Azure Active Directory features

    Another thing to keep in mind is that the policy would only apply to successful sign-ins. If a sign-in is successful, then the policies are evaluated to determine if the user should be able to access those resources. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-access

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information. Otherwise let me know if you have further questions.
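    As an added check (not part of the answer above, and not Microsoft's code), the following script queries the tenant's Conditional Access policies through Microsoft Graph and reports which enforced policies would block a given user on a given application. It assumes an access token with Policy.Read.All issued by the B2C tenant (a token from the workforce tenant returns that tenant's policies, which is the mix-up the answer describes); the GUIDs and policy data in the sample are constructed, and group/role scoping is not evaluated.

```python
import json
import urllib.request

# Constructed sample shaped like the Graph response for
# GET /v1.0/identity/conditionalAccess/policies (hypothetical IDs).
SAMPLE_POLICIES = json.loads("""
{"value": [
  {"displayName": "Block test users from web app", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": ["11111111-1111-1111-1111-111111111111"],
               "excludeUsers": []},
     "applications": {"includeApplications": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"],
                      "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Report-only MFA for all",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {
     "users": {"includeUsers": ["All"], "excludeUsers": []},
     "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]}
""")


def fetch_policies(access_token: str) -> dict:
    """Fetch CA policies of the tenant that issued the token (needs Policy.Read.All).
    Use a token for the B2C tenant, otherwise the workforce tenant's policies come back."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
        headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _targets(scope: dict, key: str, value: str) -> bool:
    """True when the scope includes value (or 'All') and does not exclude it.
    Only direct user/app IDs are checked; includeGroups/includeRoles are ignored."""
    incl = scope.get(f"include{key}", [])
    excl = scope.get(f"exclude{key}", [])
    return ("All" in incl or value in incl) and value not in excl


def blocking_policies(policies: dict, user_id: str, app_id: str) -> list:
    """Names of enforced (state == enabled) policies that block user_id on app_id."""
    hits = []
    for p in policies.get("value", []):
        if p.get("state") != "enabled":
            continue  # disabled or report-only policies never block a sign-in
        cond = p.get("conditions", {})
        if not _targets(cond.get("users", {}), "Users", user_id):
            continue
        if not _targets(cond.get("applications", {}), "Applications", app_id):
            continue
        if "block" in (p.get("grantControls") or {}).get("builtInControls", []):
            hits.append(p["displayName"])
    return hits
```

An empty result for the user and app you expect to be blocked means the policy is missing from this tenant, disabled, in report-only mode, or scoped to other users or applications.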
