Entra ID login not working, using SAML

Mareš Petr 20 Reputation points


I'm working on a migration of SAMMI Management UI (recipe management) from Siemens MyID to Azure AD (using SAML).

Azure AD: SAMMI Management UI (OEZ test instantion)

I did "Generate Azure AD app integration" in Siemens MyID and followed instructions in email.

I'm getting error:

You do not have access to this.

Your login was successful, but you do not have permission to access this resource.

In Sign-in logs I can see the information:

Access has been blocked by Conditional Access policies.

The access policy does not allow token issuance.

Uploaded image: Login error (image.png)

Together with the program author, we checked the settings on the server and compared my Azure AD setup "SAMMI Management UI (OEZ test instantion)" with the working setup of the test version in Germany, "SAMMI Management test system".

Unfortunately, we do not see the difference and have no idea where the error could be.

Is there anyone here who could advise where the error is and what we are overlooking?

Thank you in advance.

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 29,856 Reputation points Microsoft Employee

    @Mareš Petr ,

    Here are some things I would recommend checking:

    • Prevent Cross-Site Tracking is disabled.
    • Block All Cookies is disabled.
    • Authenticator for iOS is installed (if using iOS).
    • Modern authentication is enabled on the tenant.
    • Confirm whether the same issue occurs on non-iOS devices.

    The error itself means that the Conditional Access policy in your tenant is preventing access to the application to retrieve access tokens from Azure. If you check the sign-in events, look for an event with Status = Failure, select the event, and select the Conditional Access tab, you can investigate which policy caused the block. If your application is breaking a rule, you can modify the application to make it compliant. Otherwise, you can exclude the service principal from the Conditional Access policy.

    If the device information is not being passed, the CA will block the device as non-compliant.

    If you can check both the failed and successful sign-in logs, you can confirm the more granular reasons for the failure (i.e., device platform not recognized by Azure and showing as Unknown, or the user condition not matching). You need to make sure that the user agent follows the correct format: User-Agent - HTTP | MDN (mozilla.org)

    If none of these steps help, I would recommend sharing your sign-in log details and creating a support case to further investigate your issue.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
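
The comparison of failed and successful sign-ins described in the answer above can be scripted against exported sign-in records. This is an added example, not part of the original answer or any Microsoft tooling; it uses Microsoft Graph signIn field names, and every record, app name, user and policy name in it is a constructed placeholder.

```python
# Constructed sign-in records using Microsoft Graph signIn field names.
# Apps, user, policy names and device values are placeholders, not tenant data.
SIGNINS = [
    {"createdDateTime": "2024-01-10T08:00:00Z", "appDisplayName": "app-under-test",
     "userPrincipalName": "user@example.com",
     "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
     "deviceDetail": {"operatingSystem": "", "browser": "", "isCompliant": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "placeholder-require-compliant-device", "result": "failure"},
         {"displayName": "placeholder-require-mfa", "result": "success"},
         {"displayName": "placeholder-legacy-auth", "result": "notApplied"}]},
    {"createdDateTime": "2024-01-10T08:05:00Z", "appDisplayName": "working-reference-app",
     "userPrincipalName": "user@example.com",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Edge 120.0.0",
                      "isCompliant": True},
     "appliedConditionalAccessPolicies": [
         {"displayName": "placeholder-require-compliant-device", "result": "success"}]},
]

def blocking_policies(signin):
    """Names of the Conditional Access policies whose result is 'failure'."""
    return [p["displayName"]
            for p in signin.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]

def device_diff(failed, ok):
    """deviceDetail fields that differ, as {field: (failed_value, ok_value)}."""
    f, o = failed.get("deviceDetail", {}), ok.get("deviceDetail", {})
    return {k: (f.get(k), o.get(k))
            for k in sorted(set(f) | set(o)) if f.get(k) != o.get(k)}

def triage(signins):
    """For each CA-blocked sign-in, name the blocking policies and diff the
    device details against a successful sign-in by the same user, if any."""
    report = []
    for s in signins:
        if s["status"]["errorCode"] == 0 or s.get("conditionalAccessStatus") != "failure":
            continue
        ok = next((x for x in signins if x["status"]["errorCode"] == 0
                   and x["userPrincipalName"] == s["userPrincipalName"]), None)
        report.append({"time": s["createdDateTime"], "app": s["appDisplayName"],
                       "blocked_by": blocking_policies(s),
                       "device_diff": device_diff(s, ok) if ok else {}})
    return report

if __name__ == "__main__":
    for row in triage(SIGNINS):
        print(row)
```

An empty `operatingSystem` or `browser` on the failed record next to populated values on the successful one points at device information not reaching the policy evaluation, which is the case the answer describes.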