Conditional Access policy not applying

Question

Conditional Access policy not applying

Thomas Barnish 0

We have provided access to specific external users for an application. We have a conditional access policy that applies to all users that requires multi-factor authorisation. From the sign in logs this policy is only being applied intermittently and when not applied the user access is denied. When the conditional access is not applied the authentication goes to single-factor. Can anyone provide a reason why the conditional access policy isn't being applied.

Andy David - MVP 153.5K Reputation points MVP

2024-02-23T18:07:01.34+00:00

Those sign in logs should show why looking at the properties for the logon under Conditional Access. Is there a trusted network or any other exemption allowed?
Dillon Silzer 57,681 Reputation points

2024-02-24T18:11:36.34+00:00

Can you give us an example log(s) (with PII removed)?
Marco Zemp 235 Reputation points

2024-02-24T20:25:29.5033333+00:00

Can you check whether you also include external users and guests for this conditional access policy?

For Assignments > Users and groups > Include, choose Select users and groups, and then select All guest and external users.
Thomas Barnish 0 Reputation points

2024-02-25T15:02:59.21+00:00

@Andy David - MVP @Dillon Silzer @Marco Zemp Thanks for your comments. The conditional access policy is applied to All Users so should be applied to external guests. There is one exclusion for Azure VM but that shouldn't apply for the external user. Image of log attached and the Conditional Access detail for a failed login

1 answer

Your answer

Andy David - MVP 153.5K Reputation points MVP

2024-02-23T18:07:01.34+00:00

Those sign in logs should show why looking at the properties for the logon under Conditional Access. Is there a trusted network or any other exemption allowed?
Dillon Silzer 57,681 Reputation points

2024-02-24T18:11:36.34+00:00

Can you give us an example log(s) (with PII removed)?
Marco Zemp 235 Reputation points

2024-02-24T20:25:29.5033333+00:00

Can you check whether you also include external users and guests for this conditional access policy?

For Assignments > Users and groups > Include, choose Select users and groups, and then select All guest and external users.
Thomas Barnish 0 Reputation points

2024-02-25T15:02:59.21+00:00

@Andy David - MVP @Dillon Silzer @Marco Zemp Thanks for your comments. The conditional access policy is applied to All Users so should be applied to external guests. There is one exclusion for Azure VM but that shouldn't apply for the external user. Image of log attached and the Conditional Access detail for a failed login

Answer 1

Marco Zemp 235

@Thomas Barnish it looks like the conditional access policy does not apply to this user. Can you check under Conditions whether there are any other exceptions?

To check whether all device platforms, locations and client apps used by the user also apply to this login attempt. You can also use "What If" (in the conditional access policy view) to change the conditions and check when the policy applies and when it does not.

Thomas Barnish 0 Reputation points

2024-02-26T09:56:38.33+00:00

@Marco Zemp The conditional access policy didn't apply for the failed log in but it did a few minutes later when the login was successful, see the attached image. I have now checked the "What if" in the conditional access view and the MFA policy should apply for this user for all conditions.
Marco Zemp 235 Reputation points

2024-02-27T06:24:46.1266667+00:00

@Thomas Barnish If this is the correct conditional access policy then it will be applied correctly. Could it be that due to the use of Windows Hello it appears that the user does not have MFA but Windows Hello serves as MFA? As a result, it seems to users more often that no obvious MFA login appears but is already fulfilled by Windows Hello MFA.

"The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources."
Source:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/faq

Share via

Conditional Access policy not applying

1 answer

Your answer