Enterprise App SSO with conditional access, needed Microsoft Graph resources for sign-in

Tim Perry 0 Reputation points
2024-03-07T16:57:27.2233333+00:00

Hi,

We have created an Enterprise App for VPN SSO with a 3rd-party platform, which works properly. We have also created a Conditional Access Policy that restricts access from anywhere outside the US. When a person tries to log in outside the country, we receive the error "XXX needed Microsoft Graph resources for sign-in". I have excluded the SSO App from the CA policy, and I have also added Security Attributes to any apps that belong to Graph (e.g. Microsoft Graph, Azure Graph, graphstore, graphexplorer, etc.) and excluded anything with those attributes from the policy. I am still receiving the "graph is needed" error, though, when someone tries to log in.
I performed a Conditional Access "What If" test from Entra, but when I select the SSO App, it shows the CA policy as not applied.
I feel I am in a catch-22: the CA policy bypasses the VPN IP, but you can't connect to the VPN app to authenticate.
Any guidance would be great.

Microsoft Security | Microsoft Graph
Microsoft Security | Microsoft Entra | Other

2 answers

  1. Tim Perry 0 Reputation points
    2024-03-07T17:22:09.4133333+00:00

    @Andy David - MVP

    Thank you for the response.
    When trying to sign into the custom Enterprise app from outside the US, they receive a failure and it logs this:
    [screenshot]

    When I launch the sign-in diagnostics, it shows this:

    [screenshot]

    The SSO app is excluded from the CA policy and for testing, I have excluded the following Apps from the policy:
    [screenshot]

    However, the user still receives the error.
    Thank you again.


  2. Andy David - MVP 157.6K Reputation points MVP Volunteer Moderator
    2024-03-07T17:37:50+00:00

    The Office 365 app actually has ties to Graph. What happens if you exclude that as well and test?
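    The following is an added example, not code from anyone in this thread. It uses the Microsoft Graph PowerShell SDK to do two things that help with the situation described above: dump exactly which app identifiers the CA policy includes and excludes (resolving them to display names, including the well-known "Office365" literal that Conditional Access stores for the Office 365 app group, and the Microsoft Graph appId 00000003-0000-0000-c000-000000000000), and then list the test user's recent failed sign-ins showing the client app, the resource the token was actually requested for, and which CA policies were applied. Conditional Access is evaluated against the target resource of the token request, so a request made by an excluded client app for Microsoft Graph is still subject to a policy that includes Microsoft Graph; the ResourceDisplayName column is where that shows up. The policy name and user UPN are placeholders.

```powershell
# Added example (not from the original thread). Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and a delegated sign-in with
# Policy.Read.All, Application.Read.All and AuditLog.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All","Application.Read.All","AuditLog.Read.All"

$policyName = "Block sign-in outside US"   # hypothetical policy display name
$userUpn    = "user@contoso.com"            # hypothetical test user

# Identifiers Conditional Access uses that are not ordinary appIds.
# "Office365", "All" and "None" are stored as literal strings, not GUIDs.
$knownIds = @{
    "00000003-0000-0000-c000-000000000000" = "Microsoft Graph"
    "00000002-0000-0000-c000-000000000000" = "Azure AD Graph (legacy)"
    "Office365"                            = "Office 365 (app group)"
    "All"                                  = "All cloud apps"
    "None"                                 = "None"
}

function Resolve-CaAppId {
    param([string]$Id)
    if ($knownIds.ContainsKey($Id)) { return $knownIds[$Id] }
    # Otherwise treat it as an appId and look up the service principal's name.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$Id'" -Property displayName
    if ($sp) { return $sp.DisplayName } else { return "<unknown: $Id>" }
}

# 1. Show what the policy targets. These are *resource* apps, which is what
#    CA evaluates; the client making the request is only a condition.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }

"== $($policy.DisplayName) (state: $($policy.State)) =="
"Included apps:"
$policy.Conditions.Applications.IncludeApplications |
    ForEach-Object { "  + $_  -> $(Resolve-CaAppId $_)" }
"Excluded apps:"
$policy.Conditions.Applications.ExcludeApplications |
    ForEach-Object { "  - $_  -> $(Resolve-CaAppId $_)" }

# 2. Pull the user's failed sign-ins from the last day. For each one, print the
#    client app (AppDisplayName) next to the resource it asked a token for
#    (ResourceDisplayName) and the CA policies that were applied. If the SSO
#    client is excluded but the resource is Microsoft Graph, the policy still
#    applies to that request, which is the mismatch the What If tool will not
#    show when you only select the client app.
$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Top 50 `
    -Filter "userPrincipalName eq '$userUpn' and createdDateTime ge $since"

foreach ($s in ($signIns | Where-Object { $_.Status.ErrorCode -ne 0 })) {
    ""
    "$($s.CreatedDateTime)  error $($s.Status.ErrorCode): $($s.Status.FailureReason)"
    "  client app : $($s.AppDisplayName) ($($s.AppId))"
    "  resource   : $($s.ResourceDisplayName) ($($s.ResourceId))"
    "  CA status  : $($s.ConditionalAccessStatus)"
    foreach ($p in ($s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -ne 'notApplied' })) {
        "    policy '$($p.DisplayName)' -> $($p.Result)"
    }
}
```

    Run it from a workstation with an account that can read CA policies and sign-in logs, then compare the "resource" line of the failing sign-in against the "Excluded apps" list: if the resource's appId (or the app group that contains it) is not in the exclusions, the exclusion of the client app alone will not stop the block.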

