Conditional Access Policy "Not Applied"

Question

Conditional Access Policy "Not Applied"

Felix 0

Hi!

We got a Custom Application, which is called Tresorit
We want to block all sign ins which come from Mobile Devices

I created 2 Policys (Block & Allow)

Block Policy:

Users: Just me

Target resources: Tresorit

Conditions, Device platforms: Include "Any", Exclude: "Windows, macOS, Linux"
Grant: Block Access

Enable policy: ON

Allow Policy:

Same User and target Ressource

Condition, Device platforms: Include: Windows, macOS, Linux

Grant Access (Authentication strength)
Enable policy: ON

--
When logging in on iPhone / Mobile APP - Access is granted, which shouldn´t

The Log shows:

Where the Application ID is right (same as included in Policy)
Device info is iOS:

Browser Mobile Safari 18.3

Operating System Ios 18.3.1

Assignment shows "not Matched"

When I log in from macOS, logs are basically the same - But OS = macOS and the Allow Policy notices "Success"

The "What if" tools shows:

when device Platform is "iOS":
Policies that will apply:
Block access

when device Platform is "macOS or Windows":
Authentication strength (which is part of the "Allow policy")

The Policys seem to be configured correct - I cant figure out why mobile APP issn´t blocked

Any ideas are highly appreciated

2 answers

Your answer

Answer 1

Marcin Policht 39,370 MVP

Your Conditional Access policies seem well-structured, but there are a few potential reasons why the block policy isn't applying as expected when logging in from an iOS mobile app.

Application might be using a different user-agent
- The mobile app might not be reporting itself as an iOS device in the way Conditional Access expects.
- Conditional Access policies primarily rely on user-agent strings to detect the device platform.
- Since the log shows "Browser: Mobile Safari," it suggests that the authentication request is browser-based rather than coming from the Tresorit mobile app directly.

To resolve it, instead of only filtering by device platform, try adding a condition based on the client app type.

Modify your block policy:
- Under Conditions → Client apps, select "Browser" and "Mobile apps and desktop clients."
- This ensures that both the browser and mobile app authentications are blocked.

Modern vs. legacy authentication
- If the mobile app is using legacy authentication (Basic Auth) instead of modern authentication, Conditional Access policies may not be able to evaluate it properly.
- Check Sign-in logs → Authentication details to confirm whether the authentication is done using legacy or modern authentication.

To resolve it, if legacy authentication is detected, enforce modern authentication and block legacy authentication protocols via Conditional Access.

Policy evaluation order / overlapping policies
- If there are other Conditional Access policies (besides the two you mentioned), they might be overriding or conflicting with your block policy.
- Check if any higher-priority policies allow sign-in under different conditions.

To resolve it, go to Entra Admin Center → Conditional Access and review all policies that might be affecting Tresorit.

iOS devices enrolled in Intune (compliance policy conflicts)
- If the mobile device is enrolled in Microsoft Intune, it could be marked as "Compliant" and be granted access due to another policy allowing compliant devices.

To resolve it, check whether the device compliance status is affecting the access decision. If so, modify your block policy to also exclude compliant devices from access if needed.

Session persistence / token caching
- If you've previously logged in successfully from the iOS device, an active session or a refresh token may still be valid.
- Sometimes, Conditional Access policies only apply to new authentication attempts, and existing sessions remain valid.

To resolve it, in Entra Admin Center → Sign-in logs, check if the sign-in is using a refresh token instead of a new authentication. If refresh tokens are an issue, revoke all active sessions for the user via:
- Entra ID → Users → Select user → Sign-in logs → Revoke sessions
- Ask the user to sign out and log in again to test.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Felix 0 Reputation points

2025-02-19T14:11:45.02+00:00

Thanks A LOT for the answer, sadly no success

I build a few more Policys which all should block :

Block Client APPs (NO Device platform) = Only Client APPs (all) selected as Condition

Block Mobile Devices (Any device and 3 excluded + Client apps) = any Device, excluded Windows, MacOS, Linux + Client APPs (all)

Block Mobile Devices (Any device and 3 excluded) = Original rule - Any Device, Excluding Windows, macos, Linux as only Condition

Block USER (RO) - ONLY User and Target Ressources defined, no further conditions, in report only mode

I revoked the sessions and tried to log in via Mobile APP again - ALL Policys are Not Applied, the (RO) rule is "Report-only: Not applied"

Application Tresorit

Application ID

<Correct one>

Resource: Microsoft Graph

Resource ID: 00000003-0000-0000-c000-000000000000

The device is not Intune enrolled
Client app in log: Mobile Apps and Desktop clients (no legacy mentioned)

no other Policys are conflicting
Venkata Jagadeep 565 Reputation points Microsoft External Staff

2025-02-19T23:00:20.1533333+00:00

Hello Felix,

Despite being blocked by a CA policy, users are still able to access your custom application Tresorit from their mobile devices.

The sign-in logs indicate that MS Graph is being used as the target resource when accessing the custom application Tresorit.

Please consider the below scenario.

You have a CA policy to protect Exchange Online by requiring MFA

You Exclude Outlook Mobile from that CA policy

User opens Outlook Mobile and is still required to perform MFA to access Exchange Online

This is because the Resource Exchange Online is protected. It doesn't matter what Application is used to access Exchange Online. The policy will still trigger based on the Resource called

I suggest referring the below document to understand how CA policy will apply on service dependencies.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps

And as mentioned by Marcin Policht above, the log shows "Browser: Mobile Safari" it suggests that the authentication request is browser-based rather than coming from the Tresorit mobile app directly.

In sign-in logs are you able to see the iOS or android as operating system in device info blade?
Felix 0 Reputation points

2025-02-20T07:58:36.8833333+00:00

Thanks a lot!

I wondered about Graph in the first place, but checking a working Condition (on macos / Browser) shows me the same application and Ressource - so I assumed this is correct

Also Graph issn´t a selectable target ressource in CA

LOGS:

MacOS (from Browser) - (a Working BLOCK Condition):

Application Tresorit Application ID -0bc19235b956* Resource Microsoft Graph Resource ID 00000003-0000-0000-c000-000000000000

Device Info:

Device ID None Browser Edge 133.0.0 Operating System MacOs Compliant No Managed No Join Type none

From iOS APP (remember a BLOCK ALL Tresorit for this user, no further condition in this Policy is in place)

Application Tresorit Application ID -0bc19235b956* Resource Microsoft Graph Resource ID 00000003-0000-0000-c000-000000000000

Device ID none Browser Mobile Safari 18.3 Operating System Ios 18.3.1 Compliant No Managed No Join Type none

My confusion:
User is Matching
The correct application is matching (Works on macOS and iOS browser)
Application and Ressource IDs are the same in both cases (Browser & iOS APP)

Because the Application ID is the only condition, and matches in both cases - The behavior of the iOS app shouldn't matter at all - issn´t it?
Venkata Jagadeep 565 Reputation points Microsoft External Staff

2025-02-21T02:11:16.71+00:00

Hello Felix,

The client application either browser or native client app has to provide device information. We suggest device platform should be used in concert with Microsoft Intune device compliance policies or as part of a block statement.

Please let us know if any further information needed.
Felix 0 Reputation points

2025-02-21T07:49:09.71+00:00
Thanks!

That doesn´t solve the issue.

The CA Policy doesn´t match Block - Even if only user and application is set as condition

The same Rule is applied when using browser, this looks suspicious to me because the device / OS is not a condition and APP / Ressource id are the same

Intune doesn´t solve the problem either - Users would still be able to install the app and authenticate on a Private phone, which is a nono
Venkata Jagadeep 565 Reputation points Microsoft External Staff

2025-02-24T23:01:38.1333333+00:00

Hello Felix,

When we include an application and a write block policy, it will block only that particular application.

Other applications or resources will not get effected due to this.

Windows platform:

In this scenario windows is excluded and block. So, it will not block any application. (not only Tresorit)

Mobile platform :

In this scenario iOS is included and Tresorit application is added and blocked. Here user is able to access the resource of the application MS Graph as it was not added (can't) as target.

As mentioned earlier and you found that MS Graph is resource for Tresorit application, mobile users are able to access the resource of the application.

The only way to target Microsoft Graph with Conditional Access is to select 'All Cloud Apps' since it is a public/native application which calls a service.

The only way to target Microsoft Graph with Conditional Access is to select 'All Cloud Apps' since it is a public/native application which calls a service.

The below document shows how to identify the applications that use Graph API.

https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-faq#method-3-use-the-app-registrations-menu-of-the-microsoft-entra-admin-center
Venkata Jagadeep 565 Reputation points Microsoft External Staff

2025-02-26T18:18:33.3+00:00

Hello Felix,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 565 Reputation points Microsoft External Staff

2025-02-27T16:27:00.35+00:00

Hello Felix,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 2

Felix 0

Thanks for the follow up.

I don´t understand the logic here.

In both cases (browser and mobile) the event is logged with same Application (Tresorit) and Ressource (Microsoft Graph) and User (Me)

So the Signals for the Conditional Access Policy are the same but the login for the mobile app is "Not Applied"

This behaviour looks odd to me - Because client app or any other signal issn´t part of the condition

Targeting "All Cloud Apps" - is not suitable because I want to allow some Mobile APPs

Venkata Jagadeep 565 Reputation points Microsoft External Staff

2025-02-27T22:14:41.9133333+00:00

Hello Felix,

Thank you for your response.

Please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: djagadeep" and following details in the email body: Link to this thread/post.

We can connect offline and discuss further on this issue.
Venkata Jagadeep 565 Reputation points Microsoft External Staff

2025-03-03T16:49:51.31+00:00

Hello Felix,

Following up to see if you are able to send us email on 'azcommunity@microsoft.com' with Sub - "ATTN: djagadeep" and following details in the email body: Link to this thread/post.

Share via

Conditional Access Policy "Not Applied"

Assignment shows "not Matched"

2 answers

Your answer