Conditional Access policy not triggering for 2 out of 3 selected Cloud Apps

N B 11 Reputation points
2021-02-25T09:52:35.747+00:00

Hi,

I'm attempting to apply a CA policy to a set of Cloud Apps to require MFA, but the policy is failing to trigger for some of the apps.

I'm testing with 3 apps which are included in the Cloud Apps or Actions element of the policy (Microsoft Forms, SurveyMonkey and diagrams.net), and I have the policy set to apply to one user owner. I have no exclusions set at either the user level or within the apps.

The trouble I'm seeing is that only Microsoft Forms is triggering the policy. If I try either of the other 2 apps, the policy doesn't match according to the Sign In logs, despite the fact that the listed Application and Application ID match the name and App ID specified in the CA policy. So I can log in to Office.com and only when I go to Forms do I get prompted for MFA, which is what I want. However, SurveyMonkey and diagrams.net just sign in without any MFA, and looking at the Sign In logs it says Not Matched, even though the apps listed in the Sign In logs actually do match what I've included in the policy.

If I do a What If on the policy, selecting my test user and targeting the apps, it says it should apply.

I figure I'm doing something really stupid and would welcome advice/steps on troubleshooting.

Thanks,

Neil

Microsoft Entra ID

1 answer
The_Russeller_1 6 Reputation points
2021-08-26T14:29:52.37+00:00

Hi @N B. Interesting you raise this, as I have also been troubleshooting an issue that would appear to be the same as what you describe above...

Okay, so I have a custom app for which MFA is enforced by conditional access policies which have the cloud apps selection set to "All Cloud Apps". In the AAD Sign in logs, when the user authenticates, I do successfully see that the CAP matches with the registered app the user is signing into...
What I would like to do is have a different CAP policy to enforce MFA which is just for this specific cloud app which I've registered. However, when the user goes to sign in, the user's AAD sign in logs do not show that the conditional access policy has matched with the client application, and instead show that it's trying to access the Microsoft Graph resource. This displays an ID of 00000003-0000-0000-c000-000000000000. Upon investigating this ID, it would appear to be related to the built-in "Graph Aggregator Service". If you search for this Enterprise App you can see all of the service principals which have been added to the app. From the information which I've been reading, I believe adding your service principal into the "Graph Aggregator Service" app would then resolve the issue which we're facing.

I'm yet to try this myself, as I would like to test in a test environment because the App I want to enforce the CAP policy on is currently already in production use. The reason this works with all cloud apps selected is because that includes the Graph Aggregator Service. It did take a while to conclude this, but that's where I'm at.
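The answer above points at the detail that decides "Matched" versus "Not Matched": the Cloud apps condition of a Conditional Access policy is evaluated against the resource a token is requested for (the `resourceId` / `resourceDisplayName` of the sign-in record), not against the client application that started the sign-in (the `appId` / `appDisplayName`). The following Python is an added example, not code from either poster or from Microsoft, that models that evaluation over constructed sign-in records so the two outcomes can be compared side by side. The Microsoft Graph application id is the one quoted in the answer; the three other app ids, the user name and the sign-in records are placeholders constructed for this example, and the records only illustrate the scenario the answer describes (the token request going to Microsoft Graph), not a confirmed diagnosis of the question's tenant.

```python
"""Model of how the Conditional Access 'Cloud apps' condition is matched.

Conditional Access evaluates the resource a token is requested for
(resourceId of the sign-in), not the client application that started the
sign-in (appId). All ids and records below except the Microsoft Graph id
are constructed for this example; none come from a real tenant.
"""
from dataclasses import dataclass

# Well-known application id of Microsoft Graph, as quoted in the thread.
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Placeholder app ids for the three apps in the question (constructed, not real).
FORMS_APP_ID = "11111111-1111-1111-1111-111111111111"
SURVEYMONKEY_APP_ID = "22222222-2222-2222-2222-222222222222"
DIAGRAMS_APP_ID = "33333333-3333-3333-3333-333333333333"


@dataclass(frozen=True)
class CaPolicy:
    """Subset of a Conditional Access policy: targeted users and cloud apps.
    include_applications holds app ids, or {"All"} for 'All cloud apps'."""
    name: str
    include_users: frozenset
    include_applications: frozenset


def policy_matches(policy: CaPolicy, signin: dict) -> tuple:
    """Return (matched, reason) for one sign-in record. Field names follow the
    Entra sign-in log schema (userPrincipalName, appId, appDisplayName,
    resourceId, resourceDisplayName); the values are constructed."""
    if signin["userPrincipalName"] not in policy.include_users:
        return False, "user is not in scope of the policy"
    if "All" in policy.include_applications:
        return True, "policy targets all cloud apps, so any resource matches"
    if signin["resourceId"] in policy.include_applications:
        return True, f"resource {signin['resourceDisplayName']} is targeted by the policy"
    # The client app may well be in the policy, but matching keys on the resource.
    reason = (f"sign-in requested a token for {signin['resourceDisplayName']} "
              f"({signin['resourceId']}), which is not in the policy's cloud apps")
    if signin["appId"] in policy.include_applications:
        reason += (f"; the client app {signin['appDisplayName']} is targeted, "
                   "but the client app is not what the policy is matched against")
    return False, reason


def triage(policy: CaPolicy, signins: list) -> list:
    """Summarise each sign-in as (client app name, matched?, reason)."""
    return [(s["appDisplayName"],) + policy_matches(policy, s) for s in signins]


# Constructed sign-in records modelled on the question's three test apps.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "neil@example.com", "appId": FORMS_APP_ID,
     "appDisplayName": "Microsoft Forms", "resourceId": FORMS_APP_ID,
     "resourceDisplayName": "Microsoft Forms"},
    {"userPrincipalName": "neil@example.com", "appId": SURVEYMONKEY_APP_ID,
     "appDisplayName": "SurveyMonkey", "resourceId": MICROSOFT_GRAPH_APP_ID,
     "resourceDisplayName": "Microsoft Graph"},
    {"userPrincipalName": "neil@example.com", "appId": DIAGRAMS_APP_ID,
     "appDisplayName": "diagrams.net", "resourceId": MICROSOFT_GRAPH_APP_ID,
     "resourceDisplayName": "Microsoft Graph"},
]

# Policy as described in the question: three selected apps, one user.
MFA_POLICY = CaPolicy(
    name="Require MFA for selected apps",
    include_users=frozenset({"neil@example.com"}),
    include_applications=frozenset({FORMS_APP_ID, SURVEYMONKEY_APP_ID, DIAGRAMS_APP_ID}),
)

# Policy as described in the answer: 'All cloud apps', which matches every resource.
ALL_APPS_POLICY = CaPolicy(
    name="Require MFA for all cloud apps",
    include_users=frozenset({"neil@example.com"}),
    include_applications=frozenset({"All"}),
)

if __name__ == "__main__":
    for app, matched, reason in triage(MFA_POLICY, SAMPLE_SIGNINS):
        print(f"{app:16} {'Matched' if matched else 'Not Matched':12} {reason}")
```

When troubleshooting a real "Not Matched" entry, the field to compare against the policy's Cloud apps selection is therefore the resource of the sign-in, not the application name shown at the top of the record; if the resource is Microsoft Graph, a policy scoped to the client app will not fire, while an "All cloud apps" policy will.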