Azure AD Conditional Access policies are not getting applied

Ryan Ash 26 Reputation points
2021-04-21T13:34:32.317+00:00

I have an Azure Conditional Access policy that I am trying to use to block all access from any country outside of the US. I have included pictures of my policy. I currently have it set up in Report Only mode and have it set to block everything including the US just to see if it is working. I had one that was not working and just set up another to block all apps and only allow the US.

The end goal here is to have a policy that will block ANY user that tries to sign in to Office 365 from ANY country other than the US. I at least think I had it set up, but the sign-in reports on the Conditional Access and Report-only blades do not show anything being applied.



Accepted answer
  1. AmanpreetSingh-MSFT 56,616 Reputation points
    2021-04-22T10:42:42.727+00:00

    Hi @Ryan Ash · Thank you for reaching out.

    Looking at the screenshots, you have configured 2 policies (mentioned below) to block all access from any country outside of the US.

    • Policy For US Employees
    • Policy to block other countries

    A better way of configuring Conditional Access for this purpose would be to:

    • First create a Named Location by navigating to Azure AD > Security > Named Locations > + Countries location > provide a name and select United States.
    • Create a single CA policy, where you include Any location, exclude the Named Location created for the US, and Block access. Please refer to the screenshot below, where I have configured the bare minimum settings to achieve your requirement:


    Now, the policy will only apply when someone tries to access any Cloud App from outside of the US, and access will be blocked. As the US is excluded from the policy, it will not apply when cloud apps are accessed from within the US, and access will be granted (provided no other policy is blocking the access).

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. Ryan Ash 26 Reputation points
    2021-04-29T20:43:11.02+00:00

    Follow-up question. I have the policy set as it is above. I have a Security group I created in Office 365 that I use to add the users to, and then added that group to the CA policy. I have a user that someone is clearly trying to log in as, and yet the policy is not being applied. They have an Azure AD P1 license. I see in the sign-in logs that there are attempts from other countries, and yet under CA and under Report Only it just says Not Applicable. When I run the What If tool with the IP and country it tells me it should be blocked, but clearly it is not. Not sure why it is not applying as it says it should be.


  2. Cheluvappa, Balaraju 61 Reputation points
    2022-10-25T15:39:30+00:00

    Conditional Access comes into effect after the first factor of authentication is completed successfully, so in this case the attackers are using a bad password and not getting to the policies you configured. In the event of a correct password attempt the policy would kick in and the user would be blocked.

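As an added illustration (not code from anyone in this thread), the single policy from the accepted answer expressed as Microsoft Graph request bodies, plus a toy evaluator that models the point made in the last answer: the policy is only evaluated once the first factor succeeds, so failed-password attempts never reach it. The named-location id is a placeholder and the sign-in events are constructed.

```python
# Body for POST /identity/conditionalAccess/namedLocations (Microsoft Graph schema).
US_NAMED_LOCATION = {
    "@odata.type": "#microsoft.graph.countryNamedLocation",
    "displayName": "United States",
    "countriesAndRegions": ["US"],
    "includeUnknownCountriesAndRegions": False,
}
US_LOCATION_ID = "<named-location-id>"  # placeholder: Graph returns the real id on creation
NAMED_LOCATIONS = {US_LOCATION_ID: US_NAMED_LOCATION}

# Body for POST /identity/conditionalAccess/policies, mirroring the accepted answer:
# all users, all cloud apps, any location except the US named location, block access.
BLOCK_OUTSIDE_US_POLICY = {
    "displayName": "Block access from outside the US",
    "state": "enabledForReportingButNotEnforced",  # report-only, as in the question
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": [US_LOCATION_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def evaluate_sign_in(policy, signin, named_locations):
    """Toy model of one Conditional Access decision for a single sign-in event.

    CA runs only after the first factor succeeds; a bad password never reaches the
    policy, which is why such attempts show no policy result in the sign-in logs.
    """
    if not signin["first_factor_succeeded"]:
        return "not evaluated"
    loc = policy["conditions"]["locations"]
    excluded = {c for lid in loc["excludeLocations"]
                for c in named_locations[lid]["countriesAndRegions"]}
    if "All" in loc["includeLocations"] and signin["country"] not in excluded:
        if "block" in policy["grantControls"]["builtInControls"]:
            return "blocked" if policy["state"] == "enabled" else "report-only: would block"
        return "granted"
    return "not applicable"  # excluded location: policy does not apply


# Constructed sample sign-ins: a US user, a bad-password attempt from abroad,
# and a correct-password attempt from abroad.
SAMPLE_SIGNINS = [
    {"country": "US", "first_factor_succeeded": True},
    {"country": "DE", "first_factor_succeeded": False},
    {"country": "DE", "first_factor_succeeded": True},
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s, "->", evaluate_sign_in(BLOCK_OUTSIDE_US_POLICY, s, NAMED_LOCATIONS))
```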
