Problem with disabling classic conditional access policies

Eric Johansson 21 Reputation points MVP
2019-12-18T20:39:09.04+00:00

I need to enable the security defaults for our AAD, however when I flip the switch I get an error message about having enabled classic policies:

[Image: AAD Security Defaults]

When I go to the conditional access blade, the classic policies option is disabled:

[Image: Classic policies disabled]

I seem to be stuck between a rock and a hard place here. Any ideas what might be going wrong? The AAD is created from an O365 subscription.

Best regards,
Eric Johansson


5 answers

  1. ABrooker 36 Reputation points
    2020-02-06T11:20:04.503+00:00

    Okay guys here's the answer:

    Found it in a post by Pete W (whoever he is - he is a star!)

    Sorted it for me

    https://github.com/MicrosoftDocs/azure-docs/issues/43961

    I've just received a response from Microsoft on this issue.

    The options were also greyed out for myself. This was due to Classic Policies now requiring an Azure AD Premium P1 licence (or higher). That said, there is a direct URL available to access your classic policies. Microsoft advised me to delete, however simply disabling was enough to allow me to apply the security defaults.

    Classic Policies Direct URL:

    https://portal.azure.com/?microsoft_aad_iam_classicPolicyDontHide=true&microsoft_aad_iam_enableClassicPoliciesMenu=true#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/ClassicPolicies

    Hopefully this will help get everyone to a quick resolution.

    *** Quick Edit
    The classic policies were created via Intune, which is why they existed in the first place. My users all still retain the Intune licences, however, as it is now the AAD licence that is covering this that is why the issue has occurred, it may also explain why the issue doesn't appear to be that widespread.

    7 people found this answer helpful.

  2. theodorbrander 56 Reputation points
    2019-12-19T09:51:49.983+00:00

    Dear Eric,

    1. Confirm you have the proper access level with your account.
    2. Try creating a custom policy and see if the information text changes to this: [image]

    If it changes, delete the custom policy and try again.

    If it doesn't work I would go for the Biju approach and create a ticket.

    BR
    Theodor

    1 person found this answer helpful.

  3. Mohamed Abdulmoez 16 Reputation points
    2022-05-16T11:32:38.953+00:00

    I just solved it now.

    I went to Azure Active Directory Admin Center -> Security -> Conditional Access -> Classic Policies.

    You may disable or delete the policy.

    In my case, this policy was created by ATP.

    1 person found this answer helpful.

  4. Scott Thomson 6 Reputation points
    2020-01-10T22:08:57.053+00:00

    I'm working with Support on the same issue. Just to provide some background, context is:

    1) Free/Basic AzureAD (whatever comes with O365). We are an indirect provider under the CSP program.

    2) Conditional Access/Baseline Policies are enabled: [Baseline policy: Require MFA for admins (Preview)], [Baseline policy: End user protection (Preview)].
    NOTE: Baseline policies were enabled per Microsoft's updated requirements from the CSP Partner program.

    4) I've tried the following, receiving the same 'classic policies' blocking error at each step:

    • Disabling the 2x Baseline policies
    • Located a number of 'classic policies' in the conditional access node and DISABLED
    • Deleted same classic policies when disabling them appeared to have no effect.

    5) I've now just tried @theodorbrander's suggestion to create a custom conditional policy. However, I do not get the demonstrated warning/error - just the same 'classic policy' error from the start of this thread.

    I'll try to report back on what I find out with support.


  5. Chinedu Alionye 1 Reputation point
    2022-07-15T11:15:20.937+00:00

    How can a classic policy be re-enabled once disabled?
