Conditional Access is not working when I select SPA as web platform

TPlink 61 Reputation points
2020-07-07T08:13:18.033+00:00

Hi,
I did the steps below to test Conditional Access; it is not working for my own public DNS name (like https://aaa.xxx.com).

Here are the detailed steps:
Step 1: Register a new app in App registrations, named test003. Select single tenant; in the Redirect URI part, select SPA and add the redirect URL as my public domain (https://aaa.xxx.com); you need to replace it with your own domain. Make sure the application will be deployed on the server which your domain points to.

Step 2: In the Authentication blade, select ID tokens in the Implicit grant section, and click the Save button.

Step 3: Download the MSAL demo (I downloaded it before, using the quickstart mode); I use the Node version. Open the authConfig.js file, replace the clientId with the application ID, replace authority with your tenant GUID, and replace the redirectUri with the domain which you added in the registration step.

Step 4: Go to the Azure portal "Enterprise applications", open the test003 application, and in "Users and groups", add one user you want to use for the test.

Step 5: Then go to the "Conditional Access" part and click the "New policy" link to create a new policy. Put policy001 as the name, add the same user you added in Step 4 to the assignments Users and groups, and the test003 app as the Cloud apps or actions. For the conditions, I select Location and allow any location. For Grant, I selected "Require multi-factor authentication", set Enable policy to On, and clicked the Create button to create the new policy.

Step 6: I can test the policy by using "What If". I selected the user I added in Step 4 and clicked the What If button; the Evaluation result shows policy001.

Step 7: I run the Node demo code and access my domain (e.g. https://aaa.xxx.com), then click the Sign In button on the top right. It pops up the sign-in window; I log in with the user, input username/password, and the login succeeds. BUT this is not what I expected: it should give me a new page after I input username/password asking me to do MFA.

Has someone met this issue before? I don't know how to resolve it. I tried selecting Web as the platform rather than SPA in Step 1, and that works.

Thanks
TP
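Added example, not code from the question or from the MSAL quickstart sample: an authConfig.js-style object with the three settings from Step 3 (all GUIDs are placeholders), plus a small helper that decodes the ID token MSAL hands back and reports whether its `amr` claim records that MFA was performed. That lets the app tell "MFA was satisfied without a fresh prompt, e.g. by an existing session" apart from "the token records no MFA", which complements the sign-in logs. Assumptions: the helper names (`inspectIdToken`, `makeUnsignedToken`, the base64url helpers) are mine; Azure AD documents `amr` for v1.0 ID tokens and a v2.0 token may omit it, so the helper returns `null` rather than `false` when the claim is absent. It decodes the payload only and does not verify the signature (MSAL validates the token it returns); the sample tokens are constructed and unsigned.

```javascript
// Added example, not code from the question or from the MSAL quickstart.
// Mirrors the authConfig.js settings from Step 3 and shows how a SPA can
// confirm from the ID token itself whether MFA was recorded for the sign-in,
// instead of relying on whether a prompt appeared.
// All GUIDs are placeholders; the tokens built below are constructed and unsigned.

const msalConfig = {
  auth: {
    clientId: "00000000-0000-0000-0000-000000000000", // placeholder: Application (client) ID of test003
    authority: "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111", // placeholder: tenant GUID
    redirectUri: "https://aaa.xxx.com", // the SPA redirect URI registered in Step 1
  },
};

// base64url helpers that work both in Node and in the browser.
function base64UrlEncode(text) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(text, "utf8").toString("base64")
    : btoa(String.fromCharCode(...new TextEncoder().encode(text)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(data) {
  let b64 = data.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}

// Decode the claims (payload) of a compact JWT. This does NOT verify the
// signature; MSAL validates the token it returns, this only inspects its claims.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise the claims relevant to the MFA grant:
//   aud - must equal our clientId, otherwise the token was not issued for this app
//   amr - authentication methods used; Azure AD adds "mfa" when MFA was performed
// (assumption: amr is present; v2.0 tokens may omit it, which is reported as null)
function inspectIdToken(idToken, expectedClientId) {
  const claims = decodeJwtPayload(idToken);
  const hasAmr = Array.isArray(claims.amr);
  return {
    audienceOk: claims.aud === expectedClientId,
    methods: hasAmr ? claims.amr : [],
    // null: the token carries no amr claim at all, so nothing can be concluded from it
    mfaSatisfied: hasAmr ? claims.amr.includes("mfa") : null,
  };
}

// Build a constructed, unsigned (alg "none") token for offline demonstration only.
function makeUnsignedToken(claims) {
  const header = { typ: "JWT", alg: "none" };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Constructed samples: password-only sign-in versus password + MFA.
const passwordOnly = makeUnsignedToken({ aud: msalConfig.auth.clientId, amr: ["pwd"] });
const withMfa = makeUnsignedToken({ aud: msalConfig.auth.clientId, amr: ["pwd", "mfa"] });

console.log(inspectIdToken(passwordOnly, msalConfig.auth.clientId)); // mfaSatisfied: false
console.log(inspectIdToken(withMfa, msalConfig.auth.clientId));      // mfaSatisfied: true
```

In the running sample, the token to inspect is the `idToken` field of the result MSAL returns after sign-in; a `null` result means the token carries no `amr` claim, and the sign-in logs are then the only place that shows which policy was applied.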

Microsoft Entra ID

1 answer

Dieter Koch 1 Reputation point
2020-07-07T10:07:56.447+00:00

Have a look in the Azure sign-in logs for either the user or the app.
It shows some details like which policies have been evaluated/not evaluated.

For testing, also try to do the login in a private browser session to make sure there are no cookies or open sessions.
