When you delete the policy cache, Azure AD Conditional Access policies are re-evaluated, and if the certificate-based policy is not met (e.g., because the certificate-based policy might have conditions or requirements that are not met at that moment), Azure AD falls back to other available methods, such as username/password.
CES/CEP KBR not working as expected
I have a CES/CEP server with two CES/CEP instances:
Username/password, key-based renewal allowed
Certificate-based, renewal only
The GPO sets an order with certificate-based as the default and username/password as second.
The initial request happens via username/password. When the certificate is issued and installed, I test the renewal, which happens perfectly via the certificate-based policy.
When I delete the policy cache, the renewal breaks (acquired as a silent error) and starts asking for credentials again. So it works as expected as long as the policy cache is there, which contains the cached password, I guess. The cache is only valid for 8 hours.
I need a situation in which, without the cache, the certificate is used for authentication. Does anybody know how to realize this?
I have already read most articles mentioning the same issue.
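The sequence the post describes (inspect the CEP servers the client knows about, clear the policy cache, retry a key-based renewal) as an added diagnostic walkthrough. This is example code written for this page, not code from the original poster or from Microsoft. The CEP URI and thumbprint are placeholders, and the `certutil -PolicyCache` and `certreq -Enroll ... Renew` switches are assumed to match the client's documented syntax; verify them with `certutil -PolicyCache -?` and `certreq -Enroll -?` before relying on the output. Pinning `-PolicyServer` is a way to observe which policy server the renewal actually uses, not a confirmed fix for the reported behaviour.

```powershell
# Added example, not from the original post. Reproduces the reported sequence:
# list the CEP servers the user context knows, optionally wipe the user policy
# cache, then retry a key-based renewal pinned to the certificate-authenticated CEP.
# ASSUMPTIONS: $CertAuthCepUri and $Thumbprint are placeholders; the certutil
# -PolicyCache and certreq -Enroll ... Renew ReuseKeys switches are assumed to be
# the client's documented KBR syntax and should be checked with -? on the client.

function Test-KeyBasedRenewal {
    param(
        # URI of the CEP instance configured for client-certificate authentication
        [Parameter(Mandatory)] [string] $CertAuthCepUri,
        # Thumbprint of the certificate obtained by the initial username/password enrollment
        [Parameter(Mandatory)] [string] $Thumbprint,
        # Clear the policy cache first to reproduce the failure described in the post
        [switch] $ClearCache
    )

    # 1. Which enrollment policy servers does the user context know about?
    Get-CertificateEnrollmentPolicyServer -Scope All -Context User | Format-List *

    # 2. Optionally drop the cached policy (assumed certutil syntax, see header).
    if ($ClearCache) {
        certutil -user -PolicyCache -delete
    }

    # 3. Confirm the certificate to renew is present and still has its private key.
    $cert = Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; key-based renewal cannot use it."
    }

    # 4. Renew against the certificate-authenticated CEP only, bypassing the GPO order.
    #    -q suppresses UI, so a fallback to username/password shows up as a non-zero
    #    exit code instead of a credential prompt.
    certreq -Enroll -user -q -PolicyServer $CertAuthCepUri -cert $Thumbprint Renew ReuseKeys
    $exit = $LASTEXITCODE

    # 5. Report whether a newer certificate with the same subject landed in the store.
    $newer = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.NotBefore -gt $cert.NotBefore } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        CertreqExitCode  = $exit
        RenewedCertFound = [bool]$newer
        NewThumbprint    = $newer.Thumbprint
    }
}

# Usage with placeholder values (replace with the real CEP URI and thumbprint):
# Test-KeyBasedRenewal -CertAuthCepUri 'https://cep.contoso.example/ADPolicyProvider_CEP_Certificate/service.svc/CEP' `
#                      -Thumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01' -ClearCache
```

Run it once with the cache intact and once with `-ClearCache`; comparing the two `CertreqExitCode` values, together with the policy server list printed in step 1, shows whether the client reaches the certificate-authenticated CEP at all after the cache is gone or immediately falls back to the username/password instance.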