Is Conditional Access Not Applied Unless a User Enters Correct Credentials?

JH 26 Reputation points
2021-07-15T20:52:11.987+00:00

I have applied a conditional access policy blocking login attempts using legacy clients. In the Microsoft Azure Sign-ins portal, is Conditional Access not applied unless a user correctly enters a password? Sign-ins are logged with "Conditional Access: Not Applied" if the sign-in fails, but are logged with "Failure" only if an entered password is correct. See images below.

I believe this is the correct behavior, but seeing "Conditional Access: Not Applied" for a user that has an applied policy is a bit misleading.

[Images: 115181-accesspolicy1.png, 115182-accesspolicy2.png]


1 answer

  1. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2021-07-15T22:03:19.837+00:00

    @JH
    Thank you for the detailed post!

    Yes, what you described is correct behavior. When it comes to Conditional Access policies, they're only enforced after first-factor authentication (i.e. password login) is completed. For more info.

    Additional Links:
    Conditional Access: Block legacy authentication

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
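
One way to triage exported sign-in records in light of the answer above, as an added example that is not part of the original thread or Microsoft's own code: it separates legacy-client sign-ins that failed before Conditional Access was evaluated (the expected "Not Applied" case) from ones the policy blocked and from ones that succeeded and so point to a gap in policy scope. Field names follow the Microsoft Graph signIn resource; the sample records, the label names and the rule that any client other than the two listed counts as legacy are assumptions.

```python
import json
from collections import Counter

# Assumption: these two clientAppUsed values are the modern-auth clients;
# every other value is treated as a legacy client.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records (not real log data), shaped like Microsoft Graph
# signIn entries: errorCode 0 = success, 50126 = invalid username or password,
# 53003 = blocked by Conditional Access.
SAMPLE = json.loads("""
[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
  "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Browser",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
]
""")

def classify(rec):
    """Label one sign-in record for a block-legacy-authentication review."""
    if rec["clientAppUsed"] in MODERN_CLIENTS:
        return "modern-client"
    ca = rec["conditionalAccessStatus"]
    code = rec["status"]["errorCode"]
    if ca == "failure":
        return "blocked-by-policy"      # first factor passed, policy evaluated and blocked
    if code == 0:
        return "policy-gap"             # legacy sign-in succeeded: check policy scope
    if ca == "notApplied":
        return "failed-before-policy"   # expected: policy was never evaluated
    return "other"

def review(records):
    """Return (counts per label, sorted users whose legacy sign-in succeeded)."""
    labels = [(classify(r), r["userPrincipalName"]) for r in records]
    counts = Counter(label for label, _ in labels)
    gaps = sorted({user for label, user in labels if label == "policy-gap"})
    return counts, gaps

if __name__ == "__main__":
    counts, gaps = review(SAMPLE)
    print(dict(counts), gaps)
```

Only the "policy-gap" label calls for a change to the policy's assignments; "failed-before-policy" entries are the behaviour the answer describes.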

