question

0 Votes
TheRusseller1-3951 asked TeemuHietala-8001 commented

AAD Conditional Access Policy not applying to App Registration

I have recently registered an enterprise app in my tenant which is being used by users on macOS and iOS devices to authenticate using their corporate identity. The conditions in the policy are below:

- Specific users
- macOS and iOS platforms
- Cloud app is specified
- Grant access only when authenticated with MFA

Within the AAD sign-in logs, I'm not seeing that the CAP is being applied. It looks like the conditions are not matching with the application name and therefore the conditional access policy is not applying.

However...

When selecting all cloud apps in the CAP, MFA is being required at sign-in and the policy shows it has been enforced, as the CAP has matched with the application name. This is also the same result when I select the newly registered app together with other built-in apps such as O365: the CAP is then being applied.

The resource ID listed in each of the sign-ins is as shown below:

Resource
Microsoft Graph
Resource ID
00000003-0000-0000-c000-000000000000

The resource ID 00000003-0000-0000-c000-000000000000 is actually for the GraphAggregatorService. I have set specific application permissions along with delegated API permissions for the app registration, but I'm still receiving the same results.

Without the ability to see any kind of advanced monitoring when the users attempt to sign in, and not being able to see exactly what's happening at the backend, I'm struggling to understand why the CAP policy to enforce MFA does not work when just assigned to this single cloud app, but when combined with others it does work.

Any thoughts would be appreciated.

azure-ad-conditional-access
· 3

Are you able to provide a screenshot of your Conditional Access policy configuration? Could you also provide the logs you are seeing and the correlation ID (+ timestamp)?

Did you make sure that this isn't conflicting with another Conditional Access policy and that "Cloud Apps or Actions:" is set to "All cloud apps"?

0 Votes

@MarileeTurscak-MSFT thank you for your reply. I can confirm the below:

Date
9/3/2021, 5:46:52 PM
Correlation ID
c8b09853-77f5-471c-b75f-e3525f31f85a

As you can see, the authentication was successful; however, the conditional access policy did not apply, as it did not match with the application, nor did it match with the user.

The conditional access policy is not set to All Cloud Apps, as I do not want this to apply to all cloud apps as well. I know from testing that that does work as expected; however, just this app registration standalone, with either include or exclude in a CA, does not work unfortunately.

Keen to hear your thoughts.

1 Vote

I would love an answer to this as well, as we're having the exact same problem with Conditional Access.

The sign-in seems to go towards GraphAggregatorService, even though the sign-in shows the accessed app as the custom app we're using, so the CAP doesn't match. So far I haven't found any workaround to this.

0 Votes
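To make the mismatch described in the question and in the last comment visible in the logs, here is an added triage script (not from the thread or from Microsoft) that reads exported sign-in records in the shape of the Graph `auditLogs/signIns` objects and reports, per correlation ID, whether the policy applied or whether the token was issued for Microsoft Graph rather than for the custom app. The sample records, the custom app's client ID and the policy name are constructed placeholders.

```python
import json

# Well-known resource ID for Microsoft Graph, as quoted in the thread.
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample sign-in records (only the fields used here).
# The appId is a placeholder for the custom app registration's client ID.
SAMPLE_SIGNINS = json.loads("""
[
  {"correlationId": "aaaaaaaa-0000-0000-0000-000000000001",
   "appId": "11111111-2222-3333-4444-555555555555",
   "appDisplayName": "Custom Mac/iOS App",
   "resourceId": "00000003-0000-0000-c000-000000000000",
   "resourceDisplayName": "Microsoft Graph",
   "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": []},
  {"correlationId": "aaaaaaaa-0000-0000-0000-000000000002",
   "appId": "11111111-2222-3333-4444-555555555555",
   "appDisplayName": "Custom Mac/iOS App",
   "resourceId": "00000003-0000-0000-c000-000000000000",
   "resourceDisplayName": "Microsoft Graph",
   "conditionalAccessStatus": "success",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA - all cloud apps", "result": "success"}]}
]
""")


def explain_ca_match(signin, custom_app_id, policy_name):
    """Verdict on why a policy scoped to custom_app_id did or did not apply."""
    applied = {p["displayName"] for p in signin["appliedConditionalAccessPolicies"]}
    if policy_name in applied:
        return "applied"
    # The 'cloud app' condition is evaluated against the resource the token is
    # requested for, not the client app that started the sign-in. A custom
    # client asking for a Microsoft Graph token therefore never matches a
    # policy that targets the custom app itself.
    if signin["appId"] == custom_app_id and signin["resourceId"] != custom_app_id:
        return "resource mismatch: token issued for " + signin["resourceDisplayName"]
    return "not applied"


def triage(signins, custom_app_id, policy_name):
    """Map each correlation ID to its verdict, for pasting into a support case."""
    return {s["correlationId"]: explain_ca_match(s, custom_app_id, policy_name)
            for s in signins}


if __name__ == "__main__":
    for cid, verdict in triage(SAMPLE_SIGNINS, "11111111-2222-3333-4444-555555555555",
                               "Require MFA - Custom App").items():
        print(cid, verdict)
```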

0 Answers