Conditional access not working for already configured outlook profile

James Nyunt 21 Reputation points
2022-03-08T06:51:54.227+00:00

Hi ,

I am testing Conditional access with trial P2 license. I configured the policy with block all access to Exchange online except trusted IP addresses. I then tested on non-trusted IP. Policy worked as expected, user can't login to OWA or create outlook profile. Then I disabled the policy and created the outlook profile on non-trusted IPs. After that I re-enabled the policy. I was expecting outlook to be not able to connect and get new email. But it wasn't the case. Outlook has no problem connecting and working as usual. Can someone explain why outlook (desktop client) still works?

Thanks

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,854 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 34,786 Reputation points Microsoft Employee
    2022-03-10T00:45:24.037+00:00

    Hi @James Nyunt ,

    I understand that you created a conditional access policy to block access to Exchange online except with trusted IPs, which you disabled and re-enabled. The policy was applied the first time, but after re-enabling the policy, the users were able to log in without being blocked.

    Is this a new session or the same session that was used for the initial login? Block access for devices is not applied until the session timeout expires. When a user signs in using their laptop and establishes a session, the user can continue to access everything until the session timeout expires. This is documented in the Block access by location with Azure AD Conditional Access guide.

    If this does not apply to your situation and your users are still able to access everything, there are some other reasons why this could be happening and several possible solutions.

    I would confirm that the policy is set to require "all of the selected accounts", confirm whether the login is showing up as success or failure, and whether the conditional access policy is getting applied.

    If you have not blocked legacy authentication protocols, this could also cause some issues as they do not support MFA and users can bypass Conditional Access this way. Exchange Online does a pre-auth step before sending the sign-in to Azure, so if you disable those methods in Exchange Online, it won't forward the request to Azure.

    You can use the "What If" tool to troubleshoot Conditional Access to troubleshoot which policies are being applied. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool

    To apply more layers of protection one option would be to create a trusted region and then apply a policy which blocks access by default, but excludes your trusted region. You could also consider applying smart lockout to your accounts.

    If these suggestions do not apply to your scenario, please share a screenshot of your conditional access policy configuration and user sign-ins and I will be able to better assess the situation.

    Let me know if this helps and if you have further questions

    -

    If this answer was helpful to you, please consider marking as answer so that others in the community with similar questions can more easily find a solution.


0 additional answers

Sort by: Most helpful