Conditional access policy that blocks sign-ins from outside the USA

Christine Fecteau 6 Reputation points
2022-03-30T13:36:13.173+00:00

We have a conditional access policy that blocks sign-ins from outside the USA. One of our users' accounts shows 32 log-in attempts last night, starting at 9:18pm. The majority of these were failures, blocked by the conditional access policy. Five show as successful, with conditional access policies not applied.

Additional details in the log:
first successful event:

  • MFA Claim has expired due to the policies configured on tenant
  • Authentication Requirement - single-factor authentication
  • Conditional Access: not applicable
  • Authentication details: Session Lifetime Policies Applied: Remember MFA

second successful event:

  • MFA requirement satisfied by claim in token
  • Authentication Requirement - single-factor authentication
  • Conditional Access: not applicable
  • Authentication details: Session Lifetime Policies Applied: Remember MFA

The other successful events had similar details as noted above. The user was using an Android mobile phone, accessing Outlook Mobile, SharePoint Android, and OneDrive.

We are concerned because clearly the policy should block any and all logins from outside the USA, yet this account was able to successfully connect from Germany. I'd appreciate any input or ideas on what's going on and how these logins were successful.

Thank you.


3 answers

  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2022-04-06T09:29:23.483+00:00

    Hi @Christine Fecteau, thank you for providing the required details to investigate the issue.

    By tracking the correlation ID, I found that the conditional access evaluation was skipped because of the 'bootstrap' scenario. There are multiple scenarios that CA considers as 'bootstrap', and one of them is when the target audience is OCaaS Client Interaction Service, which is a Microsoft service present by default in all Azure AD tenants. The "OCaaS Client Interaction Service" is usually accessed by the Office client applications such as Outlook, OneDrive, etc. to complete, without interruption, the flows these clients require to work properly.

    In your case, the application 'OneDrive' redeemed a refresh token to access OCaaS Client Interaction Service and the conditional access evaluation was skipped. We consider such scenarios as expected behavior that can be safely ignored. Looking at the screenshot that you shared, I can see that all applications are within the scope of the CA policy. So, CA policy evaluation will only be skipped for the bootstrap services and not for other services.

    Another example of the bootstrap scenario is Intune Management Setup, for which CA evaluation is skipped in favor of Intune to complete its flow uninterruptedly.

    Hope this information helps address your concerns.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
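    As an added example (not part of this answer and not Microsoft tooling), the following Python triages exported sign-in records using the distinction described above: a successful sign-in from outside the allowed countries with Conditional Access "not applied" is treated as expected only when the target resource is one of the bootstrap services named in this thread; any other such sign-in is flagged for investigation. Field names follow the Microsoft Graph signIn schema; the records are constructed sample data, and the bootstrap list contains only the two resources mentioned above.

    ```python
    import json
    from collections import Counter

    # Resources this thread names as Conditional Access "bootstrap" targets.
    BOOTSTRAP_RESOURCES = {"OCaaS Client Interaction Service", "Intune Management Setup"}

    # Constructed sample records shaped like Microsoft Graph signIn objects (subset of fields).
    SAMPLE_LOG = json.dumps([
        {"userPrincipalName": "user@example.com", "appDisplayName": "Outlook Mobile",
         "resourceDisplayName": "Office 365 Exchange Online",
         "location": {"countryOrRegion": "DE"}, "conditionalAccessStatus": "failure",
         "status": {"errorCode": 53003}},  # blocked by CA policy
        {"userPrincipalName": "user@example.com", "appDisplayName": "OneDrive",
         "resourceDisplayName": "OCaaS Client Interaction Service",
         "location": {"countryOrRegion": "DE"}, "conditionalAccessStatus": "notApplied",
         "status": {"errorCode": 0}},  # bootstrap audience, CA skipped
        {"userPrincipalName": "user@example.com", "appDisplayName": "SharePoint Android",
         "resourceDisplayName": "Office 365 SharePoint Online",
         "location": {"countryOrRegion": "DE"}, "conditionalAccessStatus": "notApplied",
         "status": {"errorCode": 0}},  # non-bootstrap resource, CA skipped: suspicious
        {"userPrincipalName": "user@example.com", "appDisplayName": "Outlook Mobile",
         "resourceDisplayName": "Office 365 Exchange Online",
         "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success",
         "status": {"errorCode": 0}},  # in-country, policy applied and satisfied
    ])

    def triage(log_json, allowed_countries):
        """Return (findings, blocked_per_user) for sign-ins outside allowed_countries.

        findings: successful out-of-country sign-ins, each with a verdict of
        'expected-bootstrap' (CA not applied, bootstrap resource) or 'investigate'.
        blocked_per_user: count of sign-ins the CA policy blocked, per user.
        """
        findings, blocked = [], Counter()
        for r in json.loads(log_json):
            user = r["userPrincipalName"]
            country = r.get("location", {}).get("countryOrRegion", "unknown")
            if r["status"]["errorCode"] != 0:
                if r["conditionalAccessStatus"] == "failure":
                    blocked[user] += 1
                continue
            if country in allowed_countries:
                continue
            ca_skipped = r["conditionalAccessStatus"] == "notApplied"
            bootstrap = r["resourceDisplayName"] in BOOTSTRAP_RESOURCES
            verdict = "expected-bootstrap" if ca_skipped and bootstrap else "investigate"
            findings.append({"user": user, "country": country, "app": r["appDisplayName"],
                             "resource": r["resourceDisplayName"], "verdict": verdict})
        return findings, blocked
    ```

    Run `triage(SAMPLE_LOG, {"US"})` to see one expected bootstrap sign-in and one sign-in to SharePoint Online that the policy never evaluated, which is the kind of event worth following up with the correlation ID.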

  2. Jasreet Singh 176 Reputation points
    2022-04-04T05:23:56.213+00:00


    Conditional Access policy needs to check conditions to validate the allow/deny action.
    Please check the parameters of the allowed sessions and make sure to cover as many conditions as possible when you're denying the connections.

    You can use platforms, device state and client files to filter the deny connections.


  3. Bogdan Miniosu 1 Reputation point
    2023-03-09T22:36:11.86+00:00

    Hey there,
    Is there a place where we can read more about this CA 'bootstrap' scenario?

    I'd be very interested to understand what is considered bootstrap (the client application & target resource & endpoint call combination - a complete list).

    Thanks!
