Azure AD Conditional Access What If tool says Not enough information, what does that mean?

Michiel van Heerde 21 Reputation points
2022-03-31T11:17:32.97+00:00

Hi,

I am configuring some new conditional access rules in Azure and am using the whatif tool to check their workings before putting them into production. With one rule the whatif tells me the reason for not being applied is: Not enough information.

Besides not being able to see what is wrong with the rule, I cannot find any information as to why there is not enough information; as far as I can see there is very little to no documentation on that specific reason. Funny thing is that when I test the rule on one account, the logs tell me that the rule is being applied, so that seems to contradict the whatif tool.

Has anybody seen this behavior or has anybody seen any documentation on this reason?

Kind regards,
Michiel

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Marilee Turscak-MSFT 36,946 Reputation points Microsoft Employee
    2022-04-08T16:55:52.367+00:00

    Hi everyone,

    I got an update from the product team that a fix has been pushed, but it may take up to two weeks for the changes to be applied in production.

    This is an issue only when the What-If tool is run on a Conditional Access policy (CAP) where there is a group assigned. Therefore, the workaround for now in this limited testing capacity is to assign users directly to the CAP instead of specifying a group.

    A recommended approach to test Conditional Access Policies and understand how a policy acts is to use the Conditional Access Report-Only mode functionality. The results are logged to the Conditional Access and Report-only tabs in the Sign-in log details. The Conditional Access Insights workbook in Activity Monitor can be used to visualize queries and the impact of multiple report-only policies for a given time-range, set of apps and users. This is a good option if you are currently testing policy assignments.

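An added example, not part of the original thread and not Microsoft's code, for the report-only approach recommended above: it tallies report-only results per policy from exported sign-in records and lists the users whose sign-in would have been blocked or interrupted. It assumes records shaped like Microsoft Graph `signIn` objects with an `appliedConditionalAccessPolicies` array; the policy names, users and records are constructed sample data.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the shape of Microsoft Graph signIn objects.
SAMPLE_SIGN_INS = json.loads("""
[
 {"userPrincipalName": "admin1@contoso.example",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for admins", "result": "reportOnlyInterrupted"},
   {"displayName": "Block legacy auth", "result": "success"}]},
 {"userPrincipalName": "admin1@contoso.example",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for admins", "result": "reportOnlyInterrupted"}]},
 {"userPrincipalName": "admin2@contoso.example",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for admins", "result": "reportOnlySuccess"}]},
 {"userPrincipalName": "user1@contoso.example",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for admins", "result": "reportOnlyNotApplied"}]},
 {"userPrincipalName": "svc1@contoso.example",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require compliant device", "result": "reportOnlyFailure"}]}
]
""")

# Results a policy in report-only mode can log for a sign-in.
REPORT_ONLY = {"reportOnlySuccess", "reportOnlyFailure",
               "reportOnlyInterrupted", "reportOnlyNotApplied"}
# Results meaning enforcement would have changed the sign-in (block or extra prompt).
WOULD_IMPACT = {"reportOnlyFailure", "reportOnlyInterrupted"}

def report_only_impact(sign_ins):
    """Per policy: count of each report-only result and the users who would be impacted."""
    tallies, impacted = defaultdict(Counter), defaultdict(set)
    for record in sign_ins:
        for policy in record.get("appliedConditionalAccessPolicies") or []:
            result = policy.get("result")
            if result not in REPORT_ONLY:
                continue  # enforced or disabled policies are not part of this review
            name = policy.get("displayName", "<unnamed>")
            tallies[name][result] += 1
            if result in WOULD_IMPACT:
                impacted[name].add(record.get("userPrincipalName", "<unknown>"))
    return {name: {"results": dict(counts), "impacted_users": sorted(impacted[name])}
            for name, counts in tallies.items()}

if __name__ == "__main__":
    print(json.dumps(report_only_impact(SAMPLE_SIGN_INS), indent=2))
```

A policy scoped to a group or directory role that shows only `reportOnlyNotApplied` for accounts expected to be in scope points to an assignment problem worth checking before the policy is switched on.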

10 additional answers

  1. Marilee Turscak-MSFT 36,946 Reputation points Microsoft Employee
    2022-03-31T22:33:07.67+00:00

    Hi @Michiel van Heerde ,

    I understand that you are seeing "Not enough information" in the What If tool when you are checking if your conditional access policies are being applied.

    I've seen some similar cases reported this week and the "Not Enough Information" message appears in two scenarios that I know of: 1) Groups are included in the Conditional Access policy, 2) The sign-in is not hitting AAD.

    Can you confirm whether it is a group that is the target of the conditional access policy?
    If not, are you able to capture a fiddler trace to see if the sign-in is hitting AAD?

    There is an open bug reported right now for the Groups issue, as well as a separate bug reported for the issue of the WhatIf tool showing contradictory information. I will keep you posted on the status of this bug, as there have been ongoing conversations about it today.

    I have also reached out to see if we can get this error added to our documentation.

    Thanks,

    Marilee


  2. Michiel van Heerde 21 Reputation points
    2022-04-01T08:49:33.17+00:00

    Hi @Marilee Turscak-MSFT ,

    Thanks for your reply.

    For this rule I have not used a security group; I did however use the predefined directory roles option to set the rule for Global Administrators. I have just changed the rule from Global Administrators to a specific global administrator account and now I do see the rule in the whatif tool in the applied section, so that indeed seems to be the issue.

    If you have more information on the bugs I would love to hear, or if you have a link to those issues so I can follow those that would be perfect.

    Kind regards,
    Michiel


  3. Marilee Turscak-MSFT 36,946 Reputation points Microsoft Employee
    2022-04-05T20:54:58.62+00:00

    Hi @Michiel van Heerde ,

    I just checked the bug and it looks like a push was fixed an hour ago.

    Would you be able to test again?

    Thanks for your patience.

    Marilee

    -

    If this answer helped resolve your question, please consider marking as answer so that others searching for the same issue can more easily find a solution.


  4. Michiel van Heerde 21 Reputation points
    2022-04-07T09:20:54.92+00:00

    Hi @Marilee Turscak-MSFT ,

    I have just tested and got the same results: not enough information in the WhatIf tool.

    Kind regards,
    Michiel

