Conditional Access Policy applying to cloud app that is excluded in the policy

Question

Conditional Access Policy applying to cloud app that is excluded in the policy

Alex Rourke 21

We enforce MFA for users via a conditional access policy. We have an application that does not support MFA and, based on the nature of the application, we are OK not enforcing conditional access on this application. Accordingly, we've excluded the app in the conditional access policy's "Cloud apps or actions" section. Lets all this policy "Policy 1". This appeared to work when we set it up. However, looking through Azure AD sign in logs today, I can see that users are failing to log in to the application and, when I look at why, I can see they are failing on "Policy 1" because this policy is enforcing MFA. The sign in event is clearly associated with this app and I can verify that this app is excluded in "Policy 1", yet the policy is still firing. The app has been excluded now for over a month (this is not a recent change). Why is the conditional access policy still applying even though the app is excluded within the policy?

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-04-20T13:57:43.497+00:00

Hi @Alex Rourke • Please share the correlation ID and timestamp (in UTC or specify the timezone if not in UTC) from the sign-in activity where you see the policy getting applied to the excluded cloud app. I will try to track it down to identify the cause of the issue.
Alex Rourke 21 Reputation points

2022-04-20T14:17:17.89+00:00

@AmanpreetSingh-MSFT An example correlation ID is 9e6390df-663a-40f0-bf8e-dddaa390b3ff at 4/20/2022, 11:31:56 AM UTC. I've since added the IP addresses as exclusions to the policy. However, this event and all that preceded it occurred before this change was made. The policy in question is called "All User MFA" Thanks for your help.
Patrick Tippner 1 Reputation point

2023-01-11T21:02:38.2933333+00:00

@AmanpreetSingh-MSFT I suspect that we might have a similar issue with an application that we're trying to use in our environment, which was explicitly excluded but still seems to match through the "all cloud apps" setting. Would you be able to check if the same situation applies here?

Date

11.1.2023, 21:40:54 (UTC+1)

Correlation ID

4fb78fbf-07f3-4b51-9322-664a7d8a0098

Accepted answer

1 additional answer

Your answer

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-04-20T13:57:43.497+00:00

Hi @Alex Rourke • Please share the correlation ID and timestamp (in UTC or specify the timezone if not in UTC) from the sign-in activity where you see the policy getting applied to the excluded cloud app. I will try to track it down to identify the cause of the issue.
Alex Rourke 21 Reputation points

2022-04-20T14:17:17.89+00:00

@AmanpreetSingh-MSFT An example correlation ID is 9e6390df-663a-40f0-bf8e-dddaa390b3ff at 4/20/2022, 11:31:56 AM UTC. I've since added the IP addresses as exclusions to the policy. However, this event and all that preceded it occurred before this change was made. The policy in question is called "All User MFA" Thanks for your help.
Patrick Tippner 1 Reputation point

2023-01-11T21:02:38.2933333+00:00

@AmanpreetSingh-MSFT I suspect that we might have a similar issue with an application that we're trying to use in our environment, which was explicitly excluded but still seems to match through the "all cloud apps" setting. Would you be able to check if the same situation applies here?

Date

11.1.2023, 21:40:54 (UTC+1)

Correlation ID

4fb78fbf-07f3-4b51-9322-664a7d8a0098

Answer 1

Hi @Alex Rourke • Thank you for providing the required information.

Looking at the details at our backend, I found that your Ba*****a Ne****s app calls the Windows Azure Active Directory Graph resource (App ID 00000002-0000-0000-c000-000000000000), and a policy that requires MFA is getting applied to this resource.

As the "All User MFA" policy includes all applications, the app 00000002-0000-0000-c000-000000000000 is also getting protected by this policy and is requiring MFA when this app is called.

Now, the challenge is, that this app doesn't get listed in the conditional access policy. So there is no easy solution to this problem i.e., excluding this app from the "All User MFA" Policy. To get it working without changing any other conditions of your CA policy, you need to explicitly specify the applications that you want to include in the CA Policy rather than including all cloud apps.

Ref: Application IDs for commonly used Microsoft applications

Hope this helps.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-04-21T06:21:53.887+00:00

Hi @Alex Rourke • Just checking if you had a chance to look into it.
Alex Rourke 21 Reputation points

2022-04-21T15:30:41.617+00:00

@AmanpreetSingh-MSFT This makes sense given how the app authenticates with Azure. For security reasons we don't want to exclude applications from MFA by default. We were able to exclude the three IP addresses given to us by the vendor and this has resolved the issue for now. In the longer term, we'll pressure the vendor to switch to SAML. Thanks for your help!

Answer 2

Marc van Gorp 0

Excluding "Directory Synchronization Accounts" in the Conditional Access policies that enforce MFA did the trick for me.

The account used for synchronization itself was already excluded from MFA. However, this turned out to be insufficient.

I did not need to explicitly define which Entra ID apps should be subject to MFA.

Share via

Conditional Access Policy applying to cloud app that is excluded in the policy

1 additional answer

Your answer