Newbie question - What should happen with Azure Conditional Access when no policy matches?

SKT 146 Reputation points
2022-05-24T05:15:08.393+00:00

Hi all,

A newbie question about Azure MFA/conditional access.

We have a single policy in our conditional access that has the following settings:
All Users
Selected app - Office365
Condition - Exclude our office public IP address
Grant - require MFA

We now have a new cloud app that authenticates with Azure AD - this all works fine, but I see in the "Sign-in logs" in the "Conditional Access" column "Not Applied".
This is as expected, because our single policy only applies to Office365 and not the new app.

What happens, though, is that users are prompted for MFA every time they log in.

What I would like to know is why they get MFA prompts for an app that does not match any policy.
What happens to authentication when it doesn't match a policy?
Is there some sort of hidden rule that says if you don't match any policies you have to use MFA?

Thanks, Simon


2 answers

  1. Michel de Rooij 1,546 Reputation points MVP
    2022-05-24T06:29:08.83+00:00

    MFA can be enforced on multiple levels. If you inspect the Azure portal > Sign-in logs, it should provide clues on what possibly triggered the MFA challenge.


  2. AmanpreetSingh-MSFT 56,876 Reputation points Moderator
    2022-05-24T07:07:55.8+00:00

    Hi @SKT • Thank you for reaching out. Please find my response inline.

    What I would like to know is why do they get MFA prompts for an app that does not match any policy?

    Apart from the Conditional Access policy, an MFA prompt or MFA registration prompt can be triggered by the services/settings below for users accessing your cloud application:

    1. Azure AD Identity Protection (https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy) - Requires Azure AD Premium P2 license.
    2. Per-user MFA (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates) - To enable MFA on the individual user accounts.
    3. Security Defaults (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) - This option gets disabled when the Conditional Access policy is used. So this is unlikely to be triggering MFA in your case.

    What happens to authentication when it doesn't match a policy?

    When applied, a Conditional Access policy is used to add conditions that must be met to issue authentication tokens. If the Conditional Access policy is not applicable (users/apps don't fall into the policy scope), users will be authenticated without being required to meet the conditions, and a token will be issued to access the services/resources.

    Is there some sort of hidden rule that says if you don't match any policies you have to use MFA?

    There are no hidden rules, but there may be scenarios where you apply a Conditional Access policy to app1, and any other application that calls/utilizes app1 to work will also be affected by the CA policy.

    If the above-mentioned settings are not configured and you cannot identify the source of the MFA prompt, please perform the below steps:

    1. Access your new cloud app
    2. Do NOT perform MFA, and let it fail.
    3. From the error page, copy the correlation ID and timestamp and share that. I will try to track the activity to identify what is causing the MFA prompt.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
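The triage the answer describes (check which of the three sources is behind the prompt, and otherwise collect the correlation ID) can be done offline against an export of the sign-in logs. The following Python script is an added example, not code from this thread or from Microsoft; it reads records in the shape of the Microsoft Graph `signIn` resource (`authenticationRequirement`, `conditionalAccessStatus`, `appliedConditionalAccessPolicies`, `correlationId`) and lists every sign-in that required MFA while Conditional Access reported "notApplied", together with a best-guess source. The sample records are constructed, and the mapping from `authenticationRequirementPolicies[].requirementProvider` values to the sources named above (per-user MFA, Identity Protection, a CA policy on a dependent app) is my assumption about how those values are populated, not an official table.

```python
"""Triage exported sign-in log records: find sign-ins that required MFA even
though no Conditional Access (CA) policy applied, and label the likely source."""
import json
from typing import Dict, Iterable, List

# Constructed sample records, shaped like the Microsoft Graph `signIn` resource
# (GET /auditLogs/signIns). Only the fields read below are included; every
# value (users, apps, IPs, correlation IDs) is made up for illustration.
SAMPLE_SIGNINS_JSON = """
[
  {"id": "s1", "createdDateTime": "2022-05-24T05:01:00Z",
   "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365",
   "correlationId": "11111111-1111-1111-1111-111111111111",
   "authenticationRequirement": "multiFactorAuthentication",
   "conditionalAccessStatus": "success",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA for O365", "result": "success"}],
   "authenticationRequirementPolicies": [
     {"requirementProvider": "multiConditionalAccess", "detail": "Require MFA for O365"}]},
  {"id": "s2", "createdDateTime": "2022-05-24T05:02:00Z",
   "userPrincipalName": "bob@contoso.example", "appDisplayName": "New Cloud App",
   "correlationId": "22222222-2222-2222-2222-222222222222",
   "authenticationRequirement": "multiFactorAuthentication",
   "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA for O365", "result": "notApplied"}],
   "authenticationRequirementPolicies": [
     {"requirementProvider": "user", "detail": "Per-user MFA"}]},
  {"id": "s3", "createdDateTime": "2022-05-24T05:03:00Z",
   "userPrincipalName": "carol@contoso.example", "appDisplayName": "New Cloud App",
   "correlationId": "33333333-3333-3333-3333-333333333333",
   "authenticationRequirement": "multiFactorAuthentication",
   "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": [],
   "authenticationRequirementPolicies": [
     {"requirementProvider": "tenantSessionRiskPolicy", "detail": "Sign-in risk"}]},
  {"id": "s4", "createdDateTime": "2022-05-24T05:04:00Z",
   "userPrincipalName": "dave@contoso.example", "appDisplayName": "New Cloud App",
   "correlationId": "44444444-4444-4444-4444-444444444444",
   "authenticationRequirement": "singleFactorAuthentication",
   "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": [],
   "authenticationRequirementPolicies": []},
  {"id": "s5", "createdDateTime": "2022-05-24T05:05:00Z",
   "userPrincipalName": "erin@contoso.example", "appDisplayName": "New Cloud App",
   "correlationId": "55555555-5555-5555-5555-555555555555",
   "authenticationRequirement": "multiFactorAuthentication",
   "conditionalAccessStatus": "notApplied",
   "appliedConditionalAccessPolicies": [],
   "authenticationRequirementPolicies": []}
]
"""

# ASSUMPTION: how `requirementProvider` values map onto the MFA sources listed
# in the answer above. Verify against the tenant's own logs before relying on it.
PROVIDER_SOURCE = {
    "user": "per-user MFA (legacy Enabled/Enforced state on the account)",
    "tenantSessionRiskPolicy": "Identity Protection sign-in risk policy",
    "accountCompromisePolicies": "Identity Protection user risk policy",
    "v1ConditionalAccessDependency": "Conditional Access policy on a dependent app",
    "v1ConditionalAccess": "Conditional Access (classic policy)",
    "multiConditionalAccess": "Conditional Access",
    "nextGenerationConditionalAccess": "Conditional Access",
}


def classify_mfa_source(signin: Dict) -> str:
    """Return a human-readable guess at what required MFA for one sign-in."""
    if signin.get("authenticationRequirement") != "multiFactorAuthentication":
        return "no MFA required"
    # A CA policy that actually enforced a grant control shows result "success".
    applied = [p.get("displayName", "?")
               for p in signin.get("appliedConditionalAccessPolicies", [])
               if p.get("result") == "success"]
    if signin.get("conditionalAccessStatus") == "success" and applied:
        return "Conditional Access: " + ", ".join(applied)
    for pol in signin.get("authenticationRequirementPolicies", []):
        source = PROVIDER_SOURCE.get(pol.get("requirementProvider", ""))
        if source:
            return source
    # Nothing in the record explains the prompt: this is the case where the
    # correlation ID and timestamp are what support will ask for.
    return "unknown; collect correlationId and timestamp"


def triage(signins: Iterable[Dict]) -> List[Dict]:
    """One row per sign-in that required MFA while CA status was 'notApplied'."""
    rows = []
    for s in signins:
        if s.get("authenticationRequirement") != "multiFactorAuthentication":
            continue
        if s.get("conditionalAccessStatus") != "notApplied":
            continue
        rows.append({"id": s.get("id"), "time": s.get("createdDateTime"),
                     "user": s.get("userPrincipalName"), "app": s.get("appDisplayName"),
                     "correlationId": s.get("correlationId"),
                     "source": classify_mfa_source(s)})
    return rows


def load_sample() -> List[Dict]:
    """Parse the constructed sample; swap in json.load(open(path)) for a real export."""
    return json.loads(SAMPLE_SIGNINS_JSON)


if __name__ == "__main__":
    for row in triage(load_sample()):
        print(f"{row['time']} {row['user']:<24} {row['app']:<14} "
              f"{row['correlationId']}  -> {row['source']}")
```

Run it against a real export (for example the JSON returned by `GET /auditLogs/signIns` filtered to the new app) and the rows whose source is "unknown" are exactly the ones worth handing over with their correlation ID, as the answer suggests; rows labelled per-user MFA point at the per-user MFA portal, and rows labelled Identity Protection point at the risk policies.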

