This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 80%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
Hello,
I Am trying to get an conditional access policy to apply for logging on to an oauth enabled application. I Have created a very specific policy that should be applied when a specific user logs on to the specific cloud app. When testing the policy with the "What If", "what is" says the policy is to be applied but in real life it is not.
Any help would be much appreciated.
Regards
Peter
Hi,
Yes it is answered here https://www.reddit.com/r/AZURE/comments/s1wx6b/oauth2_w_registered_application_not_working/, and is seems to be some kind of issue with Oauth2.0 and conditional access policies.
Regards
Peter
@Peter Dufwa
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!
The user might have authenticated already using the browser and that is one of the reason why you see that MFA is not applying. In order to verify the MFA login events, you can go to the user blade as shown below and see, if any MFA events are being registered there.
Also, check if you are able to see the OATH verification code is logged as the authentication method in Authentication details tab as below:
----------
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hello,
Some updated info.
The logon is actually successful using single factor
and conditional MFA is not evaluated at all for the application
but in the browser we try to access the recourse from the following is displayed
Googling the 000000... code tells me that it has something to do with the ms graph, and indeed the application uses impersonation to gain access to user data in msgraph
My interpretation is for the application (for some reason) conditional mfa is not even evaluated so it proceeds and succeeds with single factor authentication but msgraph correctly applies the conditional policy and the logon fails.
Regards
Peter
Can you check if 'Security Defaults' are enabled for your tenant? The message you indicates can come in this condition. Disable it and check again
Azure Portal > Azure Active Directory > Properties > Manage Security Defaults > Enable Security Defaults button to NO
Hi,
It was and is set to NO.
Regards
Peter
As the security defaults are set as No, the MFA should work as expected. First make sure that the MFA is active for the user (Azure Active Directory>Users>Multi-Factor Authentication)
If that is fine, logout from all your open sessions like az cli PowerShell by az logout
Also, see, if you have any cloudshell sessions opened. Logout that too.
Logout from all your open azure accounts in browser also
Check it works after all these steps
If this is also not helps, create a new user and try if it helps !
Hi ManuPhilip
As the security defaults are set as No, the MFA should work as expected. First make sure that the MFA is active for the user (Azure Active Directory>Users>Multi-Factor Authentication) are you talking about Azure Active Directory>Users>Per-user MFA? Then it is turned off for all users.
Also found this which I think explain things https://www.reddit.com/r/AZURE/comments/s1wx6b/oauth2_w_registered_application_not_working/
Regards
Peter
I saw a method to activate conditional access for a user, if per-user mfa is not available for the user. Check it here: howto-mfa-userstates
@Peter Dufwa
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.