Application Conditional Access just not working...

M Jones 26 Reputation points
2020-08-14T17:55:40.87+00:00

I cannot seem to get application based conditional access working at all. We have a third-party application provider that has Microsoft Authentication enabled and this appears in our Azure AD under Enterprise Applications.

I have set up a basic Conditional Access Policy with the following settings:

User/Groups: Single test user
Cloud Apps or Actions: This one app
Access Controls: Block Access

When I try to log in as this user, access is granted. Things that make me think it is set up as it should be and is possibly a bug:

  • Under Azure AD logs the correct Application Name and ID are displayed
  • Under the Enterprise Application window I can see all the successful logins indicating the App is correctly linked
  • Running the 'What If' seems to suggest the conditions should be met
  • No other access policies are configured for this user to conflict with

When I look at the Conditional Access details under the log, however, it states Application: Not Satisfied. Any ideas where I could be going wrong, or how to get in touch with MS to rectify it?


4 answers

  1. Jon Alfred Smith 541 Reputation points
    2020-08-15T13:41:08.11+00:00

    The error message states: "Application: Not Satisfied." So perhaps your app does not fulfill the requirements. Now, I have only worked with app protection policies on iOS. This can only be done with apps built with the Intune SDK. There's a wrapper tool as well.

    Here though is a very interesting link, that might bring you further (if I'm not completely wrong, which might be the case).

    Conditional access – third party apps by Nick Hogarth (MVP)
    https://nhogarth.net/2019/02/13/conditional-access-third-party-apps/


  2. 2020-08-16T02:05:34.433+00:00

    @M Jones I can see you requested an access token for MS Graph but not for your own application. Conditional Access Policies apply to applications acting as resources or services (in this case it would be MS Graph) but not as clients. If you want to block access to the application as a client you need to restrict its users.


  3. 2020-08-16T19:16:41.26+00:00

    @M Jones Not through conditional access unless you are requesting an access token for (not through) your application:

    So instead of this:
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={your app id}&scope=https://graph.microsoft.com/.default

    You do something like this:
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={any app id}&scope={your app id uri}/.default

    Take a look at Configure an application to expose a web API for more information on how to make your application behave/act like a service or resource.

    ---

    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

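The point made in the two answers above (the Conditional Access policy is evaluated against the resource named in `scope`, i.e. the audience of the token being issued, not against the `client_id` making the request) can be checked offline. The following is an added example, not code from the original thread or from Microsoft: it builds the two authorize URLs from the answer, shows which resource each one targets, and then reads the `aud` claim of an access token to tell whether a policy scoped to "this one app" would have been consulted at all. The app ID, the `api://` App ID URI and the two tokens are constructed placeholders; the tokens are unsigned and are decoded for inspection only, never trusted.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GRAPH = "https://graph.microsoft.com"

# Placeholder app registration (assumption: not a real tenant or app).
APP_ID = "11111111-2222-3333-4444-555555555555"
APP_ID_URI = f"api://{APP_ID}"          # App ID URI set when the app exposes an API


def build_authorize_url(client_id, scope, redirect_uri="https://localhost/callback"):
    """Build a v2.0 authorize request. The resource the token will be issued
    for is determined by `scope`; `client_id` only says who is asking."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
    }
    return f"{AUTHORITY}?{urlencode(params)}"


def target_resource(url):
    """Return the set of resources an authorize URL asks a token for.
    A v2.0 scope is '<resource>/<permission>'; OIDC scopes such as
    openid/profile/offline_access carry no resource and are ignored."""
    query = parse_qs(urlsplit(url).query)
    scopes = query.get("scope", [""])[0].split()
    return {s.rsplit("/", 1)[0] for s in scopes if "/" in s}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_audience(jwt):
    """Read the aud claim of a JWT WITHOUT verifying the signature.
    This is a troubleshooting aid only; never make an access decision on it."""
    payload = jwt.split(".")[1]
    return json.loads(_b64url_decode(payload))["aud"]


def policy_would_apply(jwt, app_id, app_id_uri):
    """A Conditional Access policy whose 'Cloud apps' target is one app is
    evaluated only when the token's audience is that app. v2.0 tokens carry
    the app (client) ID in aud, v1.0 tokens carry the App ID URI, so accept both."""
    return token_audience(jwt) in (app_id, app_id_uri)


def make_unsigned_token(claims):
    """Constructed, unsigned JWT for demonstration (alg=none, empty signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one issued for Graph, one issued for the app itself.
GRAPH_TOKEN = make_unsigned_token({"aud": GRAPH, "appid": APP_ID, "scp": "User.Read"})
APP_TOKEN = make_unsigned_token({"aud": APP_ID, "appid": APP_ID, "scp": "access_as_user"})


if __name__ == "__main__":
    # The URL from the question: the app is the client, Graph is the resource.
    wrong = build_authorize_url(APP_ID, f"{GRAPH}/.default")
    # The URL from the answer: any client, the app itself is the resource.
    right = build_authorize_url(APP_ID, f"{APP_ID_URI}/.default")
    print("targets:", target_resource(wrong), "->", target_resource(right))
    for name, tok in (("graph token", GRAPH_TOKEN), ("app token", APP_TOKEN)):
        print(f"{name}: aud={token_audience(tok)} "
              f"policy on app applies={policy_would_apply(tok, APP_ID, APP_ID_URI)}")
```

When the sign-in log shows "Application: Not Satisfied", pull the `aud` claim of the token that was actually issued (the Resource column in the sign-in log shows the same thing): if it is Graph rather than your app, the policy was never in scope, and the fix is to expose an API on the app and request `api://<app id>/...` scopes as the answer describes.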

  4. James Hamil 24,311 Reputation points Microsoft Employee
    2020-08-31T18:29:06.343+00:00

    Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.

