Now that I have your attention: this sounds alarming, but in fact it is not, as you will see below.
As you know, Entra ID Conditional Access policies let you protect access to resources that authenticate through the Microsoft identity platform (Entra ID).
Well, let's dig into the issue. First, a bit of context.
Requirements
- Block access to all applications registered in Entra ID for a group of users and/or from a specific location (a country- or IP-based named location), except for a few selected applications
Implementation
Well, there is official Microsoft documentation for this: block all applications but allow specific ones (Conditional Access – Block access – Microsoft Entra ID | Microsoft Learn; the example there blocks all applications except Office 365).
In a nutshell, this requires two policies:
- one that blocks all resources, with the applications to be allowed listed as exclusions
- one that grants access to those same applications (usually requiring at least MFA)
The issue
Well, when you implement this (or have already implemented it), the result is unfortunately not what you expect.
All applications are blocked, even the one(s) selected to be allowed.
This is why it is not as alarming as it sounds: the policy over-blocks rather than under-blocks, so nothing is exposed that should not be, but it is a pain for troubleshooting and for the user experience.
The problem is linked to the use of "All resources" (formerly "All cloud apps").
For some reason, the Entra back-end does not honor the application exclusions when you block "All resources" with exceptions.
Microsoft is aware of the issue and is working on a fix, but there is no ETA. I got this from a Microsoft support request, which confirmed my configuration was correct and that the issue was on the back-end.
Unfortunately, there has been no official communication through the Message Center or the Service Health dashboard in either the Entra or the M365 admin portal.
The workarounds, until the fix is deployed, are either:
- Treat the location as allowed rather than blocked, which should not be too much trouble since you should be requiring MFA (or other controls) for the applications anyway
- Don't use "All resources" but "Select resources" and pick each application individually. This can be a bit painful, as there is no way to select all at once, but these applications should already be protected by a global Conditional Access policy requiring MFA, and they should require user assignment rather than being left open to everyone ("assignment not required"). In addition, many of the applications in Entra ID are either back-end applications that cannot interact with end users or applications that require administrative permissions anyway
There are similar issues when implementing passkeys in the Authenticator app with policies that use "All resources" (https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-support-authenticator-passkey?source=recommendations).
One of the workarounds mentioned by Microsoft is to use custom security attributes on applications and filter CA policies on those attributes (https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-support-authenticator-passkey?source=recommendations). It may be that, in general, companies will move to filtered applications instead of "All resources" in order to support future authentication scenarios transparently for all intended apps.
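To make the two-policy pattern from the Implementation section and the custom-security-attribute workaround concrete, here is how both look when created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft's documentation. The group ID, named location ID, service principal selection, and the custom security attribute set "ConditionalAccess" with its string attribute "AppScope" are placeholders and assumptions; they must already exist in your tenant. Both policies are created in report-only mode so you can check the sign-in logs (including whether the exclusions are honored) before enforcing anything.

```powershell
# Added example (not from the original post): the "block All resources with exclusions"
# pattern from the Microsoft article, the matching MFA grant policy, and the
# custom-security-attribute (CSA) filter variant that avoids "All resources".
# Assumptions: group/location IDs are placeholders; the CSA attribute set
# "ConditionalAccess" with string attribute "AppScope" already exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Application.Read.All",
                        "CustomSecAttributeAssignment.ReadWrite.All"

$restrictedGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: group of restricted users
$blockedLocationId = "00000000-0000-0000-0000-000000000002"   # placeholder: named location (country or IP range)
$allowedResources  = @("Office365")                           # Conditional Access's built-in Office 365 group; app IDs also work

# --- Pattern from the article: block "All resources" except the allowed ones ---
$blockAllExceptAllowed = @{
    displayName   = "CA900 - Block all resources except Office 365 for restricted users at blocked location"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" only after validating in report-only
    conditions    = @{
        users        = @{ includeGroups = @($restrictedGroupId) }
        applications = @{
            includeApplications = @("All")
            excludeApplications = $allowedResources    # the exclusions the post reports being ignored
        }
        locations    = @{ includeLocations = @($blockedLocationId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Second policy: grant the allowed resources, but require MFA
$allowSelectedWithMfa = @{
    displayName   = "CA901 - Require MFA for Office 365 for restricted users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($restrictedGroupId) }
        applications = @{ includeApplications = $allowedResources }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $blockAllExceptAllowed
New-MgIdentityConditionalAccessPolicy -BodyParameter $allowSelectedWithMfa

# --- Workaround: avoid "All resources"; tag the apps to block with a CSA and filter on it ---
# Enumerate enterprise applications (service principals tagged as integrated apps) instead of
# clicking them one by one, and skip the app IDs you intend to keep reachable.
$allowedAppIds = @("00000000-0000-0000-0000-0000000000aa")   # placeholder: appIds of apps to leave accessible
$appsToTag = Get-MgServicePrincipal -All `
    -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')" |
    Where-Object { $_.AppId -notin $allowedAppIds }

$csaValue = @{
    ConditionalAccess = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        AppScope      = "BlockAtRestrictedLocation"
    }
}
foreach ($sp in $appsToTag) {
    # Review $appsToTag before running this loop: it stamps every listed service principal.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -CustomSecurityAttributes $csaValue
}

# Block policy that selects resources through the CSA filter rather than "All resources"
$blockTaggedApps = @{
    displayName   = "CA902 - Block CSA-tagged resources for restricted users at blocked location"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($restrictedGroupId) }
        applications = @{
            includeApplications = @("None")    # nothing selected directly; the filter does the selection
            applicationFilter   = @{
                mode = "include"
                rule = 'CustomSecurityAttribute.ConditionalAccess_AppScope -eq "BlockAtRestrictedLocation"'
            }
        }
        locations    = @{ includeLocations = @($blockedLocationId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockTaggedApps
```

Leave all three policies in report-only mode for a few days and compare the sign-in log "Report-only" results: if the first policy reports "Failure" for sign-ins to the excluded resources, you are hitting the behavior described above, and the CSA-filtered policy gives you a way to reach the same outcome without "All resources". Whichever variant you enforce, keep the MFA grant policy in place so the allowed applications are never reachable without strong authentication.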
Cheerz, Reto