FabianSchlegel-5983 asked:

Azure AD Conditional Access policies are not applied

Hi there,

Since the disclosure of the on-prem Exchange Server vulnerabilities we are facing a huge wave of global sign-in attempts to 'Office 365 Exchange Online'. This puts our user accounts at serious risk and causes permanent user lock-outs. We want to mitigate this threat by using Azure AD Conditional Access policies, which we haven't used so far, to protect our users and prevent sign-ins from specific countries.

We have created the policies with the help of https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition but for some reason they don't apply. The rules are pretty straightforward:

  • User and Groups: Selected users for which the policy must apply

  • Cloud apps or actions: All cloud apps

  • Conditions: Locations --> Include --> Selected locations: A set of countries for which we want to block access

  • Grant: Block access

  • Session: -

The policy is 'report-only' for the moment. When I test the application/trigger of the policy using the What-If testing tool, the policy is supposed to apply. We have been monitoring the sign-ins for the selected users since then, but the policy is not applied/triggered in the Conditional access column. As a side note, we also created a second policy to enforce multi-factor authentication, but it doesn't apply either.

To rule out that this is a licensing issue: We use an Azure AD Premium P1 license and an Office E1 + EMS E3 on the user side.

We would be glad if you can offer any support on this issue! If you need further information to investigate, please let me know.

Kind regards,
Fabian Schlegel

Tags: azure-active-directory, azure-ad-multi-factor-authentication, azure-ad-conditional-access

Hey there Fabian,

Could you include a screenshot of your policy configuration?


Hi James, of course.

User and Groups: [screenshot 78130-microsoft-azure.png]

Cloud Apps or Actions: [screenshot 78271-microsoft-azure2.png]

Conditions: [screenshot 78177-microsoft-azure3.png]

Grant: [screenshot 78255-microsoft-azure4.png]

Named Location (the countries list is a named location with all countries but a few selected, i.e. Germany): [screenshot 78207-microsoft-azure5.png]


If I use the What-If tool, the policy seems to apply as intended, but unfortunately not on live sign-ins. In my understanding, a report-only policy should also indicate that it would apply here:

[screenshot 78227-microsoft-azure6.png]

JamesWestalll (replying to FabianSchlegel-5983):

Thanks for these @FabianSchlegel-5983


Looking at your policy, it looks mostly fine. The only thing I would change is "require some" to "require all" under the settings.

From there, you should be able to check the Report-Only blade on the sign-in logs, rather than the conditional access blade.

[screenshot 78269-image.png]




Another option you have, which I would consider easier, is to define a "trusted region" and then apply a policy which blocks access by default but excludes your trusted region.
Be wary with this, because if Microsoft mis-identifies or cannot pick the geo-location, you may prevent users from signing in.

Cheers,

JW

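The "trusted region" variant JW describes, written out with the Microsoft Graph PowerShell SDK as an added example (not code from the thread or from Microsoft's docs). The group and account object IDs and the country list are placeholders, and excluding an emergency-access account is an assumption added here rather than something the thread states.

```powershell
# Added example, not from the thread: JW's "trusted region" approach via the
# Microsoft Graph PowerShell SDK. IDs and country codes below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# 1. Named location listing the countries that ARE allowed to sign in.
#    includeUnknownCountriesAndRegions = $false: a sign-in whose country cannot be
#    resolved is not treated as trusted and therefore falls under the block (JW's caveat).
$trustedRegion = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Trusted region"
    countriesAndRegions               = @("DE")   # placeholder: your allowed countries
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: include ALL locations, exclude the trusted region, grant = block.
#    Scoped to a pilot group; a break-glass account is excluded (assumption added here)
#    so a geo-IP misclassification cannot lock every admin out. Report-only state.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-ins outside trusted region (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @("<pilot-group-object-id>")          # placeholder
            excludeUsers  = @("<break-glass-account-object-id>")  # placeholder
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($trustedRegion.Id)
        }
    }
    grantControls = @{
        operator        = "AND"        # "Require all" in the portal
        builtInControls = @("block")
    }
}

# 3. Report-only outcomes are recorded per sign-in under appliedConditionalAccessPolicies
#    (result = reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied). This is what
#    the Report-only tab JW points to shows, not the Conditional access column.
Get-MgAuditLogSignIn -Top 200 |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Id -eq $policy.Id } |
    Group-Object -Property Result |
    Select-Object Name, Count
```

Step 3 only shows results for sign-ins that happened after the policy was created; run it again once the monitored users have signed in.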

0 Answers