JustinMicheal-7973 asked amanpreetsingh-msft rolled back

permission issue

Conditional access issue


Hi @JustinMicheal-7973
Since your question is more related to Azure AD Conditional Access, I have removed the unrelated tags and added the correct tag “azure-ad-conditional-access” to it.
Thanks for your understanding, and I hope you will get the answer soon.

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @JustinMicheal-7973 • Thank you for reaching out.

If I understood your requirement correctly, you want to allow a specific set of users to be able to access Azure Portal only from a particular IP Address. Correct me if I am wrong.

If my understanding is correct, you don't need to create 2 policies for this purpose. You can configure the policy settings as mentioned below:

  1. Create a Named Location under Azure Active Directory > Security > Conditional Access > Named locations, e.g. Location1. For a specific IP address (not a subnet) use a /32 CIDR.

  2. Create a conditional access policy with the conditions below:
    a) Under Users and Groups > Add the required users/groups.
    b) Under Cloud apps or actions > Add Microsoft Azure Management.
    c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step 1).
    d) Under Access Control section > Grant > Block Access.
    e) Enable Policy > On > Create.

This policy will restrict the given set of users from accessing the Azure Portal from anywhere except Location1, which represents the IP address to be allowed.

When you create 2 policies, where Policy1 allows access and Policy2 blocks access, both policies will be evaluated and the most restrictive one takes precedence, which means access will be blocked in that case.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


@amanpreetsingh-msft We do require 2 policies, as we only want these users to be able to access the Azure portal (Microsoft Azure Management) and only from that specific location (named location).

With just 1 policy, AFAIK we wouldn’t be able to block these users from accessing other apps.

To my knowledge, there’s nothing wrong with the policies; we need to know why, after a period of time, the policy suddenly gets applied at reauthentication and blocks access (and is not applied at previous reauthentications).


Hi @JustinMicheal-7973 • I will test it out and will share my findings.

amanpreetsingh-msft answered amanpreetsingh-msft rolled back

Hi @JustinMicheal-7973 • I did test the scenario in my lab. As you correctly mentioned, we do require 2 policies to block these users from accessing other apps. Could you please confirm whether you have configured the 2 policies as mentioned below:

Policy1:
a) Under Users and Groups > Add the required users/groups.
b) Under Cloud apps or actions > Add Microsoft Azure Management.
c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step 1).
d) Under Access Control section > Grant > Block Access.

Policy2:
a) Under Users and Groups > Add the required users/groups.
b) Under Cloud apps or actions > Include All Cloud Apps and Exclude Microsoft Azure Management.
c) Under Conditions > Locations > Include Any Location, or leave it as Not configured.
d) Under Access Control section > Grant > Block Access.

If this is how you have configured the policies and you are still facing the issue, kindly share the correlation ID and timestamp (with time zone) from the sign-in activity when the policy with the exception gets applied and the users' access is blocked.

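As an added illustration (not part of the answer above and not Microsoft's own evaluation code), a small Python model of how the two block policies combine under Conditional Access's most-restrictive-wins rule, including the /32 named location. The user name, IP addresses and app labels are constructed placeholders.

```python
import ipaddress

# Constructed sample data: a /32 named location holding exactly one address,
# as the answer advises for a single allowed IP.
NAMED_LOCATIONS = {"Location1": ["203.0.113.10/32"]}
AZURE_MANAGEMENT = "Microsoft Azure Management"

# The two policies from the answer. "All" stands for the portal's
# "Any location" / "All cloud apps" choices.
POLICY1 = {"name": "Policy1", "users": ["alice"],
           "apps": {"include": [AZURE_MANAGEMENT], "exclude": []},
           "locations": {"include": ["All"], "exclude": ["Location1"]},
           "grant": "block"}
POLICY2 = {"name": "Policy2", "users": ["alice"],
           "apps": {"include": ["All"], "exclude": [AZURE_MANAGEMENT]},
           "locations": {"include": ["All"], "exclude": []},
           "grant": "block"}

def ip_in_location(ip, location):
    """True if the sign-in IP falls inside any CIDR of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in NAMED_LOCATIONS[location])

def in_scope(policy, user, app, ip):
    """A policy applies only when user, app and location conditions all match."""
    if user not in policy["users"]:
        return False
    apps = policy["apps"]
    if app in apps["exclude"] or not ("All" in apps["include"] or app in apps["include"]):
        return False
    locs = policy["locations"]
    included = "All" in locs["include"] or any(ip_in_location(ip, l) for l in locs["include"])
    excluded = any(ip_in_location(ip, l) for l in locs["exclude"])
    return included and not excluded

def evaluate(policies, user, app, ip):
    """Every in-scope policy is evaluated; any 'block' result wins over a grant."""
    matched = [p for p in policies if in_scope(p, user, app, ip)]
    return "blocked" if any(p["grant"] == "block" for p in matched) else "allowed"

if __name__ == "__main__":
    both = [POLICY1, POLICY2]
    print(evaluate(both, "alice", AZURE_MANAGEMENT, "203.0.113.10"))  # allowed
    print(evaluate(both, "alice", AZURE_MANAGEMENT, "198.51.100.5"))  # blocked
    print(evaluate(both, "alice", "Exchange Online", "203.0.113.10"))  # blocked
    print(evaluate([POLICY1], "alice", "Exchange Online", "198.51.100.5"))  # allowed
```

The last call shows the point raised in the comments: Policy1 alone leaves every other cloud app reachable, so Policy2 is what closes that gap.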

correlationid=a702e93b-53f9-4ab4-9d10-d0894132410-ca-3.txtec4f7ef


ca-3.txt (4.2 KiB)