Conditional access issue
Hi @JustinMicheal-7973
Since your question is more related to Azure AD Conditional Access, I have removed the unrelated tags and added the correct tag "azure-ad-conditional-access" to it.
Thanks for your understanding and hope you will get the answer soon.
Hi @JustinMicheal-7973 • Thank you for reaching out.
If I understood your requirement correctly, you want to allow a specific set of users to be able to access Azure Portal only from a particular IP Address. Correct me if I am wrong.
If my understanding is correct, you don't need to create 2 Policies for this purpose. You can configure the policy settings as mentioned below:
Create a Named Location under Azure Active Directory > Security > Conditional Access > Named locations, e.g. Location1. For specific IP Address (not a subnet) use /32 CIDR.
Create a conditional access policy with below conditions:
a) Under Users and Groups > Add required users/groups.
b) Under Cloud apps or actions > Add Microsoft Azure Management
c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step1)
d) Under Access Control section > Grant > Block Access
e) Enable Policy > On > Create.
This policy will restrict the given set of users from accessing the Azure Portal from anywhere except Location1, which represents the IP address to be allowed.
When you create 2 policies, where Policy1 allows access and Policy2 blocks access, both policies will be evaluated and the most restrictive one takes precedence, which means access will be blocked in that case.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
@amanpreetsingh-msft We do require 2 policies as we only want these users to be able to only access the Azure portal (Microsoft Azure Management) and only from that specific location (named location).
With just 1 policy, AFAIK we wouldn’t be able to block these users from accessing other apps.
To my knowledge, there's nothing wrong with the policies; I need to know why, after a period of time, the policy suddenly gets applied at reauthentication and blocks (and is not applied at previous reauthentications).
Hi @JustinMicheal-7973 • I will test it out and will share my findings.
Hi @JustinMicheal-7973 • I did test the scenario in my lab. As you correctly mentioned, we do require 2 policies to block these users from accessing other apps. Could you please confirm if you have configured the 2 policies as mentioned below:
Policy1:
a) Under Users and Groups > Add required users/groups.
b) Under Cloud apps or actions > Add Microsoft Azure Management
c) Under Conditions > Locations > Include Any Location and Exclude Location1 (created in step1)
d) Under Access Control section > Grant > Block Access
Policy2:
a) Under Users and Groups > Add required users/groups.
b) Under Cloud apps or actions > Include All Cloud Apps and Exclude Microsoft Azure Management
c) Under Conditions > Locations > Include Any Location or leave it as Not configured.
d) Under Access Control section > Grant > Block Access
If this is how you have configured the policies and you are still facing the issue, kindly share the correlation ID and timestamp (with time zone) from the sign-in activity when the policy with the exception gets applied and the users' access is blocked.
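Added example, not from the thread or from Microsoft: a simplified model of how Conditional Access evaluates the two block policies described above (Policy1 and Policy2) together with the "most restrictive policy wins" rule from the earlier reply. Real evaluation covers many more conditions and signals; this only models users, cloud apps, IP-based named locations and the block-wins rule, with a constructed user name, app name and IP addresses.

```python
import ipaddress

# Constructed sample data: Location1 is a single IP expressed as a /32, as the answer suggests.
NAMED_LOCATIONS = {"Location1": [ipaddress.ip_network("203.0.113.10/32")]}
AZURE_MGMT = "Microsoft Azure Management"

# Policy1: Azure portal is blocked from any location except Location1.
POLICY1 = {
    "name": "Policy1", "users": {"alice"},
    "apps": {"include": {AZURE_MGMT}, "exclude": set()},
    "locations": {"include": "Any", "exclude": {"Location1"}},
    "grant": "block",
}
# Policy2: every other cloud app is blocked from everywhere.
POLICY2 = {
    "name": "Policy2", "users": {"alice"},
    "apps": {"include": "All", "exclude": {AZURE_MGMT}},
    "locations": {"include": "Any", "exclude": set()},
    "grant": "block",
}

def in_named_location(ip, name):
    """True if the sign-in IP falls inside any CIDR range of the named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAMED_LOCATIONS[name])

def policy_applies(policy, user, app, ip):
    """A policy applies only when user, app and location conditions all match."""
    if user not in policy["users"]:
        return False
    apps = policy["apps"]
    if apps["include"] != "All" and app not in apps["include"]:
        return False
    if app in apps["exclude"]:
        return False
    # "Any location" matches every IP; an excluded named location carves out a hole.
    if any(in_named_location(ip, n) for n in policy["locations"]["exclude"]):
        return False
    return True

def evaluate(policies, user, app, ip):
    """Return ("block", [blocking policy names]) if any applicable policy blocks,
    otherwise ("grant", [required controls]). A single block always wins."""
    applicable = [p for p in policies if policy_applies(p, user, app, ip)]
    blocking = [p["name"] for p in applicable if p["grant"] == "block"]
    if blocking:
        return "block", blocking
    return "grant", sorted({p["grant"] for p in applicable})
```

Running `evaluate([POLICY1], "alice", "Exchange Online", "198.51.100.7")` returns a grant, which is the gap the asker points out: Policy1 alone does nothing for apps other than the Azure portal.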
correlationid=a702e93b-53f9-4ab4-9d10-d0894132410-ca-3.txtec4f7ef