ChristineFecteau-8184 asked amanpreetsingh-msft edited

Conditional access policy that blocks sign-ins from outside the USA

We have a conditional access policy that blocks sign-ins from outside the USA. One of our users' accounts shows 32 log-in attempts last night, starting at 9:18pm. The majority of these were failures, blocked by the conditional access policy. Five show as successful, with conditional access policies not applied.

Additional details in the log:
first successful event:
- MFA Claim has expired due to the policies configured on tenant
- Authentication Requirement - single-factor authentication
- Conditional Access: not applicable
- Authentication details: Session Lifetime Policies Applied: Remember MFA

second successful event:
- MFA requirement satisfied by claim in token
- Authentication Requirement - single-factor authentication
- Conditional Access: not applicable
- Authentication details: Session Lifetime Policies Applied: Remember MFA

The other successful events had similar details as noted above. The user was using an Android mobile phone, accessing Outlook Mobile, SharePoint Android, and OneDrive.

We are concerned because clearly the policy should block any and all logins from outside the USA, yet this account was able to successfully connect from Germany. I'd appreciate any input or ideas on what's going on and how these logins were successful.

Thank you.


azure-ad-conditional-accessmem-intune-conditional-access
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @ChristineFecteau-8184 • Thank you for reaching out.

The conditional access policy must be "not applied" due to some conditions not getting satisfied.

For example, if you configure conditional access to be applied only to browser clients, the CA policy will not be applied if the user is using native/desktop apps, and will be applied to users using a web browser to access the protected resources.

If you can share the correlation ID and timestamp from a successful and a failure event from the Azure AD sign-in logs, I will try to track the differences in the auth requests.


@ChristineFecteau-8184 • Have you had a chance to look into it?

ChristineFecteau (replying to amanpreetsingh-msft):

Good morning, here's the requested information.

Failed event:
Date 3/29/2022, 8:18:57 PM
Request ID 1b141bdf-e60b-4ba8-b38a-fd4b446c0a00
Correlation ID c91037ca-8900-4295-9fb2-dadd3e821d65

Successful event:
Date 3/29/2022, 9:18:45 PM
Request ID 02d533ba-5c88-46dd-8b29-416e461a0d00
Correlation ID 7eb42061-7089-471d-84a5-d667a155b8f2

JasreetSingh answered ChristineFecteau commented

Conditional Access policy needs to check conditions to validate the allow/deny action.
Please check the parameters of the allowed sessions and make sure to cover as many conditions as possible when you're denying the connections.

You can use platforms, device state and client files to filter the deny connections.


capture.jpg (59.1 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

The policy is configured to block sign-ins from any location, except for three excluded locations.

amanpreetsingh-msft answered amanpreetsingh-msft edited

Hi @ChristineFecteau-8184 • Thank you for providing the required details to investigate the issue.

By tracking the correlation ID, I found that the conditional access evaluation was skipped because of the 'bootstrap' scenario. There are multiple scenarios that CA considers as 'bootstrap', and one of them is when the target audience is OCaaS Client Interaction Service, which is a Microsoft service present by default in all Azure AD tenants. The "OCaaS Client Interaction Service" is usually accessed by the Office client applications such as Outlook, OneDrive, etc. to complete, without interruption, the flows these clients require to work properly.

In your case, the application 'OneDrive' redeemed a refresh token to access OCaaS Client Interaction Service and the conditional access evaluation was skipped. We consider such scenarios as expected behavior and they can be safely ignored. Looking at the screenshot that you shared, I can see that all applications are within the scope of the CA policy. So, CA policy evaluation will only be skipped for the bootstrap services and not for other services.

Another example of the bootstrap scenario is Intune Management Setup, for which CA evaluation is skipped in favor of Intune to complete its flow uninterruptedly.

Hope this information helps address your concerns.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
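The triage a defender would want after this answer, as an added example that is not part of the thread or any Microsoft tool: given sign-in records in the shape of the Microsoft Graph `signIn` resource, pick out successful sign-ins from outside the allowed countries that CA never evaluated (`conditionalAccessStatus == "notApplied"`), and separate the ones that target a known bootstrap resource (the thread names OCaaS Client Interaction Service) from ones hitting a protected workload, which would deserve a closer look. The records, the allowed-country set and the bootstrap list are constructed assumptions.

```python
"""Triage Azure AD sign-in records for successes that Conditional Access (CA) did not
evaluate. Record shape follows the Microsoft Graph `signIn` resource; the records
below are constructed sample data (assumption), not entries from the thread."""
from collections import Counter

# Assumption: resources the tenant accepts as CA "bootstrap" targets. The thread names
# OCaaS Client Interaction Service; extend from your own reviewed sign-in history.
KNOWN_BOOTSTRAP_RESOURCES = {"OCaaS Client Interaction Service"}

SAMPLE_SIGNINS = [  # constructed sample data; errorCode 53003 = blocked by CA, 0 = success
    {"createdDateTime": "2022-03-30T01:18:57Z", "appDisplayName": "Outlook Mobile",
     "resourceDisplayName": "Microsoft Graph", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}, "location": {"countryOrRegion": "DE"}},
    {"createdDateTime": "2022-03-30T02:18:45Z", "appDisplayName": "OneDrive",
     "resourceDisplayName": "OCaaS Client Interaction Service",
     "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "DE"}},
    {"createdDateTime": "2022-03-30T02:20:10Z", "appDisplayName": "SharePoint Android",
     "resourceDisplayName": "Office 365 SharePoint Online",
     "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "DE"}},
    {"createdDateTime": "2022-03-30T14:02:00Z", "appDisplayName": "Outlook Mobile",
     "resourceDisplayName": "Microsoft Graph", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
]


def unevaluated_successes(signins, allowed_countries):
    """Successful sign-ins from outside `allowed_countries` that CA never evaluated."""
    return [s for s in signins
            if s["status"]["errorCode"] == 0
            and s["conditionalAccessStatus"] == "notApplied"
            and s["location"]["countryOrRegion"] not in allowed_countries]


def triage(signins, allowed_countries, bootstrap=KNOWN_BOOTSTRAP_RESOURCES):
    """Split unevaluated successes into expected bootstrap hits and ones needing review."""
    expected, review = [], []
    for s in unevaluated_successes(signins, allowed_countries):
        (expected if s["resourceDisplayName"] in bootstrap else review).append(s)
    return {
        "expected_bootstrap": Counter(s["resourceDisplayName"] for s in expected),
        "needs_review": [(s["createdDateTime"], s["appDisplayName"],
                          s["resourceDisplayName"], s["location"]["countryOrRegion"])
                         for s in review],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SIGNINS, {"US"}))
```

Anything landing in `needs_review` is a success from a blocked location against a resource that is not on the bootstrap list, which is exactly the case the answer says should not happen when all apps are in scope.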


Hi @ChristineFecteau-8184 • Just checking if you have any further questions regarding this issue.

ChristineFecteau (replying to amanpreetsingh-msft):

All set, thank you.


@ChristineFecteau • Thank you for the confirmation. Kindly "Accept the answer" with your @ChristineFecteau-8184 account, to help us and others in the community as well.
