MichielvanHeerde-6630 asked MichielvanHeerde-6630 answered

Azure AD Conditional Access What If tool says Not enough information, what does that mean?

Hi,

I am configuring some new conditional access rules in Azure and am using the whatif tool to check their workings before putting them into production. With one rule the whatif tells me the reason for not being applied is: Not enough information

Besides not being able to see what is wrong with the rule I cannot find any information as to why there is not enough information, as far as I can see there is very little to no documentation on that specific reason. Funny thing is that when I test the rule on one account the logs tell me that the rule is being applied so that seems to contradict the whatif tool.

Has anybody seen this behavior or has anybody seen any documentation on this reason?


Kind regards,
Michiel

azure-ad-conditional-access

I logged a MS Support ticket on the issue. It is a confirmed bug, but no estimate when it would be resolved. They did point out to me the CA policy work. They did send me the link to this article for some reason .. :/

0 Votes 0 ·

Thanks for following up @WillemDegenaar-2174 . I just checked the bug and saw that this is still ongoing for many customers, but resolved for some customers. I have added your comments to the bug.

0 Votes 0 ·
MarileeTurscak-MSFT answered

Hi everyone,

I got an update from the product team that a fix has been pushed, but it may take up to two weeks for the changes to be applied in production.

This is an issue only when the What-If tool is run on a Conditional Access policy (CAP) where there is a group assigned. Therefore, the workaround for now in this limited testing capacity is to assign users directly to the CAP instead of specifying a group.

A recommended approach to test Conditional Access Policies and understand how a policy acts is to use the Conditional Access Report-Only mode functionality. The results are logged to the Conditional Access and Report-only tabs in the Sign-in log details. The Conditional Access Insights workbook in Activity Monitor can be used to visualize queries and the impact of multiple report-only policies for a given time-range, set of apps and users. This is a good option if you are currently testing policy assignments.
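One way to triage the situation described above, as an added example that is not part of the original answer or of any Microsoft tooling: it takes records shaped like Microsoft Graph `conditionalAccessPolicy` and `signIn` objects, lists the policies assigned through groups or directory roles (the cases this thread reports as affected in What If), and tallies what the sign-in log recorded for each. All ids, names and sample records are constructed, and `indirect_targets`, `outcomes_by_policy` and `triage` are hypothetical helper names.

```python
import json
from collections import Counter

# Constructed sample data shaped like Microsoft Graph conditionalAccessPolicy
# and signIn objects; every id, name and address below is made up.
POLICIES = json.loads("""[
  {"id": "p1", "displayName": "Admins: require MFA",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeRoles": ["ROLE-ID-PLACEHOLDER"]}}},
  {"id": "p2", "displayName": "Pilot group: compliant device", "state": "enabled",
   "conditions": {"users": {"includeGroups": ["GROUP-ID-PLACEHOLDER"]}}},
  {"id": "p3", "displayName": "Single test account", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["USER-ID-PLACEHOLDER"]}}}
]""")
SIGN_INS = json.loads("""[
  {"userPrincipalName": "admin1@example.com", "appliedConditionalAccessPolicies":
   [{"id": "p1", "result": "reportOnlyFailure"}, {"id": "p2", "result": "notApplied"}]},
  {"userPrincipalName": "admin2@example.com", "appliedConditionalAccessPolicies":
   [{"id": "p1", "result": "reportOnlySuccess"}]},
  {"userPrincipalName": "user1@example.com", "appliedConditionalAccessPolicies":
   [{"id": "p1", "result": "reportOnlyNotApplied"}, {"id": "p2", "result": "success"}]}
]""")

def indirect_targets(policy):
    """Return 'groups' and/or 'roles' when assignment is not purely per-user."""
    users = (policy.get("conditions") or {}).get("users") or {}
    # Treating exclusions like inclusions is an assumption of this example.
    return [k.lower() for k in ("Groups", "Roles")
            if users.get("include" + k) or users.get("exclude" + k)]

def outcomes_by_policy(sign_ins):
    """Count the per-policy results recorded in each sign-in's CA details."""
    counts = {}
    for sign_in in sign_ins:
        for applied in sign_in.get("appliedConditionalAccessPolicies") or []:
            counts.setdefault(applied["id"], Counter())[applied["result"]] += 1
    return counts

def triage(policies, sign_ins):
    """List group/role-assigned policies with their sign-in log evidence."""
    seen = outcomes_by_policy(sign_ins)
    return [{"policy": p["displayName"], "assigned_via": indirect_targets(p),
             "report_only": p["state"] == "enabledForReportingButNotEnforced",
             "log_results": dict(seen.get(p["id"], {}))}
            for p in policies if indirect_targets(p)]

if __name__ == "__main__":
    print(json.dumps(triage(POLICIES, SIGN_INS), indent=2))
```

A policy that appears here with `report_only` false and no log results is one where neither What If nor the sign-in log currently gives evidence of how it behaves.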


MarileeTurscak-MSFT answered MarileeTurscak-MSFT edited

Hi @MichielvanHeerde-6630,

I understand that you are seeing "Not enough information" in the What If tool when you are checking if your conditional access policies are being applied.

I've seen some similar cases reported this week and the "Not Enough Information" message appears in two scenarios that I know of: 1) Groups are included in the Conditional Access policy, 2) The sign-in is not hitting AAD.

Can you confirm whether it is a group that is the target of the conditional access policy?
If not, are you able to capture a fiddler trace to see if the sign-in is hitting AAD?

There is an open bug reported right now for the Groups issue, as well as a separate bug reported for the issue of the WhatIf tool showing contradictory information. I will keep you posted on the status of this bug, as there have been ongoing conversations about it today.

I have also reached out to see if we can get this error added to our documentation.

Thanks,

Marilee

MichielvanHeerde-6630 answered MarileeTurscak-MSFT commented

Hi @MarileeTurscak-MSFT ,

Thanks for your reply.

For this rule I have not used a security group, I did however use the predefined directory roles option to set the rule for Global Administrators. I have just changed the rule from Global Administrators to a specific global administrator account and now I do see the rule in the whatif tool in the applied section so that indeed seems to be the issue.

If you have more information on the bugs I would love to hear, or if you have a link to those issues so I can follow those that would be perfect.


Kind regards,
Michiel


Thanks for confirming. It's an internal bug so I am unable to link it, but so far many customers are reporting the same issue with the groups. I've reached out to the owner of the bug to ask for an update and will keep you posted.

0 Votes 0 ·
MarileeTurscak-MSFT answered

Hi @MichielvanHeerde-6630,

I just checked the bug and it looks like a push was fixed an hour ago.

Would you be able to test again?

Thanks for your patience.

Marilee



If this answer helped resolve your question, please consider marking as answer so that others searching for the same issue can more easily find a solution.

MichielvanHeerde-6630 answered

Hi @MarileeTurscak-MSFT ,

I have just tested and got the same results: not enough information in the WhatIf tool.


Kind regards,
Michiel

KenM-1800 answered

Hi - having the same issue. Any update on further fixes?

IvanRizzuto-1323 answered

@MarileeTurscak-MSFT
Got the same issue in three of our tenants.... pretty annoying to be honest.. I mean already one week and not even an official statement somewhere from MS Side?
Please tell us how to go on.

MarkSleeper-6487 answered

@MarileeTurscak-MSFT

Same problem here. Please let me know if there's an update?

TrevorHannah-7038 answered

Got the same issue, been driving me nuts for days.

MichielvanHeerde-6630 answered MarileeTurscak-MSFT commented

Hi @MarileeTurscak-MSFT

I just tested and still the same result, any new info available yet?


Kind regards,
Michiel


I just checked the bug and saw that this is still ongoing for many customers, but resolved for some customers. I have notified the team that this is still an ongoing issue.

1 Vote 1 ·
MarkSleeper-6487 MarileeTurscak-MSFT ·

Thank you @MarileeTurscak-MSFT. Definitely still an issue.

0 Votes 0 ·

Response from the PG:

"Usually it can take up to 7 days to reach all tenants. I tested on several and it is fixed in those tenants."

So it does seem that the change was pushed but may not have reached everyone yet.

0 Votes 0 ·