question

LavanyaRoy-0645 avatar image
0 Votes"
LavanyaRoy-0645 asked LavanyaRoy-0645 commented

Conditional Access What If Tool - Not Enough Information

I currently have two policies in place in conditional access:
- MFA required for all user regardless of location/no conditions/ all cloud apps
- Block user access if country is any other than US-Mexico-Canada

When I run the What If tool, for a user, for an IP address located in US, under the policies that will apply, it only shows the Block user policy
Under the policies that will not be applied, I can see the MFA requirement policy, saying not enough information.

By my understanding, both should be visible? Am I right? if so is there any reason why that is happening?

Thanks



azure-ad-conditional-access
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

amanpreetsingh-msft avatar image
1 Vote"
amanpreetsingh-msft answered LavanyaRoy-0645 commented

Hi @LavanyaRoy-0645 • Thank you for reaching out.

When there are multiple CA policies in place with conflicting conditions, all the policies are evaluated but the most restrictive one gets applied. In your case, the first policy grants access to all users after they perform MFA, and the second policy blocks access for users from the specified countries. When users from the US try to sign in, they will be within the scope of both the policies, and after evaluating both the policies, the most restrictive one gets applied.

Ideally, the WhatIf tool should show both the policies but I've seen "not enough information" is returned when the tool is not able to map the conditions to the policies and requires you to relax the conditions. For the policies with "not enough information", try running the query without IP and country.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

· 5
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

amanpreetsingh-msft avatar image amanpreetsingh-msft ·

Hi @LavanyaRoy-0645 • Just following up if you have any further questions.

0 Votes 0 ·
LavanyaRoy-0645 avatar image LavanyaRoy-0645 amanpreetsingh-msft ·

I don't mind relaxing the conditions and testing the policies, But I was just more concerned with it giving me the goal outcome of not allowing anyone beyond the US-Mexico-Canada to be allowed into my tenant.
The end use case I am looking for is making sure everyone from within those three countries only can log in and they need to use MFA to do so. Will my current configuration satisfy this use case?

0 Votes 0 ·
amanpreetsingh-msft avatar image amanpreetsingh-msft LavanyaRoy-0645 ·

@LavanyaRoy-0645 • Assuming all the conditions are the same in both policies except the below 2 conditions:
1. Policy 1 allows access after MFA and Policy 2 blocks the access.
2. Policy 1 includes all Locations and Policy 2 excludes US-Mexico-Canada and includes all other locations.

Your current configuration will satisfy this use case for sure.

1 Vote 1 ·
Show more comments