Forum Discussion
Conditional Access Policy will not save "Validating Policy"
I have a conditional access policy to enable MFA. It's all set and good. I have it shown here.
I later wanted to go into "Session" and enable "Sign-In Frequency" and set it to the recommended 90 days. After I hit save I get "Validating Session" at the bottom. But it never actually saves at all.
I tried re-creating the policy from scratch including this setting and it will not save. I don't know why.
- Teyn (Copper Contributor)
Hi itomni, snout, ChrisShawLHC and possibly Brownin88,
While this is broken on the Azure side of things, there is a workaround with Graph.
1) Create the policy in Azure AD without setting Sign-In Frequency.
2) Head over to Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) and sign in with your Global Administrator account.
3) Run the following query: GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
(you may need to Consent to a few things under Modify Permissions)
4) Find the Policy you just created in the Response Preview and copy the ID
5) Change the request to PATCH and append the ID to the previous request:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id>
then edit your Request body to the following:
{ "sessionControls": { "signInFrequency": { "value": 90, "type": "days", "isEnabled": true } } }
6) Run the query (you may have to consent to a couple of things again)
7) Done! You will get a 204 No Content success message, and the policy has now been updated.
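The same workaround as a script instead of clicks in Graph Explorer. This is an added example, not Teyn's code or anything from Microsoft: it assumes you already hold a bearer token carrying the Policy.ReadWrite.ConditionalAccess permission (the one Graph Explorer asks you to consent to), and the sample GET response, policy IDs and display names are constructed. One caveat it handles that the step list above does not mention: the PATCH body carries the whole sessionControls object, so the script copies whatever session controls the policy already has (a persistentBrowser setting, for example) and adds signInFrequency to that copy rather than sending signInFrequency on its own.

```python
"""Steps 3-7 of the Graph workaround as a script: pick the policy out of the
GET response, build the PATCH body, send it. Added example; assumes a bearer
token with Policy.ReadWrite.ConditionalAccess has already been obtained."""
import json
import urllib.request
from typing import Optional

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Delegated permission Graph Explorer prompts for under "Modify permissions".
REQUIRED_SCOPE = "Policy.ReadWrite.ConditionalAccess"

# Constructed sample of what GET /identity/conditionalAccess/policies returns,
# trimmed to the fields used here. IDs and display names are made up.
SAMPLE_GET_RESPONSE = {
    "value": [
        {
            "id": "11111111-1111-4111-8111-111111111111",
            "displayName": "Require MFA for all users",
            "state": "enabled",
            "sessionControls": {
                "persistentBrowser": {"mode": "never", "isEnabled": True}
            },
        },
        {
            "id": "22222222-2222-4222-8222-222222222222",
            "displayName": "Block legacy authentication",
            "state": "enabled",
            "sessionControls": None,
        },
    ]
}


def find_policy_id(get_response: dict, display_name: str) -> Optional[str]:
    """Step 4: locate the policy in the GET response by displayName."""
    for policy in get_response.get("value", []):
        if policy.get("displayName") == display_name:
            return policy["id"]
    return None


def build_sign_in_frequency_patch(existing_session_controls: Optional[dict],
                                  value: int, unit: str = "days") -> dict:
    """Step 5: build the PATCH body.

    The body carries the whole sessionControls object, so start from a copy of
    the controls the policy already has and add/replace signInFrequency there.
    Sending signInFrequency alone risks dropping the other session controls.
    """
    if unit not in ("hours", "days"):
        raise ValueError("signInFrequency type must be 'hours' or 'days'")
    if not isinstance(value, int) or isinstance(value, bool) or value < 1:
        raise ValueError("signInFrequency value must be a positive integer")
    session_controls = dict(existing_session_controls or {})
    session_controls["signInFrequency"] = {
        "value": value,
        "type": unit,
        "isEnabled": True,
    }
    return {"sessionControls": session_controls}


def patch_policy(access_token: str, policy_id: str, body: dict,
                 timeout: int = 30) -> int:
    """Steps 5-7: PATCH the policy. Graph answers 204 No Content on success.
    urllib raises HTTPError on 4xx (403 usually means the token lacks
    REQUIRED_SCOPE; 400 is a validation error); the error body says why."""
    request = urllib.request.Request(
        f"{GRAPH_POLICIES}/{policy_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


def set_sign_in_frequency(access_token: str, get_response: dict,
                          display_name: str, days: int) -> int:
    """Steps 4-7 end to end for the policy called display_name."""
    policy_id = find_policy_id(get_response, display_name)
    if policy_id is None:
        raise LookupError(f"no policy named {display_name!r}")
    policy = next(p for p in get_response["value"] if p["id"] == policy_id)
    body = build_sign_in_frequency_patch(policy.get("sessionControls"), days)
    return patch_policy(access_token, policy_id, body)


if __name__ == "__main__":
    # Offline demo: print the body that would be sent for the sample policy.
    policy_id = find_policy_id(SAMPLE_GET_RESPONSE, "Require MFA for all users")
    print(policy_id)
    print(json.dumps(build_sign_in_frequency_patch(
        SAMPLE_GET_RESPONSE["value"][0]["sessionControls"], 90), indent=2))
```

Run it as-is to see the request body it would send; to actually apply the change, fetch the live GET response with the same token and call set_sign_in_frequency(token, live_response, "your policy name", 90), which returns 204 on success exactly as Graph Explorer shows.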
- Tomnibus_MedOne (Brass Contributor)
This looks great! For me, with my open ticket, I don't want to change anything lest they conclude the problem doesn't exist anymore. But I hope this helps someone else.
- ChrisShawLHC (Copper Contributor)
Thanks for this. It's faster than getting all the PowerShell modules installed and doing it that way.
- ChristianBergstrom (Silver Contributor)
Hello, the Azure AD default configuration for user sign-in frequency is 90 days, which should explain what you're experiencing (you cannot save something that is already set).
- Tomnibus_MedOne (Brass Contributor)
So, when using MFA, how do I get it to add the prompt "Remember this device for X days" option? Because under "Remember multi-factor authentication on trusted device" setting it tells me to use Conditional Access:
"NOTE: For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to 'Remember MFA on a trusted device' settings. If using 'Remember MFA on a trusted device,' be sure to extend the duration to 90 or more days. Learn more about reauthentication prompts."
So, I should enable it in trusted device? Or require MFA with each login when outside my network?
- Tomnibus_MedOne (Brass Contributor)
BTW, I just tried setting it to 45 days and it still won't save.
- ChristianBergstrom (Silver Contributor)
Hi, well, the 90 days was something that just popped to mind, so I had to put it out there. As to why it is not saving your settings, I think it's better if I just link this for guidance.
https://dirteam.com/sander/2020/06/17/todo-move-from-the-allow-users-to-remember-multi-factor-authentication-on-devices-they-trust-option-to-conditional-access/
And for reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Configure authentication session management - Azure Active Directory | Microsoft Docs
- Tomnibus_MedOne (Brass Contributor)
Well, I don't know if Microsoft fixed things on its own or not. The MS tech was having me try all these things and it kept failing. He then had me run IdFix to fix problems with my local AD, "to make sure there are no duplicates preventing me from saving the CA policy." I wondered why that would be an issue.
I ran IdFix and didn't have any duplicates, but I had a couple of other issues that I fixed, mostly display name problems. I did not run an AD Sync at all. I just went in and tried to edit and save, and it did. So, I think MS fixed it on the back end without me doing anything.
- snout (Brass Contributor)
Tomnibus_MedOne Yes, it started working for me as well yesterday, with no intervention required.
In fact, I haven't even heard back from Microsoft Support yet, despite opening the case 6 days ago and sending a chasing email a day or two ago.
- Brownin88 (Copper Contributor)
Tomnibus_MedOne
Microsoft support confirmed it was an issue their end, and in short they resolved it.
"Thank you for your response. I am happy to hear that the issue was resolved and everything is working as expected! For your reference we resolved this by resolving service degradation."
Come Tuesday morning I was able to proceed as normal.
Teyn, the Graph guide you have posted, though, is invaluable. Thanks ever so much. Tell me, how do you learn Graph? So far I'm finding very little on it in terms of training materials.
- Dean_Gross (Silver Contributor)
@bronwin88 you may find this helpful: https://docs.microsoft.com/en-us/learn/paths/m365-msgraph-fundamentals/
- Jasper76 (Copper Contributor)
Anyone facing this issue: in my case (I was creating a trusted-network-based conditional access policy) it was caused by not assigning users or groups to whom the policy should apply. You'd expect a warning/reminder of some kind here, but instead it just doesn't save.