Forum Discussion

Tomnibus_MedOne
Brass Contributor
Mar 17, 2021

Conditional Access Policy will not save "Validating Policy"

I have a conditional access policy to enable MFA. It's all set and good. I have it shown here.

I later wanted to go into "Session" and enable "Sign-In Frequency" and set it to the recommended 90 days. After I hit save I get "Validating Session" at the bottom. But it never actually saves at all.

I tried re-creating the policy from scratch including this setting and it will not save. I don't know why.

  • snout
    Mar 24, 2021

    Tomnibus_MedOne Yes, it started working for me as well yesterday, with no intervention required.

    In fact, I haven't even heard back from Microsoft Support yet, despite opening the case 6 days ago and sending a chasing email a day or two ago.

  • Teyn
    Copper Contributor

    Hi itomnisnout ChrisShawLHC and possibly Brownin88,

    While this is broken on the Azure side of things, there is a workaround with Graph.

    1) Create the policy in Azure AD without setting Sign-In Frequency.

    2) Head over to Graph and sign in with your Global Administrator account https://developer.microsoft.com/en-us/graph/graph-explorer

    3) Run the following query: GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies

    (you may need to Consent to a few things under Modify Permissions)

    4) Find the Policy you just created in the Response Preview and copy the ID

    5) Change the request to PATCH and add the ID to the end of the previous request:

    PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id> and Edit your Request body to the following:

    {
        "sessionControls": {
            "signInFrequency": {
                "value": 90,
                "type": "days",
                "isEnabled": true
            }
        }
    }

    6) Run the query (you may have to consent to a couple of things again)

    7) Done! You will get a 204 No Content success message and the policy has now been updated

    • Tomnibus_MedOne
      Brass Contributor
      This looks great! For me, with my open ticket. I don't want to change anything lest they conclude the problem doesn't exist anymore. But I hope this helps someone else.
    • ChrisShawLHC
      Copper Contributor
      Thanks for this. It's faster than getting all the PowerShell modules installed and doing it that way.
  • Hello, the Azure AD default configuration for user sign-in frequency is 90 days, which should explain what you're experiencing (cannot save something that is already set).
  • Well, I don't know if Microsoft fixed things on its own or not. The MS tech was having me try all these things and it kept failing. He then had me run IdFix to fix problems with my local AD. "To make sure there are no duplicates preventing me from saving the CA policy." I wondered why that would be an issue.

    I ran IdFix and didn't have any duplicates, but I had a couple of other issues that I fixed, mostly display name problems. I did not run an AD Sync at all. I just went in and tried to edit and save and it did. So, I think MS fixed it on the back end without me doing anything.

    • Brownin88
      Copper Contributor

      Tomnibus_MedOne

      Microsoft support confirmed it was an issue their end, and in short they resolved it.

      "Thank you for your response. I am happy to hear that the issue was resolved and everything is working as expected! For your reference we resolved this by resolving service degradation."

      Come Tuesday morning I was able to proceed as normal.

      Teyn The Graph guide you have posted, though, is invaluable. Thanks ever so much. Tell me, how do you learn Graph? So far I'm finding very little on it in terms of training materials.

  • Jasper76
    Copper Contributor

    Anyone facing this issue, in my case (I was creating a trusted network based conditional access policy) it was caused by not assigning users or groups to whom the policy should apply. You'd expect a warning/reminder of some kind here but instead it just doesn't save.
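Teyn's Graph workaround and Jasper76's point about unassigned policies, as an added Python example that is not from this thread: it parses a constructed sample of the GET .../policies response, flags policies with no sign-in frequency enabled or no users/groups assigned, builds the PATCH body from step 5, and sends it (that last helper needs a real bearer token; policy names and ids are placeholders).

```python
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed sample shaped like a trimmed GET .../policies response; ids are placeholders.
SAMPLE_GET = json.dumps({"value": [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Require MFA",
     "state": "enabled", "conditions": {"users": {"includeUsers": ["All"], "includeGroups": []}},
     "sessionControls": None},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Trusted network",
     "state": "enabled", "conditions": {"users": {"includeUsers": [], "includeGroups": []}},
     "sessionControls": {"signInFrequency": {"value": 90, "type": "days", "isEnabled": True}}},
]})


def sign_in_frequency_body(value=90, unit="days"):
    """Build the PATCH request body from the workaround; Graph accepts 'days' or 'hours'."""
    if unit not in ("days", "hours") or not isinstance(value, int) or value < 1:
        raise ValueError("sign-in frequency must be a positive integer of days or hours")
    return {"sessionControls": {"signInFrequency": {"value": value, "type": unit, "isEnabled": True}}}


def find_policy(get_response_json, display_name):
    """Step 4: locate the policy by displayName in the GET response; None if absent."""
    for policy in json.loads(get_response_json)["value"]:
        if policy.get("displayName") == display_name:
            return policy
    return None


def audit_policy(policy):
    """Findings a reviewer wants before patching: frequency state and an empty scope."""
    findings = []
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        findings.append("signInFrequency not enabled")
    users = policy.get("conditions", {}).get("users", {})
    if not users.get("includeUsers") and not users.get("includeGroups"):
        findings.append("no users or groups assigned")  # Jasper76's silent save failure
    return findings


def patch_policy(token, policy_id, body):
    """Steps 5-6: PATCH the policy; Graph answers 204 No Content on success."""
    req = urllib.request.Request(f"{GRAPH_POLICIES}/{policy_id}", method="PATCH",
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status == 204
```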
