Dec 05 2021
- last edited on
Jan 14 2022
I’m trying to build CA policy with a block all, unless policy.
Therefore I have setup a block all rule, and with an exception of the ‘Microsoft Azure Management’ cloud application.
The second rule I created is another block rule, for all users, and the cloud application ‘Microsoft Azure Management’. In this rule I have configured the exception for a security group.
The third rule is the allow rule, and the requirements a user in the allowed security group must met, to access the azure portal.
Now the issue.
A user can access to the azure portal, but when the user tries to enter the AAD management portal, the user gets blocked by conditional access. I have attached the sign attempts. The first one is the signin to portal.azure.com, the second one, which fails, is the one trying to access AAD management portal.
any ideas how to fix this?
Dec 05 2021 05:46 AM
@Bernard_Semplicita it is not clear to me what your goal is?
And your first rule, what is the user/group scope?
Dec 05 2021 06:00 AM
Dec 05 2021 10:19 AM
Dec 05 2021 11:03 AM
If multiple policies apply, block will take precedence.
You can also check the details in the Conditional Access tab > Show details
Dec 05 2021 12:33 PM - edited Dec 05 2021 12:35 PM
hey guys, i know the basics.
But the main question is, why can i access the main azure portal itself, and CA is not blocking here, but, when i try to access the AAD management pane, CA is blocking.
I would like to know why, while both 'applications' are accessed/protected via the 'Microsoft Azure Management' cloud app, the result is not the same.
If you check the fail and succes log i attached, you can see the Application and Resource are the same.
Dec 05 2021 02:53 PM
Dec 05 2021 11:50 PM - edited Dec 05 2021 11:51 PM
Have you selected "All cloud apps" in the first block rule?
If so, what happens if you edit the rule to block only the cloud apps that are selectable in the list?
As is mentioned in the documents below, not all Azure services are onboarded for conditional access, so maybe there is some backend service that is required to access Azure AD, that is currently being blocked?
One would think that the service in question would show up in the sign in logs as being blocked though..
Dec 06 2021 12:35 AM
Dec 06 2021 12:43 AM - edited Dec 06 2021 12:50 AM
manually selecting all cloud apps, instead of the 'all cloud apps' does work. I also noticed, it is not just the AAD management portal being blocked, also the endpoint manager portal is blocked, when i use the default option 'All cloud apps'
When manual selecting the apps, this portal is also available again.
Dec 06 2021 12:54 AM