Sep 15 2021
- last edited on
Jan 14 2022
When looking at the Sign-in logs, I see entries with Status = success while the Conditional Access = failure.
Shouldn't the status say Failure as well when the conditional access is blocking the sign-in?
Sep 15 2021 07:03 AM
Sep 15 2021 07:13 AM
@Andres Gorzelany Thank you for your feedback. It is a bit ambiguous because the conditions do match in this case, but the result of the CP is to block access.
Sep 15 2021 09:29 AM
Jan 18 2022 01:36 AM
I encountered the same issue while setting up a CA to disable legacy auth for Exo.
After adding the user to the CA, login status was success but conditional access result was failure
(policy setting was to block access when using legacy auth protocols).
To countercheck the results I went to Exo PowerShell to check the status of the mobile device the user was using and generating this error:
Get-MobileDevice -Mailbox "<upn>" | fl deviceuseragent,deviceaccessstate,DeviceAccessStateReason,clienttype,whenchanged
DeviceUserAgent : Android-SAMSUNG-SM-N960F/101.10
DeviceAccessState : Quarantined
DeviceAccessStateReason : AadBlockDueToAccessPolicy
ClientType : EAS
WhenChanged : 2022. 01. 14. 10:02:18
As you can see in the results, the access was blocked due to the CA
Jan 18 2022 02:26 AM
@bart vermeersch I realize this is an old post but Conditional Access policies are enforced after first-factor authentication is completed, which might explain things :)
Jan 18 2022 12:20 PM
Mar 30 2022 04:47 AM