Forum Discussion
Access has been blocked by Conditional Access policies.
So I tried to log in on another Macbook. Worked fine.
I searched the Azure details and found that this keeps happening:
The "control elements" keep getting blocked.
Still not sure what this means
- Dave_Webster, Nov 23, 2022, Copper Contributor
Robertls6 Did this ever get resolved, as I have the same scenario / issue with security defaults?
- Robertls6, Nov 23, 2022, Copper Contributor
Yes, I called the helpdesk of MS. Not sure what they did, but eventually I turned off the two-way authentication for that particular person's account.
- Dave_Webster, Nov 23, 2022, Copper Contributor
Robertls6 Thanks for coming back to me.
Yes this is my fall back.
However just waiting on user feedback as I found the user on the risky users page as they have been making a mess of the 2FA sign up and I think security defaults now has some rule in there around that type of behaviour.
- Nov 23, 2022
This is what happens when security defaults are enabled.
Requiring all users to register for Azure AD Multi-Factor Authentication.
Requiring administrators to do multifactor authentication.
Requiring users to do multifactor authentication when necessary.
Blocking legacy authentication protocols.
Protecting privileged activities like access to the Azure portal.
My guess here is the legacy protocols.
In general, when using conditional access policies, they should be analyzed before turning them on, for example in "report-only" mode to see what will happen. Let's say you have apps that don't support modern authentication, or your environment is enabled for modern authentication, and you then disable all legacy protocols... Another example could be trying to sign in from a location that isn't specified in the trusted locations in the CA policy, and so on.
To be able to configure CA policies, though, one cannot use Azure AD free (security defaults), as Azure AD P1 is required.
- Dave_Webster, Nov 23, 2022, Copper Contributor
"My guess here is the legacy protocols". Possibly, however they can sign in to other accounts on the same tenant.
See my previous reply. I did end up finding the user on the risky sign-in page, though, as they had been trying to avoid the auth app requirement. So this is my suspicion, although you'd never know this from looking anywhere in the logs; I just went hunting and found the user listed.
I've removed them and waited a short while before asking the user to try again.
Oh yeah P1 / P2 the licence MS does not know what to do with.
I currently have a small essay with my reseller asking them how the heck we are supposed to be licencing these, as things keep disappearing behind "you need a P1 licence for that", and the licence terms are so unclear as to who needs what.
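The earlier reply in this thread recommends analyzing Conditional Access policies in report-only mode and suspects legacy protocol blocks; the follow-ups note that the blocked user was only visible on the risky sign-in page. The script below is an added example for doing that triage from exported sign-in log records, not code from this thread or from Microsoft. It assumes the Microsoft Graph `signIn` record shape (the field names `userPrincipalName`, `clientAppUsed`, `conditionalAccessStatus`, `appliedConditionalAccessPolicies[].displayName` / `.result`, `status.errorCode`); the sample records are constructed, and the set of "modern" client app names is an assumption to adjust for your tenant.

```python
"""Triage Azure AD sign-in records for Conditional Access blocks.

Added example; the record shape follows the Graph signIn resource
(assumed field names, see lead-in). Sample data below is constructed.
"""
from collections import Counter

# Assumption: client app names Graph reports for modern auth.
# Anything else (IMAP4, POP3, SMTP, "Other clients", ...) is treated as legacy here.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
BLOCKING_RESULTS = {"failure"}              # policy actually blocked the sign-in
REPORT_ONLY_BLOCK = {"reportOnlyFailure"}   # report-only policy would have blocked

# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "failure"}]},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy authentication", "result": "failure"}]},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy authentication", "result": "notApplied"},
         {"displayName": "Require compliant device", "result": "reportOnlyFailure"}]},
    # Blocked, but no named policy reports a failure: needs a manual look
    # (e.g. security defaults or risk-based blocking rather than a CA policy).
    {"userPrincipalName": "dan@contoso.example", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": []},
]


def classify(signin):
    """Return a verdict dict for one sign-in record."""
    policies = signin.get("appliedConditionalAccessPolicies", [])
    blocked = signin.get("conditionalAccessStatus") == "failure"
    blocking = [p["displayName"] for p in policies
                if p.get("result") in BLOCKING_RESULTS]
    would_block = [p["displayName"] for p in policies
                   if p.get("result") in REPORT_ONLY_BLOCK]
    client = signin.get("clientAppUsed", "")
    return {
        "user": signin.get("userPrincipalName"),
        "blocked": blocked,
        "legacy_auth": client not in MODERN_CLIENTS,
        "blocking_policies": blocking,
        "report_only_would_block": would_block,
        "unattributed_block": blocked and not blocking,
    }


def summarize(signins):
    """Aggregate verdicts: which policies block, which would block, and what is unexplained."""
    blocking, report_only = Counter(), Counter()
    legacy_blocked = unattributed = 0
    for rec in signins:
        v = classify(rec)
        blocking.update(v["blocking_policies"])
        report_only.update(v["report_only_would_block"])
        if v["blocked"] and v["legacy_auth"]:
            legacy_blocked += 1
        if v["unattributed_block"]:
            unattributed += 1
    return {
        "blocking_policies": blocking,
        "report_only_would_block": report_only,
        "legacy_auth_blocked": legacy_blocked,
        "unattributed_blocks": unattributed,
    }


if __name__ == "__main__":
    for rec in SAMPLE_SIGNINS:
        print(classify(rec))
    print(summarize(SAMPLE_SIGNINS))
```

Run it against a JSON export of the sign-in logs (one record per entry) instead of `SAMPLE_SIGNINS`: the `blocking_policies` counter shows which policies are really doing the blocking, `report_only_would_block` is what report-only mode is for, and `unattributed_blocks` flags the cases like the one in this thread, where the block is not explained by any named policy and the answer has to be found elsewhere (risky users, security defaults).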