Troubleshooting sign-in problems with Conditional Access
The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access using error messages and Microsoft Entra sign-in logs.
Select "all" consequences
The Conditional Access framework provides you with great configuration flexibility. However, great flexibility also means that you should carefully review each configuration policy before releasing it to avoid undesirable results. In this context, you should pay special attention to assignments affecting complete sets such as all users / groups / cloud apps.
Organizations should avoid the following configurations:
For all users, all cloud apps:
- Block access - This configuration blocks your entire organization.
- Require device to be marked as compliant - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back in to change the policy.
- Require Hybrid Microsoft Entra domain joined device - This policy also has the potential to block access for all users in your organization if they don't have a Microsoft Entra hybrid joined device.
- Require app protection policy - This policy also has the potential to block access for all users in your organization if you don't have an Intune app protection policy. If you're an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure.
For all users, all cloud apps, all device platforms:
- Block access - This configuration blocks your entire organization.
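As an added illustration of the assignments listed above (example code, not Microsoft's), the following script flags enforced policies that combine an all-users, all-cloud-apps assignment with no exclusions or narrowing condition and one of the four risky grant controls. Policies are dicts in the Microsoft Graph conditionalAccessPolicy field layout; SAMPLE_POLICIES are constructed.

```python
"""Flag Conditional Access policies with the "all users / all cloud apps" assignments
this article warns about. Added example, not Microsoft's code: the policy dicts use
the Microsoft Graph conditionalAccessPolicy field names and SAMPLE_POLICIES are constructed."""
# Grant controls that lock out every user who cannot satisfy them at sign-in.
RISKY_GRANTS = {"block": "Block access",
                "compliantDevice": "Require device to be marked as compliant",
                "domainJoinedDevice": "Require Hybrid Microsoft Entra domain joined device",
                "compliantApplication": "Require app protection policy"}

SAMPLE_POLICIES = [  # constructed examples, not real tenant data
    {"displayName": "Block everything", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "platforms": {"includePlatforms": ["all"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Require app protection (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}},
]

def _limits(block, all_token, inc_key, exc_key):
    """True when an include/exclude condition block narrows scope below 'everything'."""
    block = block or {}
    inc = block.get(inc_key, [])
    return (bool(inc) and all_token not in inc) or bool(block.get(exc_key))

def lint_policy(policy):
    """Return one warning per risky grant control when the policy is enforced for all
    users and all cloud apps with nothing excluded and no narrowing condition."""
    if policy.get("state") != "enabled":
        return []  # disabled and report-only policies do not interrupt sign-ins
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    all_users = "All" in users.get("includeUsers", []) and not any(
        users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles"))
    all_apps = "All" in apps.get("includeApplications", []) and not apps.get("excludeApplications")
    # A condition that is not configured, or set to "all", does not narrow the policy.
    all_platforms = not _limits(cond.get("platforms"), "all", "includePlatforms", "excludePlatforms")
    all_locations = not _limits(cond.get("locations"), "All", "includeLocations", "excludeLocations")
    risk_scoped = bool(cond.get("signInRiskLevels") or cond.get("userRiskLevels"))
    if not (all_users and all_apps and all_platforms and all_locations) or risk_scoped:
        return []
    return [f"{policy['displayName']}: '{RISKY_GRANTS[c]}' applies to every user and every cloud app "
            f"with no exclusions and no narrowing condition; it can lock out the whole tenant, "
            f"including the administrator who would fix it"
            for c in (policy.get("grantControls") or {}).get("builtInControls", []) if c in RISKY_GRANTS]
```

Run `lint_policy` over the output of a Graph policy export before enabling a new policy; an empty list means the policy does not match the broad pattern, not that it is safe in every respect.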
Conditional Access sign-in interrupt
The first way to investigate a sign-in interruption is to review the error message that appears. For problems signing in when using a web browser, the error page itself has detailed information. This information alone might describe what the problem is and can suggest a solution.
In the example error message, the text states that the application can only be accessed from devices or client applications that meet the company's mobile device management policy. In this case, the application and device don't meet that policy.
Microsoft Entra sign-in events
The second method to get detailed information about the sign-in interruption is to review the Microsoft Entra sign-in events to see which Conditional Access policy or policies were applied and why.
More information about the problem can be found by selecting More Details on the initial error page. Selecting More Details reveals troubleshooting information that is helpful when searching the Microsoft Entra sign-in events for the specific failure event the user saw, or when opening a support incident with Microsoft.
To find out which Conditional Access policy or policies applied and why, do the following.
Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
Browse to Identity > Monitoring & health > Sign-in logs.
Find the event for the sign-in to review. Add or remove filters and columns to filter out unnecessary information.
- Narrow the scope by adding filters like:
  - Correlation ID when you have a specific event to investigate.
  - Conditional Access to see policy failure and success. Scope your filter to show only failures to limit results.
  - Username to see information related to specific users.
  - Date scoped to the time frame in question.
Once the sign-in event that corresponds to the user's sign-in failure is found, select the Conditional Access tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption.
- Information in the Troubleshooting and support tab might provide a clear reason as to why a sign-in failed such as a device that didn't meet compliance requirements.
- To investigate further, drill down into the configuration of the policies by clicking on the Policy Name. Clicking the Policy Name shows the policy configuration user interface for the selected policy for review and editing.
- The client user and device details that were used for the Conditional Access policy assessment are also available in the Basic Info, Location, Device Info, Authentication Details, and Additional Details tabs of the sign-in event.
Policy not working as intended
Selecting the ellipsis on the right side of the policy in a sign-in event brings up policy details. This option gives administrators additional information about why a policy was successfully applied or not.
The left side provides details collected at sign-in and the right side provides details of whether those details satisfy the requirements of the applied Conditional Access policies. Conditional Access policies only apply when all conditions are satisfied or not configured.
If the information in the event isn't enough to understand the sign-in results, or to adjust the policy to get the desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under Basic info > Troubleshoot Event. For more information about the sign-in diagnostic, see the article What is the sign-in diagnostic in Microsoft Entra ID.
If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information allows Microsoft support to find the specific event you're concerned about.
Common Conditional Access error codes
| Sign-in error code | Error string |
|---|---|
| 53000 | DeviceNotCompliant |
| 53001 | DeviceNotDomainJoined |
| 53002 | ApplicationUsedIsNotAnApprovedApp |
| 53003 | BlockedByConditionalAccess |
| 53004 | ProofUpBlockedDueToRisk |
More information about error codes can be found in the article Microsoft Entra authentication and authorization error codes. Error codes in the list appear with a prefix of AADSTS followed by the code seen in the browser, for example AADSTS53002.
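An added example, not from the article or from Microsoft, of performing the same triage over sign-in events exported from Microsoft Graph (GET /auditLogs/signIns): it applies the filters listed in the procedure above (Conditional Access status, user, correlation ID, date), extracts the applied policies as the Conditional Access tab shows them, maps the status code to the error strings in the table with the AADSTS prefix, and notes when the resource called differs from the app, the clue used in the Service dependencies section. Field names follow the Graph signIn resource; SAMPLE_EVENTS are constructed.

```python
"""Triage Microsoft Entra sign-in events exported from Microsoft Graph
(GET /auditLogs/signIns). Added example, not Microsoft's code: field names
follow the Graph signIn resource and SAMPLE_EVENTS are constructed."""
from datetime import datetime

# Error strings from the table in this article, keyed by numeric code.
CA_ERROR_STRINGS = {53000: "DeviceNotCompliant", 53001: "DeviceNotDomainJoined",
                    53002: "ApplicationUsedIsNotAnApprovedApp",
                    53003: "BlockedByConditionalAccess", 53004: "ProofUpBlockedDueToRisk"}

SAMPLE_EVENTS = [  # constructed, not real tenant data
    {"id": "req-0001", "createdDateTime": "2024-05-01T08:15:00+00:00",
     "userPrincipalName": "alice@contoso.example", "correlationId": "corr-aaa",
     "appDisplayName": "Azure Portal", "resourceDisplayName": "Azure Service Management API",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53000},
     "deviceDetail": {"isCompliant": False, "isManaged": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure",
          "enforcedGrantControls": ["RequireCompliantDevice"]},
         {"displayName": "MFA for admins", "result": "notApplied"}]},
    {"id": "req-0002", "createdDateTime": "2024-05-01T08:20:00+00:00",
     "userPrincipalName": "bob@contoso.example", "correlationId": "corr-bbb",
     "appDisplayName": "Outlook", "resourceDisplayName": "Outlook",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "deviceDetail": {"isCompliant": True, "isManaged": True},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "success"}]},
]

def filter_events(events, ca_status="failure", user=None, correlation_id=None, since=None):
    """Narrow the log the way the portal filters do: Conditional Access status
    (failures only by default), user name, correlation ID and a start time."""
    def keep(ev):
        return ((not ca_status or ev.get("conditionalAccessStatus") == ca_status)
                and (not user or ev.get("userPrincipalName", "").lower() == user.lower())
                and (not correlation_id or ev.get("correlationId") == correlation_id)
                and (not since or datetime.fromisoformat(ev["createdDateTime"]) >= since))
    return [ev for ev in events if keep(ev)]

def explain(ev):
    """Summarise what the Conditional Access tab shows: failing policies and their
    grant controls, the AADSTS code, device compliance, app-vs-resource mismatch."""
    code = ev.get("status", {}).get("errorCode", 0)
    failed = [(p["displayName"], p.get("enforcedGrantControls", []))
              for p in ev.get("appliedConditionalAccessPolicies", []) if p.get("result") == "failure"]
    return {"requestId": ev["id"], "time": ev["createdDateTime"],  # what a support case asks for
            "error": f"AADSTS{code} {CA_ERROR_STRINGS.get(code, '')}".strip() if code else None,
            "failedPolicies": failed,
            "deviceCompliant": ev.get("deviceDetail", {}).get("isCompliant"),
            "resourceDiffersFromApp": ev.get("appDisplayName") != ev.get("resourceDisplayName")}
```

Codes outside the table are still reported with the AADSTS prefix so they can be looked up in the error code reference.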
Service dependencies
In some specific scenarios, users are blocked because there are cloud apps with dependencies on resources blocked by Conditional Access policy.
To determine the service dependency, check the sign-in log for the application and resource called by the sign-in. For example, the application called might be Azure Portal while the resource called is Azure Service Management API. To target this scenario appropriately, all the applications and resources should be similarly combined in the Conditional Access policy.
What to do if you're locked out
If you're locked out due to an incorrect setting in a Conditional Access policy:
- Check if there are other administrators in your organization that aren't blocked yet. An administrator with access can disable the policy that is impacting your sign-in.
- If none of the administrators in your organization can update the policy, submit a support request. Microsoft support can review and upon confirmation update the Conditional Access policies that are preventing access.