Conditional Access Workflow - v1.4

The document provides a flowchart for troubleshooting Conditional Access policies in Azure Active Directory. The flowchart outlines steps to determine if a policy is enabled, which users or applications it applies to, and if the policy's requirements are effectively assigned. It also describes how Azure AD evaluates Conditional Access policies in two phases and satisfies access controls.

Uploaded by

Luis Rojas

Conditional Access troubleshooting flowchart

Rules

All policies are enforced in two phases:
  In the first phase, all policies are evaluated and all access controls that aren't satisfied are collected.
  In the second phase, you are prompted to satisfy the requirements you haven't met.
If one of the policies blocks access, you are blocked and not prompted to satisfy other policy controls. If none of the policies blocks you, you are prompted to satisfy either one or all selected policy controls in the following order (see the Access Controls section):
  1. Multi-factor authentication
  2. Approved client app/app protection policy
  3. Managed device (compliant or hybrid Azure AD joined)
  4. Terms of use
  5. Custom controls
External MFA providers and terms of use come next.
All assignments are logically ANDed. If you have more than one assignment configured, all assignments must be satisfied to trigger a policy.
Block access trumps all other configuration settings.

Assignments

Enable policy
  Start -> Is the policy enabled?
    No, turned off -> This policy not applicable
    Report-only    -> Not enforced; view possible applicability in the Azure AD sign-in logs or the Log Analytics workbooks
    Yes            -> continue with Users or workload identities

Users or workload identities
  Policy applies to?
    Users -> Policy effectively assigned to user?
      No  -> This policy not applicable
      Yes -> continue with Cloud apps or actions
    Workload identities -> Policy effectively assigned to service principal?
      No  -> This policy not applicable
      Yes -> continue with Cloud apps or actions

Cloud apps or actions
  Policy applies to?
    Cloud apps -> Is the cloud app targeted?
      No  -> This policy not applicable
      Yes -> continue with Conditions
    User actions -> Are we registering security information, or registering or joining a device?
      No  -> This policy not applicable
      Yes -> continue with Conditions
    Authentication context -> Is the authentication context applicable?
      No  -> This policy not applicable
      Yes -> continue with Conditions

Conditions
  Each condition is checked in turn. A condition that is not specified is skipped; a condition that is specified but not applicable to the sign-in means this policy is not applicable.
  Assigned to user:
    User risk specified?          -> User risk applicable?
    Sign-in risk specified?       -> Sign-in risk applicable?
    Device platforms specified?   -> Device platform applicable?
    Locations specified?          -> Location applicable?
    Client apps specified?        -> Client app applicable?
    Filter for devices specified? -> Filter applicable?
  Assigned to workload identity:
    Service principal risk (Preview) specified? -> Risk applicable?
    Locations (Preview) specified?              -> Location applicable?
  All specified conditions applicable -> continue with Access Controls

Access Controls

Grant or Block?
  Block -> Access is blocked, no other policies evaluated
  Grant -> Additional controls required?
    No  -> Access is granted, other policies will be evaluated
    Yes -> work through the selected controls below; a control that is required but not yet satisfied is prompted for (see Rules)

  Or:
    Multifactor authentication required?      -> Multifactor authentication satisfied?
    Authentication strength required?          -> Authentication strength satisfied?
    Satisfied -> Other controls needed? (No -> Grant)
  And/Or:
    Approved client app required?              -> Approved client app satisfied?
    App protection policy required?            -> App protection policy satisfied?
    Satisfied -> Other controls needed? (No -> Grant)
  Or:
    Compliant device required?                 -> Device compliant?
    Hybrid Azure AD joined device required?    -> Device hybrid Azure AD joined?
    Satisfied -> Other controls needed? (No -> Grant)
  Terms of use acceptance required?            -> Terms of use accepted?
    Satisfied -> Other controls needed? (No -> Grant)
  Password change required?                    -> Password changed?
    Satisfied -> Other controls needed? (No -> Grant)
  Custom controls?                             -> Custom controls satisfied?
    Satisfied -> continue with Session controls

  Grant -> Access is granted, other policies will be evaluated

Session controls

Are session controls specified?
  No  -> Access is granted, other policies will be evaluated
  Yes -> for each selected control:
    App enforced restrictions selected?              -> App enforced restrictions applied to session
    Conditional Access App Control selected?         -> Session routed to Microsoft Defender for Cloud Apps
    Sign-in frequency selected?                      -> Specified sign-in frequency is applied to session
    Persistent browser session selected?             -> Browser persistence settings applied to session
    Customize continuous access evaluation selected? -> Continuous access evaluation is disabled
    Disable resilience defaults selected?            -> Resilience defaults are disabled
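To make the two-phase evaluation, the ANDed assignments and the "block trumps everything" rule concrete, here is a small simulation added to this document (it is not Microsoft's code nor the flowchart author's); the Policy shape, the user and app names and the "m365" label are constructed for illustration.

```python
from dataclasses import dataclass, field
# Order in which unsatisfied grant controls are prompted for (page steps 1-5).
CONTROL_ORDER = ["mfa", "approved_client_app", "managed_device", "terms_of_use", "custom"]

@dataclass
class Policy:                  # constructed shape, not a Graph API object
    name: str
    state: str                 # "enabled", "report_only" or "off"
    users: set                 # assignment: targeted users
    apps: set                  # assignment: targeted cloud apps
    platforms: set = field(default_factory=set)   # condition; empty = not specified
    block: bool = False        # "Block access" selected
    controls: list = field(default_factory=list)  # selected grant controls
    require_all: bool = True   # True = require all controls, False = require one

def applies(p, signin):
    """Assignments are logically ANDed: every configured one must match."""
    checks = [signin["user"] in p.users, signin["app"] in p.apps]
    if p.platforms:            # an unspecified condition is simply skipped
        checks.append(signin["platform"] in p.platforms)
    return all(checks)

def evaluate(policies, signin, satisfied):
    """Phase 1 collects unsatisfied controls from every applicable policy;
    phase 2 blocks if any policy blocks, else prompts in CONTROL_ORDER."""
    pending, report_only, blocked_by = [], [], None
    for p in policies:
        if p.state == "off" or not applies(p, signin):
            continue                  # "This policy not applicable"
        if p.state == "report_only":  # logged to sign-in logs, never enforced
            report_only.append(p.name)
        elif p.block:
            blocked_by = p.name       # block trumps all other settings
        else:
            missing = [c for c in p.controls if c not in satisfied]
            # With "require one", any single satisfied control clears the policy.
            if missing and (p.require_all or len(missing) == len(p.controls)):
                pending.extend(missing)
    if blocked_by:
        return {"result": "block", "by": blocked_by, "report_only": report_only}
    prompts = [c for c in CONTROL_ORDER if c in pending]
    return {"result": "prompt" if prompts else "grant", "prompts": prompts,
            "report_only": report_only}

# Constructed sample tenant; names and values are illustrative only.
POLICIES = [
    Policy("MFA for all", "enabled", {"alice", "bob"}, {"m365"}, controls=["mfa"]),
    Policy("Block Windows Phone", "enabled", {"alice"}, {"m365"}, {"windows_phone"}, block=True),
    Policy("Compliant device or approved app", "enabled", {"alice"}, {"m365"},
           controls=["approved_client_app", "managed_device"], require_all=False),
    Policy("Terms pilot", "report_only", {"alice"}, {"m365"}, controls=["terms_of_use"]),
]
```

Calling evaluate(POLICIES, {"user": "alice", "app": "m365", "platform": "ios"}, set()) returns the prompts in the page's order (mfa, then approved client app and managed device), while the same user on "windows_phone" is blocked even when MFA and a compliant device are already satisfied.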

Date: December 2022 | Version 1.4 | Author: Kenneth van Surksum | www.vansurksum.com
