Home » Blogs » Azure AD Conditional Access “NotApplied”

Azure AD Conditional Access “NotApplied”

After the implementation of Conditional Access policies, it’s important to monitor the coverage status to check if all sign-ins are covered by a conditional access rule. But it’s important to know that it is highly likely that the coverage in a normal environment will never be 100%. This blog is dedicated to explain why some of the sing-in entries can be ignored during the analysis.

Especially the insights and reporting provided within the Conditional Access section will lead many customer towards the journey to more deeply analyze the Not applied status.

Windows Sign In

Some Applications like the “Windows Sign In” do not support Conditional Access. This Application is used when a user is logging on to a Azure AD Joined device, which can be Online and Offline. As the default Windows logon screen is not based on a Web-UI it is not possible to do Conditional Access checks.

Windows Web Sign-In it is possible to use Windows Web Sign-In which is currently in Preview and would support additional checks, but it is clearly mentioned that it is currently unsupported: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin and at some points it's even marked as depreciated. So I don't recommend to use the feature.

B2B Sign In

When analyzing the Sign-In log and you detect “Microsoft Teams Web Client” or “Office 365 Sharepoint Online” in the list then it gets confusing. Why the hell is CA not applied. The answer is simple: It’s a B2B access.
Microsoft highlighted the access flows in docs well but has not explained when a Sign In entry is created.

Through the new Cross Tenant Access settings the information in the sign in logs was expanded, which helps us to analyze the NotApplied status.

With the above information and by checking the redirections when accessing such a resource, then we can elaborate the following behavior flow:

Summary

With all the learnings I did during the investigation of this issues I can now better check if environments are really protected by Conditional Access or not. I hope that with this post a lot of readers will save time analyzing them in their infrastructure. Keep in mind the Conditional Access “NotApplied” sign ins are not in all cases a Conditional Access Policy misconfiguration!

About
Latest Posts

Follow me

Thomas Kurth

Principal Security Consultant | MVP at baseVISION AG

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past ten years. I love to push and design the modern workplace based on Microsoft 365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.

Follow me

Azure AD Conditional Access “NotApplied”

Windows Sign In

B2B Sign In

Summary

0 Comments

Leave a Reply Cancel reply

Recent Posts

Hosting sponsored by:

Subscribe

Azure AD Conditional Access “NotApplied”

Windows Sign In

B2B Sign In

Summary

0 Comments

Leave a Reply Cancel reply

Recent Posts

Hosting sponsored by:

Subscribe

Tags