Azure AD Conditional Access “Not Applied”

Danny Nagdev
Dec 16, 2022

Conditional Access can sometimes seem erratic. That does not mean it is designed incorrectly; it means our understanding of how it works is not clear.

Let me take up an example to explain.

Requirement: The customer wants to block Outlook Web Access from the browser and from platforms other than Windows. So, I created the policy as shown (selected the user we wanted and the Exchange Online Office 365 app):

Will this policy work?

I thought it would, but it didn’t. Our user Allan, who was supposed to be blocked, successfully logged in using the browser. Debugging via the sign-in logs shows the following:

If we drill down, we can see that our policy shows the result as “Not Applied”.

Further drilling down shows that the device platform did not match. Hence, the policy didn’t block access.

To resolve the issue, I removed the Platform check from the policy and included only the Client Apps check.

Now the policy worked as required.

The sign-in log also confirms the same.

Our first requirement of blocking access through the browser is satisfied. To block platforms other than Windows, I will create another policy which will check and block platforms only.

My Learnings:

We should not mix two different requirements into one Conditional Access policy. Within a single policy every configured condition has to match before the policy applies, so it is better to create a new policy for each condition.
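The behaviour above can be reproduced with a small model of how conditions combine. This is an added example, not code from the original post or from Microsoft: the dictionary layout is simplified, and it assumes the platform condition was "all platforms, excluding Windows" and that the browser sign-in came from a Windows device.

```python
# Simplified model of Conditional Access matching (added example, not Microsoft's engine).
# Policy layout loosely follows the Graph conditionalAccessPolicy shape; all values are constructed.

def platform_matches(cond, platform):
    """A missing platform condition matches every device platform."""
    if cond is None:
        return True
    included = "all" in cond["includePlatforms"] or platform in cond["includePlatforms"]
    return included and platform not in cond.get("excludePlatforms", [])

def client_app_matches(types, client_app):
    """A missing or 'all' client-app condition matches every client."""
    return not types or "all" in types or client_app in types

def policy_result(policy, signin):
    """Every configured condition must match (logical AND), else 'notApplied'."""
    c = policy["conditions"]
    if (client_app_matches(c.get("clientAppTypes"), signin["clientApp"])
            and platform_matches(c.get("platforms"), signin["platform"])):
        return "failure" if "block" in policy["grantControls"] else "success"
    return "notApplied"

def signin_blocked(policies, signin):
    """Across policies, one applied block control is enough to deny the sign-in."""
    return any(policy_result(p, signin) == "failure" for p in policies)

NOT_WINDOWS = {"includePlatforms": ["all"], "excludePlatforms": ["windows"]}

# Original design: both requirements in a single policy.
combined = {"displayName": "Block browser + non-Windows",
            "conditions": {"clientAppTypes": ["browser"], "platforms": NOT_WINDOWS},
            "grantControls": ["block"]}
# Revised design: one policy per requirement.
block_browser = {"displayName": "Block browser",
                 "conditions": {"clientAppTypes": ["browser"]},
                 "grantControls": ["block"]}
block_other_os = {"displayName": "Block non-Windows",
                  "conditions": {"platforms": NOT_WINDOWS},
                  "grantControls": ["block"]}

# Constructed sign-ins (assumed: the browser sign-in came from a Windows device).
browser_on_windows = {"clientApp": "browser", "platform": "windows"}
desktop_on_macos = {"clientApp": "mobileAppsAndDesktopClients", "platform": "macOS"}
desktop_on_windows = {"clientApp": "mobileAppsAndDesktopClients", "platform": "windows"}

if __name__ == "__main__":
    for s in (browser_on_windows, desktop_on_macos, desktop_on_windows):
        print(s, "combined:", signin_blocked([combined], s),
              "split:", signin_blocked([block_browser, block_other_os], s))
```

The combined policy only fires for a browser on a non-Windows device, which is the intersection of the two requirements rather than their union; the two separate policies cover both cases and still leave a desktop client on Windows untouched.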

If you have any other thoughts, do let me know.
