articles/active-directory/conditional-access/troubleshoot-conditional-access.md
8 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: troubleshooting
9
-
ms.date: 07/06/2022
9
+
ms.date: 08/16/2022
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -70,7 +70,7 @@ To find out which Conditional Access policy or policies applied and why do the f
70
70
1. To investigate further, drill down into the configuration of the policies by clicking on the **Policy Name**. Clicking the **Policy Name** will show the policy configuration user interface for the selected policy for review and editing.
71
71
1. The **client user** and **device details** that were used for the Conditional Access policy assessment are also available in the **Basic Info**, **Location**, **Device Info**, **Authentication Details**, and **Additional Details** tabs of the sign-in event.
72
72
73
-
### Policy details
73
+
### Policy not working as intended
74
74
75
75
Selecting the ellipsis on the right side of the policy in a sign-in event brings up policy details. This option gives administrators additional information about why a policy was successfully applied or not.
76
76
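Review bot: The new heading at line 73, "Policy not working as intended", no longer describes the paragraph under it, which still explains how to open policy details from the ellipsis in a sign-in event. Consider a heading that names both the scenario and the action, or add a lead-in sentence under the new heading saying when to open policy details, so a reader scanning for the policy details pane can still find it.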
@@ -80,11 +80,11 @@ Selecting the ellipsis on the right side of the policy in a sign-in event brings
80
80
81
81
The left side provides details collected at sign-in and the right side provides details of whether those details satisfy the requirements of the applied Conditional Access policies. Conditional Access policies only apply when all conditions are satisfied or not configured.
82
82
83
-
If the information in the event isn't enough to understand the sign-in results, or adjust the policy to get desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under **Basic info** > **Troubleshoot Event**. For more information about the sign-in diagnostic, see the article [What is the sign-in diagnostic in Azure AD](../reports-monitoring/overview-sign-in-diagnostics.md).
83
+
If the information in the event isn't enough to understand the sign-in results, or adjust the policy to get desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under **Basic info** > **Troubleshoot Event**. For more information about the sign-in diagnostic, see the article [What is the sign-in diagnostic in Azure AD](../reports-monitoring/overview-sign-in-diagnostics.md). You can also [use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md).
84
84
85
85
If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information will allow Microsoft support to find the specific event you're concerned about.
86
86
87
-
### Conditional Access error codes
87
+
### Common Conditional Access error codes
88
88
89
89
| Sign-in Error Code | Error String |
90
90
| --- | --- |
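Review bot: Renaming the H3 at line 87 to "Common Conditional Access error codes" changes the heading text that in-page anchors are generated from, so any existing link to the old "Conditional Access error codes" section will stop resolving; the same applies to the rename at line 73. Check for inbound links to both sections before merging. The relative link added at line 83 points to what-if-tool.md, which this diff does not touch, so confirm that file exists in the same folder.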
@@ -94,11 +94,13 @@ If you need to submit a support incident, provide the request ID and time and da
94
94
| 53003 | BlockedByConditionalAccess |
95
95
| 53004 | ProofUpBlockedDueToRisk |
96
96
97
+
More information about error codes can be found in the article [Azure AD Authentication and authorization error codes](../develop/reference-aadsts-error-codes.md). Error codes in the list appear with a prefix of `AADSTS` followed by the code seen in the browser, for example `AADSTS53002`.
98
+
97
99
## Service dependencies
98
100
99
101
In some specific scenarios, users are blocked because there are cloud apps with dependencies on resources that are blocked by Conditional Access policy.
100
102
101
-
To determine the service dependency, check the sign-ins log for the Application and Resource called by the sign-in. In the following screenshot, the application called is **Azure Portal** but the resource called is **Windows Azure Service Management API**. To target this scenario appropriately all the applications and resources should be similarly combined in Conditional Access policy.
103
+
To determine the service dependency, check the sign-ins log for the application and resource called by the sign-in. In the following screenshot, the application called is **Azure Portal** but the resource called is **Windows Azure Service Management API**. To target this scenario appropriately all the applications and resources should be similarly combined in Conditional Access policy.
102
104
103
105
:::image type="content" source="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png" alt-text="Screenshot that shows an example sign-in log showing an Application calling a Resource. This scenario is also known as a service dependency." lightbox="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png":::
104
106
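Review bot: The sentence added at line 97 reads as if the codes in the table carry the AADSTS prefix, but the table rows shown here (53003, 53004) are bare numbers; the prefix is what appears in the browser. Suggest rewording along the lines of "In the browser, these codes appear with a prefix of AADSTS, for example AADSTS53002." Separately, line 103 lowercases "application and resource" while the image alt-text just below still says "an Application calling a Resource"; align the two.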
@@ -111,5 +113,6 @@ If you're locked out of the Azure portal due to an incorrect setting in a Condit
111
113
112
114
## Next steps
113
115
116
+
-[Use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md)
114
117
-[Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)
115
118
-[Troubleshooting Conditional Access using the What If tool](troubleshoot-conditional-access-what-if.md)
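Review bot: The Next steps list now carries two What If entries: the added line 116 links to what-if-tool.md and the retained line 118 links to troubleshoot-conditional-access-what-if.md. If these are the same article under an old and a new file name, drop or update the older entry; if they are distinct articles, make the link text differ enough that a reader can tell which one to open.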