Conditional Access gives you a lot of flexibility, but that flexibility can also create tenant-wide outages if policies are configured too broadly. Before enabling or enforcing a policy, review assignments carefully—especially when a policy targets All users, All groups, or All cloud apps. A single “too broad” policy can unintentionally block administrators and stop everyone from signing in.
The most dangerous Conditional Access mistakes usually involve combining wide assignments with blocking controls or requirements that most users/devices cannot satisfy. The following configurations are common lockout causes:
| Configuration | Why it’s risky | What happens in real life |
|---|---|---|
| All users + All cloud apps → Block access | There is no “safe path” left for authentication. | Everyone is blocked, including admins. This can cause a tenant-wide outage. |
| All users + All cloud apps → Require Hybrid Entra joined device | Many users/devices (BYOD, mobile, contractors, unmanaged endpoints) won’t meet this condition. | Users without hybrid-joined devices get blocked from all apps. |
| All users + All cloud apps → Require app protection policy | Requires Intune app protection policies and compatible client apps. | If Intune policies aren’t deployed (or admins aren’t using a protected app), admins can lock themselves out of portals like Intune and Azure. |
| All users + All cloud apps + All device platforms → Block access | Combines the broadest scope with the strictest control. | Full lockout across devices and platforms. |
A safe rollout approach is to start with a small pilot group, validate sign-in behavior, and keep emergency access (break-glass) accounts excluded from policies that could impact tenant-wide access.
When a user is interrupted or blocked by Conditional Access, troubleshoot in two stages: first, understand what the user saw at sign-in; then confirm exactly which policy applied by checking Microsoft Entra sign-in logs.
The error page shown during sign-in often includes a clear explanation of what requirement was not met (for example, “compliant device required” or “must use an approved client app”). For browser-based sign-ins, this page is frequently the fastest way to understand the immediate cause.
If the user selects More details, the page shows troubleshooting information that can help you locate the exact event in sign-in logs. This is especially useful when you need to match what the user saw to a specific log entry.
For deeper analysis, review sign-in logs to identify which Conditional Access policy (or policies) evaluated the sign-in and why the sign-in was blocked or interrupted.
Helpful filters to use:
Open the sign-in event and go to the Conditional Access tab. This view shows which policies were evaluated and which policy (or combination of policies) resulted in the interruption. If you need to confirm the exact policy configuration that caused the issue, select the Policy Name to jump directly into that policy for review.
The sign-in event also includes the user and device context used during evaluation. Tabs such as Basic Info, Location, Device Info, Authentication Details, and Additional Details can clarify which condition failed (for example, device compliance not met, wrong platform, unexpected location, or missing MFA claim).
Within the Conditional Access tab, selecting the ellipsis (…) next to a policy can open Policy details. This view typically presents:
A key point: Conditional Access policies apply only when conditions are satisfied (or not configured). If the data in the event still does not explain the outcome, you may need to review policy conditions carefully (users/groups, target apps, locations, device state, client apps, device platforms) and verify the user/device posture and enrollment state.
If sign-in logs do not provide enough clarity, open a support incident from the sign-in event’s Troubleshooting and support tab. Include the request ID and the time/date from the sign-in event in your submission. These details help Microsoft Support locate the exact sign-in record you are investigating.