Conditional access triggered after unsuccessful password?

Justyna K 30 Reputation points
2025-01-21T14:45:41.48+00:00

Hello,

We had a situation where, for all sign-ins, the password was invalid while Conditional Access was triggered, and eventually the sign-in was blocked with the information that it was blocked by Conditional Access policies. Is it possible that an unsuccessful first factor triggered a Conditional Access policy? According to the MS documentation it is not possible; however, maybe something has changed and Microsoft forces CA even in case of a failed password, just to avoid locking the user account in case of malicious sign-ins? Just guessing.


Accepted answer
  1. Raja Pothuraju 12,120 Reputation points Microsoft Vendor
    2025-01-30T05:21:21.6366667+00:00

    Hello @Justyna K,

    Thank you for taking the time to connect offline regarding this issue.

    As we discussed on our call, the sign-in attempt is being blocked by a Conditional Access (CA) policy. You were looking for confirmation on whether single-factor authentication was successful, as the Authentication Details section shows false.

    Based on our test results and observations, I can confirm that this is the expected behavior. The sign-in attempt was blocked because it did not meet the conditions of the CA policy. Since this is a block policy, access is denied immediately after the correct password is entered.

    As Vasil explained, Conditional Access policies are applied only after primary authentication is successfully completed.

    When access is blocked by a CA policy, the sign-in logs will show a failure. However, this does not necessarily indicate an incorrect password. The status reason field provides the actual cause of the failure, which, in this case, is CA policy enforcement.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    2 people found this answer helpful.

2 additional answers

  1. Vasil Michev 112.8K Reputation points MVP
    2025-01-22T07:06:11.5766667+00:00

    Judging by the Sign-in error code (ResultType on your screenshot), the first-factor auth was successful and the request was then blocked by Conditional access. I'm not aware of any changes in processing CA policies, and in this scenario I would advise you to consider the possibility that the user's credentials were compromised.

    1 person found this answer helpful.
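
Added example, not part of any answer in this thread: a triage over exported sign-in records that separates real password failures from sign-ins where the password was accepted and Conditional Access then blocked access, which is the case the answer above suggests reviewing for credential compromise. The error codes 50126 and 53003 are Microsoft's documented AADSTS codes rather than values read from the question's screenshot, the field names follow the Microsoft Graph signIn resource, and all records, users, IPs and policy names are constructed.

```python
import json
from collections import defaultdict

# AADSTS codes found in status.errorCode (shown as ResultType in Log Analytics).
INVALID_PASSWORD = 50126  # first factor failed: invalid username or password
BLOCKED_BY_CA = 53003     # access blocked by Conditional Access policies
LABELS = {0: "success", INVALID_PASSWORD: "password_failed",
          BLOCKED_BY_CA: "password_ok_blocked_by_ca"}

# Constructed sample records, shaped like Microsoft Graph signIn objects.
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
  "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied",
  "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
  "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Block untrusted locations", "result": "failure"},
    {"displayName": "Require MFA for admins", "result": "notApplied"}]},
 {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.8",
  "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Block untrusted locations", "result": "failure"}]},
 {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44",
  "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": []}
]""")

def classify(record):
    """Separate a real password failure from a CA block after a valid password."""
    return LABELS.get(record["status"]["errorCode"], "other_failure")

def accounts_to_review(records):
    """Per user: source IPs and blocking policies for CA-blocked sign-ins."""
    hits = defaultdict(lambda: {"ips": set(), "policies": set()})
    for r in records:
        if classify(r) != "password_ok_blocked_by_ca":
            continue
        entry = hits[r["userPrincipalName"]]
        entry["ips"].add(r["ipAddress"])
        entry["policies"].update(
            p["displayName"] for p in r.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure")
    return dict(hits)

if __name__ == "__main__":
    for user, info in accounts_to_review(SAMPLE).items():
        print(user, sorted(info["ips"]), sorted(info["policies"]))
```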

  2. Shikha Ghildiyal 3,500 Reputation points Microsoft Employee
    2025-01-21T15:02:17.2866667+00:00

    Hi Justyna K

    Thanks for reaching out to Microsoft Q&A.

    There can be multiple scenarios on decisions for conditional access.

    Please check this document: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview#common-decisions and see if it helps.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

