Hey everyone, I'm getting pretty frustrated with Azure lately. I'm not a full-time admin, but I have to manage it anyway. I'm trying to figure out what best practices are—should I stick with security defaults or rely on Conditional Access Policies?
I've set up five Conditional Access Policies that I think are standard: blocking legacy sign-ins, requiring MFA and password changes for high-risk users, MFA for admins, and also for guests and risky sign-ins. So far, that part has been smooth.
Now, I'm attempting to set up an SMTP client in an application, using OAuth to authenticate a Global Admin against my tenant and assigning the necessary permissions. However, while testing the connection with my email client, it keeps failing, and I get an "incorrect login credentials" message. What's baffling is that I can't see any of these login attempts in Azure, although the previous OAuth connection is visible.
Once I did get my application and email client to work, the weird part is that now they work consistently no matter what I change in the Conditional Access policies. I even set up a second tenant, configured everything just like my first one, but that one won't connect at all. Again, no failed login attempts show up in the Azure logs. What could be blocking this connection on Microsoft's end? I haven't enabled or configured Global Secure Access, so I'm really at a loss here!
5 Answers
I've encountered similar issues with virtual machine access. Even after correctly setting up RBAC, I couldn’t log in with my main account unless I used a local account. Might be worth checking if any CA policies are interfering with logins from external sources.
Hey there! Have you looked through the non-interactive and other sign-in logs? Just a heads up, you're actually dealing with Entra ID, not just Azure. That could explain some discrepancies.
Not everything updates instantly in Azure. If you change a CA policy, it can take a while to take effect. Plus, an existing authenticated session might still be active even after changes.
Entra should have logs for sign-in events, including detailed logs related to your Conditional Access policies. Make sure you’re checking all relevant logs.
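The two replies above both point at the Entra sign-in logs, non-interactive ones included. As an added example, not code from any poster, this Microsoft Graph PowerShell script lists recent non-interactive sign-ins for one user and one application and shows how Conditional Access evaluated each of them; the UPN, app display name and time window are placeholders to replace.

```powershell
# Added example: pull non-interactive sign-ins for one user/app from Entra ID
# and show the Conditional Access result for each. Needs the Microsoft.Graph
# PowerShell module. UPN, app name and window below are placeholders.
param(
    [string]$UserPrincipalName = 'admin@example.onmicrosoft.com',  # placeholder
    [string]$AppDisplayName    = 'My SMTP Client',                  # placeholder
    [int]$Hours                = 24
)

# Reading sign-in logs requires AuditLog.Read.All plus Directory.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Non-interactive sign-ins are only returned by the beta endpoint, and only
# when signInEventTypes asks for them; the default listing is interactive only.
$filter = "createdDateTime ge $since" +
          " and userPrincipalName eq '$UserPrincipalName'" +
          " and appDisplayName eq '$AppDisplayName'" +
          " and signInEventTypes/any(t: t eq 'nonInteractiveUser')"
$uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=" +
       [System.Uri]::EscapeDataString($filter) + "&`$top=50"

# Follow @odata.nextLink so paged results are not silently truncated.
$events = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $events += $page.value
    $uri = $page.'@odata.nextLink'
}

if (-not $events) {
    Write-Host 'No non-interactive sign-ins found; none occurred, or the logs have not synced yet.'
}

foreach ($e in $events) {
    # status.errorCode 0 is success; anything else is a failure with a reason.
    $outcome = if ($e.status.errorCode -eq 0) { 'success' }
               else { "fail $($e.status.errorCode): $($e.status.failureReason)" }
    Write-Host "$($e.createdDateTime)  $($e.clientAppUsed)  CA=$($e.conditionalAccessStatus)  $outcome"
    # Each evaluated policy reports its result and the grant controls it enforced.
    foreach ($p in $e.appliedConditionalAccessPolicies) {
        Write-Host ('    {0,-40} {1,-12} {2}' -f $p.displayName, $p.result, ($p.enforcedGrantControls -join ','))
    }
}
```

The sign-in log only records requests Entra actually evaluated, so an attempt that never shows up in this output never reached Entra's token endpoint.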
Sometimes, it just takes a bit for the logs to sync across all data sources. Don't be too quick to assume there's an issue if things aren’t appearing immediately.
Thanks for the tip! I’ll give it some time and see if the logs update.
Got it! Sounds like I need to be patient and observe those changes.