Unanswered

Problems with conditional access

(0) Share

Report

Posted on by Community Power Pla...

Hi all,

We have set up flows for a number of our customers for the automatic creation of teams and linking members to them. The flow retrieves the data from a SharePoint list and the team is created through Azure Automation. For linking the members to the team, we use the connector Office 365 Users.

One of our customers has activated a conditonal access policy, which means that the flows no longer work.
To solve this problem, we have added the IP addresses of AzureCloud in the excluded list (for Azure Automation) and the IP addresses for Power Platform (https://docs.microsoft.com/en-us/connectors/common/outbound-ip-addresses#power-platform).

However, the Office 365 Users connector still presents a problem. This error message is shown:

{
"status": 401,
"source": "https://power-te-northeurope.azurewebsites.net:443/tokens/europe-001/office365users/2daa9034ab6d435196c525aeaa67612a/exchange",
"message": "Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and office365users is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthorized, Message: 'Failed to refresh access token for service: office365usercertificate. Correlation Id=fcdc9f20-992a-44f2-bbc5-38e8627de8fa, UTC TimeStamp=1/19/2022 7:49:18 AM, Error: Failed to acquire token from AAD: {\"error\":\"interaction_required\",\"error_description\":\"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.\\r\\nTrace ID: 75debc29-dfa6-4f49-bef7-b89f1dbc3600\\r\\nCorrelation ID: d09bb432-9842-417e-b1df-98ad011a724b\\r\\nTimestamp: 2022-01-19 07:49:18Z\",\"error_codes\":[53003],\"timestamp\":\"2022-01-19 07:49:18Z\",\"trace_id\":\"75debc29-dfa6-4f49-bef7-b89f1dbc3600\",\"correlation_id\":\"d09bb432-9842-417e-b1df-98ad011a724b\",\"error_uri\":\"https://login.windows.net/error?code=53003\",\"suberror\":\"message_only\",\"claims\":\"{\\\"access_token\\\":{\\\"capolids\\\":{\\\"essential\\\":true,\\\"values\\\":[\\\"80777881-a68e-4c0e-b52e-550917bf4a32\\\"]}}}\"}']"
}

How can we ensure that this connector also works and prevent other connectors from causing problems as well? Is there maybe another way to get Power Automate/Apps and Azure Automation working with conditional access policy?

Thanks in advance!

Categories:

Using flows

I have the same question (0)

All responses (4)

Answers (1)

Ellis Karim 11,681 Super User 2025 Season 2 on at

Like (0)

Report

I don't know much about Conditional access policies, but the following may be of help:

Conditional access policies define rules that determine when and how a user can access an application. Characteristics of the user’s session such as their IP address, location, device, and sign-in risk score are evaluated...These factors can also apply to certain activities such as whether a user is able to view documents in SharePoint Online, or view and download documents.

Numerous ways exist to restrict access to resources using conditional access policies. You can restrict who is allowed access to a resource, define which devices can be used to access resources, or control from what locations an app or service can be used. You can also add restrictions based on characteristics of the user logon; for example, if a user logs on from an unknown location, you can require them to authenticate with MFA even if the device itself would normally be trusted.
Office 365 for IT Pros 2022 Edition (January 2022), page 96.

Also:
As you begin building conditional access policies, you must be careful not to inadvertently impact end user access to workloads and other applications. To help with this, Azure AD allows you to enable conditional access policies in report-only mode. When a conditional access policy is enabled in report-only mode, you will be able to see the expected effect of the policy when you review the Azure AD sign-in logs. The end user will not be affected since the policy is not fully enabled.
Ibid, pg 99

You will need to work with their the MS 365 admin to find out which conditional access policy they have implemented that is stopping the flow from working, and which AAD account the flow connection is using for the Azure Automation. And ask if they can exclude your flow connection account(s) from the policy or enable the conditional access policies in report-only mode.

Ellis
____________________________________
If I have answered your question, please mark the post as Solved.
If you like my response, please give it a Thumbs Up.

Was this reply helpful? Yes No
Community Power Pla... on at

Like (0)

Report

Thank you for your reaction Ellis!

Our customers wants a conditional access policy on their AAD Account so that they can indicate from which location they can only log in.

Unfortunately, they don't want to exclude the account. We have added the IP addresses of Azure Cloud and Power Automate to the allowed locations. Most flows are working now, but only a few flows that use the Office 365 Users connector still give problems.

I don't know from which IP addresses this connector can connect, so I cant add them to the list. But if this connector causes problems, other connectors will probably also cause problems in the future.

Was this reply helpful? Yes No
Verified answer

Ellis Karim 11,681 Super User 2025 Season 2 on at

Like (1)

Report

See also: IP address configuration
The IP addresses from which Power Automate requests are sent depends on the region where the environment that contains the flow is located. We don't currently publish FQDNs available for flow scenarios.

Important
Some calls a cloud flow makes may come from IP addresses that are listed in the Logic apps documentation. Some examples of these calls include HTTP or HTTP + OpenAPI.
...
...
...
Required services
The following table lists the services to which Power Automate connects. Ensure none of these services are blocked on your network.
...
https://docs.microsoft.com/en-us/power-automate/ip-address-configuration

Ellis

Was this reply helpful? Yes No
Community Power Pla... on at

Like (0)

Report

I have added the IP addresses that are listed in the Logic apps documentation and everything seems to work. I will test a bit more, but I am positive for now.

Thank you very much Ellis!

Was this reply helpful? Yes No