'Azure Conditional Access can't Include or Exclude users

Basically my problem can be seen on this picture : azure conditional access error

When I go to Conditional Access > Assignments, I have red crosses both on Include and Exclude users or groups. My account has Global Administrator role assigned and the tenant has O365 E1 plus EMS E5 licenses. What must I do to enable the option to Include or Exclude users and groups in the Conditional Access policies?

azure-active-directorymulti-factor-authentication


Solution 1:[1]

Conditional Access is not supported with O365 E1 license, this feature requires Azure AD Premium P1 license.

  • Azure AD Premium P1 license is included as part of Enterprise Mobility and Security (EM+S) E3 and Microsoft 365 E3.
  • Azure AD Premium P2 license is included as part of Enterprise Mobility and Security (EM+S) E5 and Microsoft 365 E5. So, even if you have EMS E5 license you may face difficulty in creating conditional access policy.

Otherwise, you should have Microsoft 365 Business Premium license which includes a subset of Azure AD Premium P1 that supports Conditional Access.

I have Microsoft 365 Business Premium license and I tested in my environment where I am able to include or exclude users successfully.

enter image description here

So, for the workaround, make use of Microsoft 365 Business Premium license and try.

Note: While creating Conditional Access policies, Microsoft recommends to exclude the Global Administrator group from your Conditional Access policies to save yourself from losing access(lockout) to Azure.

Please find below links if they are helpful.

References:

What is Conditional Access in Azure Active Directory? | Microsoft Docs

Conditional Access for Office 365 (enowsoftware.com)

How to Set Up Conditional Access in Office 365? – TheITBros

Update:

As you mentioned in the comment, removing Conditional access permissions will take a while to reflect. Make sure you have Security Administrator role while doing all these. Good to know that it's working now. Thanks for the update.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions

Synapse external table "Unauthorized"

How to redirect from VB.NET legacy web application login page to azure portal to validate azure ad with MFA

Receive a request when Azure AD User receive a call

Can I use SVG within a customized the Azure AD B2C user interface?

Connecting to Dynamics 365 TDS-enabled database with OLEDB Linked Server

How do I define the SignedOut page in Microsoft.Identity.Web?

Azure AD API request 401 Unauthorized

Using multiple authentication providers in C# .net core

Active directory check if user belongs to a group

Web API with Microsoft Identity Platform Authentication

azure ad authentication issue with razor handlers

How to open the file on browser instead of downloading in local that is stored in Azure Data lake Gen 2

Error - Intent filter for: BrowserTabActivity is missing. While using AzureAD MSAL Lilbary

Azure AD B2C - Supporting a daemon app along with B2C clients such as Web page and native mobile app

what is role of User did in Verifiable Credentials ? did:ion:username and when user did will generate?