15 votes · started · 3 comments · Azure Active Directory » Conditional Access
Felicia commented
The pre-authentication logging in general needs to be greatly improved. ActiveSync access for us broke 100% simply by clicking the Enforce MFA button on a per-user account basis. When we tried rolling that back by removing MFA, re-enabling, and then having the user re-enroll, ActiveSync was still broken. Even after creating an EOL authentication policy that would allow basic authentication for a specific account where this was necessary, ActiveSync was still broken.
All of this is happening because basic authentication is denied outright, and we don't even get to see the logs of this activity. Where and why is it being blocked? Is conditional access policy blocking it? Is it being blocked inside of EOL?
I've tried working with MS support on this topic only to find that there is some "by design" setting that we cannot override that blocks all basic authentication attempts. I find that to be completely bizarre considering that it is documented to be able to create an EOL authentication policy that specifically allows basic authentication.
Bottom line is that without access to the logs, we've no ability to troubleshoot where the problem is happening. And when the data is not exposed to us in the Azure portal, that also means that MS support has no access to the data. So we just have a broken platform.