The Problem:
An error occurred while trying to trigger a Logic App workflow from an Azure Data Factory pipeline using a web activity. The error message indicates that access has been blocked by Conditional Access policies and the access policy does not allow token issuance.
The Solutions:
Solution 1: Conditional Access policies
You can obtain detailed information about the failure from within your Azure portal:
1. Navigate to the “Sign-in events” page.
2. Click on “User sign-ins (non-interactive).”
3. Locate your event with the status “Failure.”
4. Click on the failure event to display a side bar with detailed information.
5. Click on the “Conditional Access” tab within that detail popout.
Here, you will find the policy that caused the block, which you can then review.
It may be the case that your application is violating a rule that cannot be modified. In such situations, consider adjusting your application’s operation rather than attempting to alter security rules to suit your needs.
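The same lookup can be done offline against exported sign-in logs. The following is an added example, not part of the original post: it assumes the logs were exported as a JSON array using the Microsoft Graph `signIn` field names, the function name `blocking_policies` is hypothetical, and the sample records are constructed.

```python
import json

# Constructed sample shaped like Microsoft Graph signIn records; all values are constructed.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-01-15T08:30:00Z", "appDisplayName": "example-adf",
     "resourceDisplayName": "example-logic-app-resource",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003,
                "failureReason": "Access has been blocked by Conditional Access policies."},
     "appliedConditionalAccessPolicies": [
         {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Block untrusted locations",
          "result": "failure", "enforcedGrantControls": ["Block"]},
         {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Require MFA (report-only)",
          "result": "reportOnlyFailure", "enforcedGrantControls": ["Mfa"]},
         {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Require compliant device",
          "result": "notApplied", "enforcedGrantControls": []}]},
    # Successful sign-in: must be ignored.
    {"createdDateTime": "2024-01-15T08:31:00Z", "appDisplayName": "example-adf",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": []},
    # Failure unrelated to Conditional Access, exported with a null policy list.
    {"createdDateTime": "2024-01-15T08:32:00Z", "appDisplayName": "example-adf",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 1},
     "appliedConditionalAccessPolicies": None},
])

def blocking_policies(export_text):
    """Return one record per policy that actually blocked a failed sign-in."""
    findings = []
    for event in json.loads(export_text):
        failed = (event.get("status") or {}).get("errorCode", 0) != 0
        if not failed or event.get("conditionalAccessStatus") != "failure":
            continue
        # The policy list can be missing or null when nothing was evaluated.
        for policy in event.get("appliedConditionalAccessPolicies") or []:
            # "reportOnlyFailure" would have blocked but is not enforced; only "failure" is.
            if policy.get("result") == "failure":
                findings.append({"time": event.get("createdDateTime"),
                                 "app": event.get("appDisplayName"),
                                 "policy": policy.get("displayName"),
                                 "policy_id": policy.get("id"),
                                 "controls": policy.get("enforcedGrantControls") or []})
    return findings

if __name__ == "__main__":
    for finding in blocking_policies(SAMPLE_EXPORT):
        print(finding)
```

Report-only policies are skipped on purpose, so the output names only the policy that is enforcing the block and needs review.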
Solution 2: Modify Conditional Access Policies
To address the issue where access to the Logic App is blocked by Conditional Access policies, follow these steps:
- Sign in to Azure Active Directory with an account that has Global Administrator privileges.
- Navigate to Security > Conditional Access.
- Review the existing policies and identify any that may prevent token issuance for the service principal used by Azure Data Factory.
- Modify the policy or create a new one so that tokens can be issued to the service principal. Alternatively, you can exclude the service principal from the applicable Conditional Access policy.
- Save the changes to the Conditional Access policy.
- Retry the operation.
Refer to the following resources for more information:
- [Microsoft Docs: Conditional Access Policy to Block Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-access)
- [How to Secure an Azure Service Principal with Conditional Access](https://www.argos-security.io/2021/11/29/how-to-secure-an-azure-service-principal-with-conditional-access/)
Q&A
How can I resolve the error "Access has been blocked by Conditional Access policies"?
Review and modify the Conditional Access policy in Azure Active Directory to allow token issuance for the service principal used by ADF.
Where can I get more information about the failure when access has been blocked by Conditional Access policies?
Get details from the "Sign-in events" page in the Azure portal.
Video Explanation:
The following video, titled "Azure Logic Apps connect to Firewall Protected Blob Storage ...", provides additional insights and in-depth exploration related to the topics discussed in this post.
Protecting sensitive data is one of the most critical tasks when it comes to designing cloud applications. But sometimes this imposes ...