Question: One of our customers has activated an Azure AD conditional access policy, which means that some of our flows no longer work. They used a policy to control which locations users can log in from. Is there a way to get Power Automate/Apps and Azure Automation working with conditional access policies?
"message": "Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and office365users is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthorized, Message: 'Failed to refresh access token for service: office365usercertificate. Correlation Id=fcdc9f20-992a-44f2-bbc5-38e8627de8fa, UTC TimeStamp=1/19/2022 7:49:18 AM, Error: Failed to acquire token from AAD:... "error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
The client has implemented Azure AD conditional access policies that restrict the locations or IP addresses a user can log in from. When a user runs a flow that contains, for example, an Office 365 connector, the connector is configured to use the user’s login credentials. When the connector authenticates with those credentials, the conditional access policy sees the sign-in as coming from the Microsoft cloud (flows execute in the Microsoft cloud), and the Microsoft cloud IP addresses are not on the list of locations the policy allows. That is what produces the AADSTS53003 error at runtime.
Power Platform is one of the three Microsoft cloud offerings and is part of the overall Microsoft cloud infrastructure. The three cloud offerings are Power Platform, Microsoft 365, and Microsoft Azure; Microsoft 365 and Microsoft Azure are used heavily in Power Platform solutions. These cloud offerings are operated out of Microsoft data centres, and the data centres are grouped into regions and geographies. However, Power Platform cloud services are not available in every Microsoft data centre. To see which regions are available for the Power Platform, select the View Report button in Dynamics 365 and Microsoft Power Platform availability (reference (1) below).
How to fix the Conditional Access Policy
The client should exclude the following IP address ranges from the Azure AD conditional access policies, by adding them as a named location and excluding that location from the location-based block, so that sign-ins originating from the Power Platform are no longer treated as coming from an unapproved location:
(1) Requests from Power Platform use IP addresses that depend on the region and the environment in which the app or flow is located. Add the IP addresses for your region to your allow list so that Power Platform requests are permitted (see reference (3) below):
(2) Some cloud flows may also make calls from IP addresses listed in the Azure Logic Apps documentation (see reference (4) below):
The flows are now working, and the Power Platform developer will continue to monitor them.
What are Azure AD Conditional Access Policies?
With Azure AD Conditional Access policies you can control who can access your Microsoft 365 tenant and the conditions under which access is allowed. For example, these policies can be used to require multi-factor authentication (MFA) or to block access based on network location.
Conditional access policies define rules that determine when and how a user can access an application. Characteristics of the user’s session such as their IP address, location, device, and sign-in risk score are evaluated…These factors can also apply to certain activities such as whether a user is able to view documents in SharePoint Online, or view and download documents.
Numerous ways exist to restrict access to resources using conditional access policies. You can restrict who is allowed access to a resource, define which devices can be used to access resources, or control from what locations an app or service can be used. You can also add restrictions based on characteristics of the user logon; for example, if a user logs on from an unknown location, you can require them to authenticate with MFA even if the device itself would normally be trusted.
Office 365 for IT Pros 2022 Edition (January 2022), page 96.
Using Conditional Access Policies in Report Only Mode
One of the challenges with deploying Conditional Access policies is determining their impact on end users. While creating a single Conditional Access policy can be very straightforward, as policies grow in number they become complex, and it is difficult to predict how a new policy will interact with existing ones. It is also very easy to misconfigure a policy, with a negative impact on users and their applications. To help admins gain insight into the effect of a policy before enforcing it, Conditional Access policies can be configured in “Report Only” mode:
As you begin building conditional access policies, you must be careful not to inadvertently impact end user access to workloads and other applications. To help with this, Azure AD allows you to enable conditional access policies in report-only mode. When a conditional access policy is enabled in report-only mode, you will be able to see the expected effect of the policy when you review the Azure AD sign-in logs. The end user will not be affected since the policy is not fully enabled.
Office 365 for IT Pros 2022 Edition (January 2022), page 99.
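The two steps above, the named-location exclusion from “How to fix the Conditional Access Policy” and the report-only rollout described in this section, as one added example using the Microsoft Graph PowerShell SDK. This is not code from the original post. The CIDR ranges are placeholders (TEST-NET documentation blocks) standing in for the region-specific ranges in references (3) and (4) below; the “Corporate offices” named location, the policy name, and the service principal display names for Power Automate and Power Apps are assumptions to be verified in the customer’s tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: the CIDR ranges are placeholders, a named location called "Corporate offices"
# already exists, and the service principal display names match those in your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
    "Application.Read.All", "Directory.Read.All", "AuditLog.Read.All"

# 1. Named location holding the Power Platform / Logic Apps outbound ranges for the
#    environment's region (take the real values from references (3) and (4)).
$egressRanges = @(
    "203.0.113.0/24",   # placeholder: replace with the region-specific ranges
    "198.51.100.0/24"   # placeholder
)
$egressLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Power Platform egress (placeholder region)"
    isTrusted     = $false   # allowed via a policy exclusion, not marked as a trusted location
    ipRanges      = @($egressRanges | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}

# 2. The customer's existing named location for approved sign-in locations (assumed name).
$corporateLocation = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Corporate offices'"

# 3. Cloud apps the policy must target (reference (5)); verify the display names in your tenant.
$flowSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Flow Service'"
$appsSp = Get-MgServicePrincipal -Filter "displayName eq 'PowerApps Service'"

# 4. Block sign-ins to those apps from every location except the two named locations.
#    The policy starts in report-only mode so the sign-in logs show what it would have done.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block Power Platform from unapproved locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApps = @($flowSp.AppId, $appsSp.AppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($corporateLocation.Id, $egressLocation.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 5. Review the last 24 hours of sign-ins: (a) what the report-only policy would have
#    blocked, (b) live AADSTS53003 failures still caused by the customer's existing policy.
$since   = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$wouldBlock = $signIns | Where-Object {
    $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $policy.Id -and $_.Result -eq "reportOnlyFailure" }
}
$stillBlocked = $signIns | Where-Object { $_.Status.ErrorCode -eq 53003 }

$wouldBlock   | Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName | Format-Table
$stillBlocked | Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName | Format-Table

# 6. Only once the report-only results look right: enforce the new policy, then retire or
#    amend the customer's original location policy so it also excludes $egressLocation.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```

Two caveats a practitioner should keep in mind. First, the exclusion widens what the location policy permits for everyone in scope, so keep the named location limited to the exact ranges for the environment's region and scope the policy to the Power Platform apps rather than all cloud apps. Second, if the customer's existing policy grants access by “all trusted locations” rather than by named-location exclusion, the egress location has to be created with isTrusted set to true instead, and the sign-in log check in step 5 will show whether the 53003 failures actually stop.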
(1) What regions are available? Select the View Report button in Dynamics 365 and Microsoft Power Platform availability.
(2) Intelligent policies for granular access control – Keep your workforce secure and productive by enforcing granular access control with real-time adaptive policies.
(3) Power Platform Administration: IP address configuration – https://docs.microsoft.com/en-us/power-automate/ip-address-configuration
(4) Limits and configuration reference for Azure Logic Apps – https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-limits-and-config?tabs=azure-portal#firewall-configuration-ip-addresses-and-service-tags
(5) Set up Azure AD Conditional Access – If you are using Conditional Access policies to limit access to Power Automate and its features, the following apps must be included in the policy’s Cloud apps assignment: Microsoft PowerApps and Microsoft Flow. See https://docs.microsoft.com/en-us/power-platform/guidance/adoption/conditional-access
(6) Managed connectors outbound IP addresses: Suppose you have an environment with strict network requirements or firewalls that limit traffic to specific IP addresses. If you use managed connectors or custom connectors in Azure Logic Apps or Microsoft Power Platform, your environment or firewall must allow access for the outbound IP addresses used by these connectors in your datacenter region. Otherwise, requests sent by these connectors won’t work. See: Managed connectors outbound IP addresses | Microsoft Docs.