Thomas

Reputation: 3

Multifactor authentication with conditional access in Azure Active Directory for custom app

We have a custom web application which is hosted on a Hetzner server. The users get redirected to Azure AD to log in when they want to access the site. Our goal is to enable MFA only for this application, but it does not work. There is only the normal login, but no second factor is required.

We have added a custom cloud app in Azure AD and configured a policy for this app with MFA activated (no matter which client, location, etc.). When MFA is activated globally it works and the users have to enable/use a second factor to get logged in by Azure AD. But with the policy it does not work. The What-If tool says that the policy is used. The Azure AD has a P2 license, and for testing one user also has a Cloud App Security license.

Does anyone know why the conditional access rule is not taken into account?

Upvotes: 0

Views: 372

Answers (2)

Thomas

Reputation: 3

Finally we found a solution for our web application. Our application uses response_type code and used the scope user.read when redirecting to Azure AD. We have added openid to the scope, and now the conditional access policy is executed.

I don't know why this fixes the issue, but maybe someone also falls into this trap and at least finds a solution.

Upvotes: 0
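The fix above comes down to what the authorization request sent to Azure AD asks for. As an added example (not code from the question or either answer), here is a small helper that builds the Azure AD v2.0 authorization-code request and a check that inspects an existing redirect URL for the `openid` scope; the tenant id, client id and redirect URI are placeholders.

```python
# Added example: build an Azure AD v2.0 authorization-code request whose
# scope includes "openid" (an OpenID Connect sign-in), and inspect an existing
# redirect URL for that scope. Tenant/client/redirect values are placeholders.
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce=None):
    """Return the authorization-code request URL for the given scopes.

    Raises ValueError when 'openid' is missing, so a request that would only
    ask for a delegated Graph permission (e.g. user.read) is caught early.
    """
    if "openid" not in scopes:
        raise ValueError("scope must include 'openid' for an OpenID Connect sign-in")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),   # space-separated, URL-encoded by urlencode
        "state": state,              # CSRF protection for the callback
    }
    if nonce:
        params["nonce"] = nonce      # bound into the id_token when one is issued
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def check_authorize_url(url):
    """Inspect a redirect URL already in use; return (has_openid, scopes)."""
    query = parse_qs(urlparse(url).query)
    scopes = query.get("scope", [""])[0].split()
    return "openid" in scopes, scopes


if __name__ == "__main__":
    url = build_authorize_url(
        "TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
        "https://app.example/auth/callback", ["openid", "user.read"], "state123",
    )
    print(url)
    print(check_authorize_url(url))
```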

Jack Jia

Reputation: 5549

I tested on my side, and everything was fine. Here is my conditional access setting:

  1. Select users and groups

  2. Choose the application

  3. Set the grant access control

  4. Enable the policy

Finally, when I tried to sign in to the web application, I was asked to provide additional information. But for other apps (Azure portal, Office portal and so on), I could still sign in directly.


Upvotes: 0
