Overview
To prevent administrators from accidentally denying access to all users in an Azure Active Directory (Azure AD) tenant, Azure AD includes a validation check for new conditional access policies. If the policy includes an action that would block access for all users, the policy will fail validation and will not be deployed. This ensures that administrators do not lock themselves out.
If you are encountering the error message “1032: ConditionalActionPolicy validation failed due to BlockEveryonePolicy” while attempting to deploy a conditional access policy in Azure AD using MSPMagic, you can easily resolve the issue by including a user in the ExcludeUsers field. We recommend using a variable to populate the value.
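As an added example (not MSPMagic's or Microsoft's code), the following Python pre-deployment check flags a policy document in the Microsoft Graph conditionalAccessPolicy shape that would fail this validation, and applies the same fix the rest of this article performs through the UI: excluding a break-glass account. The sample policy and the user object id are constructed placeholders.

```python
import copy
import json

# Constructed sample policy in the Microsoft Graph conditionalAccessPolicy
# shape: block control, all users included, nobody excluded. This is the
# shape the BlockEveryonePolicy validation rejects.
BLOCK_ALL_POLICY = json.loads("""
{
  "displayName": "Block all users (constructed sample)",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
    "applications": {"includeApplications": ["All"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}
}
""")

# Placeholder object id for the break-glass account, not a real user.
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-00000000beef"

def blocks_everyone(policy: dict) -> bool:
    """Conservative pre-deployment check: True when the policy carries a
    block control, includes All users and excludes no user or group.
    Other conditions that might narrow the scope are deliberately ignored,
    because excluding a break-glass account is the right fix either way."""
    controls = policy.get("grantControls") or {}
    built_in = [c.lower() for c in controls.get("builtInControls", [])]
    if "block" not in built_in:
        return False
    users = (policy.get("conditions") or {}).get("users") or {}
    if "All" not in users.get("includeUsers", []):
        return False
    return not users.get("excludeUsers") and not users.get("excludeGroups")

def with_break_glass(policy: dict, user_id: str) -> dict:
    """Return a copy of the policy with the break-glass account added to
    excludeUsers (the resolution this article describes); the input is
    left untouched so before and after can be compared."""
    fixed = copy.deepcopy(policy)
    users = fixed.setdefault("conditions", {}).setdefault("users", {})
    excluded = users.setdefault("excludeUsers", [])
    if user_id not in excluded:
        excluded.append(user_id)
    return fixed

if __name__ == "__main__":
    fixed = with_break_glass(BLOCK_ALL_POLICY, BREAK_GLASS_USER_ID)
    print(blocks_everyone(BLOCK_ALL_POLICY), blocks_everyone(fixed))
```

Running the check over every policy document before deployment surfaces the BlockEveryonePolicy failure locally instead of at tenant apply time.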
Resolution
Follow these steps to add a user to the ExcludeUsers field.
Note – this can also be done with a group variable that targets the ExcludeGroups field.
Part 1 – Create a managed variable
- Open the variable manager
- Click + Add New Variable
- Enter a value in the name field, e.g. ‘Break Glass Account’, and set the type to User
- Assign at least one user to the variable for each tenant in which you plan to use this policy
- Click Save
Part 2 – Assign the managed variable to the ExcludeUsers field
- Open the Policy Manager and locate the policy
- Click on the policy to open the policy flyout
- Click next until you see the policy data
- Click on the Edit Mode button to edit the document
- Click on the pencil icon next to ExcludeUsers
- Scroll through the list of managed variables until you find the variable created in Part 1 and click Save. The variable should now appear in the ExcludeUsers section of the policy.
- Click Next on the policy flyout and then click Finish to apply the changes.
Part 3 – Reapply the policy to the tenant
If the policy has been applied directly to the tenant and not via a template, remove the policy from the tenant and then apply it again. It should now apply.
If the policy has been applied to a tenant via a template, go to the tenant inside MSPMagic and click Run Automation. The policy should now be applied.
If you are still unable to apply the policy after following these steps, open a support ticket from the Assistance page inside MSPMagic.