Mobile approval app notifications delayed after Azure AD authentication policy update

We’re experiencing significant delays in push notifications for our Power Apps mobile approval application after our IT team updated Azure AD conditional access policies. Approvers are receiving notifications 2-4 hours late, which is causing us to miss approval SLAs.

The mobile app is built on Power Apps and integrates with Power Automate approval workflows. Previously, approvers received notifications within 1-2 minutes of a request being submitted. After the Azure AD policy update (which added multi-factor authentication requirements and device compliance checks), notification delivery has become unreliable.

The workflow shows approvals as “Pending” immediately, and the approval requests are visible in the app when users manually open it, but the push notifications arrive hours later or not at all. Our approval SLAs require response within 4 hours, and these delays are causing breaches. Has anyone dealt with Azure AD conditional access policies affecting mobile notification delivery in approval workflows?

Here’s the comprehensive solution addressing all three focus areas:

1. Azure AD Conditional Access - Policy Refinement: The root cause is your conditional access policy enforcing 4-hour re-authentication for all Power Platform services, including the notification delivery service. You need to create a tiered policy approach:

a) Identify the Power Platform service principals in Azure AD:

  • Power Apps: 4be51a28-d7a9-4576-b5c8-9d72d8d5e5f0
  • Power Automate: 7df0a125-d3be-4c96-aa54-591f83ff541c
  • Power Platform Notification Service: check your tenant’s enterprise apps

b) Create a new conditional access policy specifically for mobile approval workflows:

  • Name: “Power Apps Mobile - Approval Notifications”
  • Users: Include approval groups
  • Cloud apps: Select Power Apps and Power Automate
  • Conditions: Device platforms = iOS and Android
  • Grant: Require MFA on first sign-in, then allow 8-hour session
  • Session: Sign-in frequency = 8 hours (not 4)

c) Exclude the notification service principal from strict re-authentication:

  • In your main conditional access policy, add an exclusion for service principals
  • This allows the notification service to maintain persistent tokens
  • Users still authenticate with MFA, but background services can push notifications

2. Mobile Notification Delivery - Service Configuration: Optimize your Power Apps mobile notification configuration:

a) Verify notification connection settings in Power Apps:

  • Navigate to your mobile app → Settings → Notifications
  • Ensure “Push notifications” is enabled
  • Verify the connection uses a service account, not individual user credentials

b) Configure Power Automate approval flow for optimal delivery:

  • Use “Send push notification v2” action (supports better retry logic)
  • Set priority to “High” for approval notifications
  • Add recipient’s mobile device ID explicitly (don’t rely on user lookup)
  • Enable “Require acknowledgment” to track delivery

c) Implement notification fallback strategy:

  • If push notification fails, send email notification after 5 minutes
  • Send SMS notification after 15 minutes (for critical approvals)
  • Log all notification attempts to a tracking table

d) Test notification delivery:

  • Use Azure Application Insights to monitor notification service calls
  • Check for 401 authentication errors in the logs
  • Verify token refresh is succeeding for the service principal

3. Approval Workflow SLA - Compliance Assurance: Ensure your approval workflows meet SLA requirements despite authentication constraints:

a) Implement SLA monitoring and escalation:

  • Add a parallel branch that waits 1 hour after the approval request
  • If no response, send escalation notification to approver’s manager
  • If no response after 3 hours, send urgent notification via multiple channels
  • Auto-approve low-value requests if SLA breach imminent (with audit log)

b) Optimize workflow for mobile approvers:

  • Add “Quick Actions” in the notification that allow approve/reject without opening the app
  • Use adaptive cards in notifications with embedded approve/reject buttons
  • This reduces dependency on app authentication for simple approvals

c) Configure device compliance requirements appropriately:

  • If requiring managed devices, ensure approvers’ phones are enrolled in Intune
  • For BYOD scenarios, use app protection policies instead of full device compliance
  • This reduces authentication friction while maintaining security

d) Monitor and report SLA performance:

  • Create Power BI dashboard tracking notification delivery time
  • Alert if average delivery time exceeds 5 minutes
  • Track approval response time by approver (identify bottlenecks)
  • Report SLA breach rate to stakeholders weekly

Immediate Actions:

  1. Contact your Azure AD admin to implement the tiered conditional access policy today
  2. Extend token lifetime for Power Apps mobile from 4 hours to 8 hours as interim fix
  3. Add email notification fallback to your approval flows (takes 30 minutes to implement)
  4. Test notification delivery after policy changes with a pilot approver group

Long-term Recommendations:

  • Consider implementing Intune app protection policies for better security without notification impact
  • Use Azure AD Privileged Identity Management for high-value approvals requiring stronger authentication
  • Implement approval delegation feature so approvers can assign backups during unavailability
  • Regular review of conditional access policies to ensure they don’t conflict with business processes

The key is balancing security requirements with operational needs. The 4-hour re-authentication policy is too strict for approval workflows with tight SLAs. Extending to 8 hours and excluding notification services from the strictest policies will restore notification delivery while maintaining security compliance.
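The answer above recommends a tiered policy (8-hour sign-in frequency for the mobile approval apps, app protection rather than full device compliance for BYOD phones) and a regular review of conditional access policies for conflicts with business processes. The script below is an added example written for this thread, not code from any of the posters or from Microsoft: it audits a list of policies in the shape Microsoft Graph returns from `GET /identity/conditionalAccess/policies` (the `value` array) and flags enabled policies that cover the Power Platform apps on iOS/Android with a sign-in frequency below 8 hours or a `compliantDevice` grant. The policy names, group ids and the two application ids are constructed placeholders; take the real app ids from your own tenant's enterprise applications, and pull the export with the Graph API or the `Get-MgIdentityConditionalAccessPolicy` cmdlet before feeding it in.

```python
"""Audit exported Conditional Access policies for settings that can starve
background (push notification) token refresh on mobile approval apps.

Added example for this thread, not the posters' code. Assumes the Graph
conditionalAccessPolicy shape; sample policies below are constructed.
"""

# Placeholder application ids: substitute the Power Apps / Power Automate
# app ids listed under Enterprise applications in your own tenant.
POWER_APPS_ID = "00000000-0000-0000-0000-0000000000a1"       # placeholder
POWER_AUTOMATE_ID = "00000000-0000-0000-0000-0000000000a2"   # placeholder
POWER_PLATFORM_APPS = {POWER_APPS_ID, POWER_AUTOMATE_ID}
MOBILE_PLATFORMS = {"iOS", "android"}           # Graph platform enum values
MIN_SIGNIN_FREQUENCY_HOURS = 8                  # thread's recommendation


def frequency_hours(policy):
    """Sign-in frequency in hours, or None when the control is not enforced."""
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled") or sif.get("value") is None:
        return None
    return sif["value"] * 24 if sif.get("type") == "days" else sif["value"]


def targets_power_platform(policy):
    """True if the policy's application scope covers a Power Platform app."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    if "All" in included:
        return not POWER_PLATFORM_APPS <= excluded
    return bool(included & (POWER_PLATFORM_APPS - excluded))


def targets_mobile(policy):
    """True if the policy applies to iOS or Android (no platform condition
    means the policy applies on every platform)."""
    plats = (policy.get("conditions") or {}).get("platforms") or {}
    included = set(plats.get("includePlatforms") or [])
    excluded = set(plats.get("excludePlatforms") or [])
    if not included:
        return True
    if "all" in included:
        return not MOBILE_PLATFORMS <= excluded
    return bool(included & (MOBILE_PLATFORMS - excluded))


def audit(policies):
    """Return (policy name, finding) pairs for enabled policies that are
    likely to break background notification delivery to mobile approvers."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        if not (targets_power_platform(p) and targets_mobile(p)):
            continue
        name = p.get("displayName", "<unnamed>")
        hours = frequency_hours(p)
        if hours is not None and hours < MIN_SIGNIN_FREQUENCY_HOURS:
            findings.append((name, f"sign-in frequency {hours}h is below "
                                   f"{MIN_SIGNIN_FREQUENCY_HOURS}h"))
        grant = (p.get("grantControls") or {}).get("builtInControls") or []
        if "compliantDevice" in grant:
            findings.append((name, "requires compliantDevice; unenrolled BYOD "
                                   "phones fail silently, prefer app protection"))
    return findings


# Constructed sample export: the tenant-wide policy the thread describes as
# the root cause, the recommended mobile approval policy, and a disabled draft.
SAMPLE_POLICIES = [
    {"displayName": "Strict MFA - all users", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": []},
                    "platforms": None},
     "grantControls": {"operator": "AND",
                       "builtInControls": ["mfa", "compliantDevice"]},
     "sessionControls": {"signInFrequency": {"value": 4, "type": "hours",
                                             "isEnabled": True}}},
    {"displayName": "Power Apps Mobile - Approval Notifications",
     "state": "enabled",
     "conditions": {"applications": {"includeApplications": [POWER_APPS_ID,
                                                             POWER_AUTOMATE_ID]},
                    "platforms": {"includePlatforms": ["iOS", "android"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"value": 8, "type": "hours",
                                             "isEnabled": True}}},
    {"displayName": "Draft - block legacy auth", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for policy_name, finding in audit(SAMPLE_POLICIES):
        print(f"{policy_name}: {finding}")
```

On the sample export only the tenant-wide policy is reported, once for the 4-hour sign-in frequency and once for the `compliantDevice` grant, which matches the diagnosis in the thread: the approval-specific policy with an 8-hour frequency and an MFA-only grant passes. Run the script against a real export after every policy change to catch a regression before approvers notice it as late notifications.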

We had this exact issue last month. The solution involves configuring your conditional access policy to exclude the Power Platform notification services from the strict authentication requirements. In Azure AD, you can create a separate policy for the Power Apps service principal (App ID: 4be51a28-…) that allows persistent tokens for push notifications while still enforcing MFA for interactive user sessions. This way, notifications flow immediately but users still authenticate securely when using the app.

I checked with our security team and yes, the new policy requires sign-in verification every 4 hours with MFA for unmanaged devices. Most of our approvers use personal phones, so they’re hitting this requirement frequently. Could this be causing the notification service to fail authentication and delay delivery until the user manually opens the app?

Beyond the conditional access issue, check your Power Automate flow configuration. Make sure you’re using the “Send push notification” action correctly with the proper connection reference. If the connection uses a service account that’s also subject to the conditional access policy, notifications will fail. Consider using a dedicated service principal for workflow notifications that’s exempt from the user-focused MFA policies.