Users attempting to connect to an application that uses Microsoft Entra ID as the Identity Provider (SAML or OAuth IdP) receive the error "You cannot access this right now" with the description "Your sign-in was successful but does not meet the criteria to access this resource".
The customer configured "Continuous access evaluation" on the Microsoft Entra ID side.
The customer is using the Dedicated IP feature on Cloud SWG to access Microsoft Entra ID from a set of predefined IP addresses.
The "Continuous access evaluation" feature on the Microsoft Entra ID side blocks access per policy:
"when Microsoft Entra reevaluates the conditions, it denies access because the new location detected by Microsoft Entra is outside the allowed IP range." [1]
This Microsoft Entra ID feature is not compatible with the Broadcom Cloud SWG Dedicated IP feature.