This is an unexpected behavior MS doesn't admit. As soon as you have an exclusion in the CAP, other applications with a specific set of Graph API permissions (I don't remember which ones, but they are 5 common API permissions) are excluded as well.
If you select all cloud apps, everything is OK. This is happening when your specific app is not selectable in the scope of the CAP.
MS suggested adding dummy API permissions to the app, but we tried and it didn't work. I hope they will fix it soon.
AAD Conditional Access Policy not applying to App Registration
I have recently registered an enterprise app in my tenant which is being used by users on macOS and iOS devices to authenticate using their corporate identity. The conditions in the policy are below:
Specific users
macOS and iOS platforms
Cloud app is specified
Grant access only when authenticated with MFA
Within the AAD sign-in logs, I'm not seeing that the CAP is being applied. It looks like the conditions are not matching the application name, and therefore the conditional access policy is not applied.
However...
When selecting all cloud apps in the CAP, MFA is required at sign-in and the policy shows it has been enforced, as the CAP has matched the application name. I get the same result when I select the newly registered app together with other built-in apps such as O365: the CAP is then applied.
The resource ID listed in each of the sign-ins is as shown below:
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
The resource ID 00000003-0000-0000-c000-000000000000 is actually for the GraphAggregatorService. I have set specific application permissions along with delegated API permissions for the app registration, but I'm still receiving the same results.
Without the ability to see any kind of advanced monitoring when the users attempt to sign in, and not being able to see exactly what's happening at the backend, I'm struggling to understand why the CAP policy to enforce MFA does not work when assigned to just this single cloud app, but does work when combined with others.
Any thoughts would be appreciated.
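A small triage script for the sign-in records described in the question, added here as an example and not code from the thread or from Microsoft. It separates the client app (appId/appDisplayName) from the resource the token was issued for (resourceId/resourceDisplayName), which is the column the CAP "cloud apps" condition is evaluated against, and lists sign-ins from the registered app where the expected policy did not apply. The record shape follows the Microsoft Graph /auditLogs/signIns object; the client app ID, user names and policy name are constructed placeholders.

```python
from collections import Counter

# Resource ID quoted in the question (Microsoft Graph / GraphAggregatorService).
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample records in the shape of /auditLogs/signIns objects (only the
# fields used here). The app ID, users and policy name are placeholders.
CLIENT_APP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appId": CLIENT_APP_ID,
     "appDisplayName": "Contoso Mobile", "resourceId": MS_GRAPH_RESOURCE_ID,
     "resourceDisplayName": "Microsoft Graph", "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "alice@example.com", "appId": CLIENT_APP_ID,
     "appDisplayName": "Contoso Mobile", "resourceId": MS_GRAPH_RESOURCE_ID,
     "resourceDisplayName": "Microsoft Graph", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA - mobile", "result": "success"}]},
    {"userPrincipalName": "bob@example.com", "appId": CLIENT_APP_ID,
     "appDisplayName": "Contoso Mobile", "resourceId": CLIENT_APP_ID,
     "resourceDisplayName": "Contoso Mobile", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA - mobile", "result": "success"}]},
]


def resource_summary(signins):
    """Count sign-ins per (client app, target resource, CA status).

    The CAP 'cloud apps' condition is matched against the target resource, so a
    client that only requests Microsoft Graph tokens shows up under Microsoft Graph
    rather than under its own app registration."""
    return Counter((s["appDisplayName"], s["resourceDisplayName"],
                    s["conditionalAccessStatus"]) for s in signins)


def unprotected_signins(signins, policy_name, client_app_id):
    """Return sign-ins from the given client app where policy_name was not
    successfully applied (a 'notApplied' status or the policy missing from the
    applied list)."""
    hits = []
    for s in signins:
        if s["appId"] != client_app_id:
            continue
        applied = {p["displayName"]
                   for p in s.get("appliedConditionalAccessPolicies", [])
                   if p.get("result") == "success"}
        if policy_name not in applied:
            hits.append(s)
    return hits


if __name__ == "__main__":
    for key, n in resource_summary(SAMPLE_SIGNINS).items():
        print(n, key)
    for s in unprotected_signins(SAMPLE_SIGNINS, "Require MFA - mobile", CLIENT_APP_ID):
        print("policy not applied:", s["userPrincipalName"], s["resourceDisplayName"])
```

With a real export, replace SAMPLE_SIGNINS with the records returned by GET /auditLogs/signIns for the app in question.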
Fabbris Christian (5 Reputation points)
2023-03-02T20:17:46.9+00:00