Application missing in Conditional Access exclusion

Christoffer Liberg 21

Hi,

I want to restrict an account to only be allowed to access certain applications. For this reason I have created a conditional access policy that targets the account and all applications. As exclusion I've added the applications that should be allowed. The policy is set to Block.

The problem is that I'm unable to find a certain application when searching the exclusion list under Target resources. When checking the Enterprise applications I can find it and also in the sign-in logs. The application that I can't find is "Dynamics Lifecycle services" with Application Id "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0"

I know I've had other cases where applications are not found, but I don't know for what reason.

Any ideas?

Navya 3,915 Reputation points Microsoft Vendor

2024-04-01T04:26:10.6733333+00:00

Hi @Christoffer Liberg

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.

Accepted answer

Andy David - MVP 141.6K Reputation points MVP

2024-03-27T15:39:40.8766667+00:00

not every app is surfaced to Conditional Access, it could be that Dynamics Lifecycle services is embedded with Dynamics 365 or the Azure mgmt api or not part of either and you cant scope it at all.

One thing you could do is set the CA policy to Report Mode and then scope to one of those target apps and test

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-azure-management
Please sign in to rate this answer.
Christoffer Liberg 21 Reputation points

2024-03-28T05:14:41.4466667+00:00

Hi,

Thanks for the reply!

We are currently testing that approach to see if another application will exclude it.

Do you know if there is certain criteria an application has to meet in order to show up in the exclusion list? I haven't seen any, but it would be nice to know.

Andy David - MVP 141.6K Reputation points MVP

2024-03-28T16:54:02.24+00:00

Yea, there is some explanation here. Another example of one is Defender. You cant scope to that either as its integrated so deeply with other apps.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps
Sign in to comment

1 additional answer

Marcin Policht 10,675 Reputation points MVP

2024-03-27T16:35:31.8333333+00:00

Make sure to register the app as a Web app

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Please sign in to rate this answer.
Christoffer Liberg 21 Reputation points

2024-03-28T05:20:27.76+00:00

Hi,

Thanks for the reply!

How would I do that?

This is not an app registration that I have registered, it's registered in another tenant by Microsoft I would assume. I can find the Enterprise application in multiple tenants at least. The application id is "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0**".**

Marcin Policht 10,675 Reputation points MVP

2024-03-28T16:42:39.3833333+00:00

If so, I don't believe you'll be able to integrate the app with Conditional Access

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Christoffer Liberg 21 Reputation points

2024-04-02T06:43:31.41+00:00

You mean you can only target applications that you've yourself registered as an app registration in your own tenant? I can see multiple applications that I haven't registered as an app registration.

I do understand that I would need to register the application as an Enterprise application (app registration created in another tenant) when it's not there by default. In this case I can see it as a registered Enterprise application.
Sign in to comment