
0 Votes
ChatoMller-0055 asked bn8959 answered

Exclude Microsoft Authenticator App in Conditional Access Policy

Hi. I have a CAP blocking all cloud apps, and excluding a few apps.
This is blocking the Microsoft Authenticator App, causing users not to be able to approve their MFA request.
I have not found a way to exclude the Microsoft Authenticator App from the Conditional Access Policy.
The workaround is to change the CAP to not include all cloud apps, but manually select the apps to be included in the policy.

Does anyone have any ideas if it's possible to exclude the Authenticator App from a CAP configured to include all cloud apps?

Tags: microsoft-authenticator, azure-ad-multi-factor-authentication, azure-ad-conditional-access

1 Vote
MattMaher-1690 answered ChatoMller-0055 commented

Conditional Access Policies will not let you exclude 1st party applications. There is a user voice request out there to allow CAPs to distinguish the 1st party applications and allow your scenario. Could you remove the licenses to all the 1st party apps that you do not want users to get to (e.g. SharePoint, Outlook, etc.), and exclude the 1st party apps from your Block All policy? Another option you could look at is to see if Cloud App Security could do something similar, but I haven't tried that.

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/33689335-add-conditional-access-support-to-microsoft-app-ac


Thanks Matt. Cloud App Security will be able to handle the app, however I'm not sure if it will allow me to exclude it in a CAP though. Likely not.
I can manually register the Microsoft Authenticator App in Azure AD and it will become available in CAP to be included or excluded, however I guess this will not work since the app ID for my AAD registered app will not match the ID of the app end users are using, and as far as I know you can't change the App ID for a registered AAD app?

How did you manually register the Authenticator App in AAD? The MS owned apps all have App IDs that should be constant across all tenants:
https://github.com/Seb8iaan/Microsoft-Owned-Enterprise-Applications/blob/main/Microsoft%20Owned%20Enterprise%20Applications%20Overview.md


Sorry for being unclear. I can manually register an app with that name, however the appID will differ from the real app used by users, thus it is not going to work in any CAP. I believe it's a shame that Microsoft can't make their Authenticator App and other applications/services available to be added into Azure AD to allow using them in CAP rules. I guess there is a reason for this, although I can't currently see it.
0 Votes
bn8959 answered

I am having this issue too. I need to allow a selection of users to only access the Azure Virtual Desktop app (but require MFA). I can create a CA policy to include All Apps, and Exclude Azure Virtual Desktop, with an action of Block - but the users can't then approve the MFA prompts in their Authenticator App as it blocks their access to that app. The 'Microsoft Authenticator App' can't be exempted from a CA policy (but Azure Virtual Desktop, for example, can).
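An added audit example (not from any poster or from Microsoft) that flags the policy shape discussed in this thread: a "block all cloud apps" policy and its exclusion list, so an admin can review which first-party apps such a policy will also block. It works offline over policy objects in the shape returned by the Graph `conditionalAccess/policies` endpoint; the sample policies and the app/group IDs in them are constructed placeholders.

```python
"""Offline review of Conditional Access policies for the 'Block all cloud apps'
pattern. Sample policies below are constructed and use placeholder IDs; the
field names follow the Microsoft Graph conditionalAccessPolicy schema."""

# Constructed sample, trimmed to the fields this check needs.
SAMPLE_POLICIES = [
    {
        "displayName": "Block all except AVD",
        "state": "enabled",
        "conditions": {
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["<avd-app-id-placeholder>"],
            },
            "users": {"includeGroups": ["<restricted-users-group-placeholder>"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Old block policy (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def block_all_apps_policies(policies, enforced_only=True):
    """Return (displayName, excludeApplications) for each policy that targets
    All cloud apps with a Block grant control. Any app missing from the
    exclusion list, including first-party apps that cannot be excluded, is
    blocked for the users in scope, which is how MFA approval gets blocked."""
    hits = []
    for p in policies:
        if enforced_only and p.get("state") != "enabled":
            continue
        apps = p.get("conditions", {}).get("applications", {})
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "All" in apps.get("includeApplications", []) and "block" in controls:
            hits.append((p["displayName"], list(apps.get("excludeApplications", []))))
    return hits


if __name__ == "__main__":
    for name, excluded in block_all_apps_policies(SAMPLE_POLICIES):
        print(f"{name}: excludes {excluded or 'nothing'}")
```

Run it against a real export by replacing SAMPLE_POLICIES with the `value` array of the Graph response; pass `enforced_only=False` to also see report-only policies.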
