So we have a CA policy that is designed to disallow access to Office365 cloud from non-approved devices. Specifically:
- Applies to all users
- Cloud app: Office365
- Conditions: Platforms: iOS, Android; Client apps: Mobile apps and desktop clients
- Grants: Require MFA, Require approved client app
This works great. People on iPhones, for example, have to use MS Outlook to access their O365-based email.
However, we'd like to allow some third-party apps to connect to Office. For example, we use Rocketbooks and I'd love to let the iOS Rocketbook app send scans to OneNote. Easy enough, I thought: just add Rocketbook to the "excluded" list for cloud apps. This doesn't work. When I try to set up OneNote as a "destination" in the Rocketbook iOS app, it tells me "you can't get there from here. It looks like you're trying to open this resource with an app that hasn't been approved..."
Looking at the sign-in log, under conditional access, I see a failure for the above policy. What seems (to me) to be the issue is that it finds a match under application assignments for Rocketbook. But I excluded Rocketbook, so why is it matching?
The relevant details of the failed sign-in are below:
- Failure reason: Application does not meet the conditional access approved app requirements.
- Application: Rocketbook
- Application ID: c538f3e2-0bd2-467b-a9b4-9894989d4db0 (this matches the enterprise application we have set up in AAD, and the app I excluded in the policy)
- Resource: Microsoft Graph
- Client app: Mobile Apps and Desktop clients
I also tried excluding OneNote from the policy and that doesn't work either. Am I interpreting the failure details incorrectly? The only way this makes sense to me is if the "Rocketbook" being reported in the failure log is the client app, and CA policies aren't able to target specific client apps. If that is the case, is there any other way to do this without removing the "require approved client app" requirement? I couldn't think of any way to create multiple overlapping policies to enforce the first requirement we have while allowing these kinds of third-party client apps.
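The following is an added example, not code from the original post, that models how a Conditional Access policy's cloud-app assignment is matched against a sign-in record. The sign-in record is constructed to mirror the shape of a Microsoft Graph `auditLogs/signIns` entry, where `appId`/`appDisplayName` identify the client that requested the token and `resourceId`/`resourceDisplayName` identify the API being accessed; the policy mirrors the `conditionalAccess/policies` shape. The Rocketbook app ID comes from the post, the Microsoft Graph app ID is the well-known first-party value, and the policy name and the abbreviated Office 365 group membership table are assumptions made for the example.

```python
"""Model of Conditional Access cloud-app scoping against a sign-in record.

Added example: the sign-in below is constructed; the policy name and the
Office 365 group membership table are assumptions for illustration.
"""

MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known first-party app ID
ROCKETBOOK_APP_ID = "c538f3e2-0bd2-467b-a9b4-9894989d4db0"       # client app ID quoted in the post

# Assumption: abbreviated membership of the "Office365" app group, listing only
# the member that this particular sign-in targets.
APP_GROUPS = {"Office365": {MICROSOFT_GRAPH_APP_ID}}

# Constructed sign-in in the shape of GET /auditLogs/signIns.
# appId/appDisplayName = the client that asked for a token;
# resourceId/resourceDisplayName = the API the token was requested for.
SIGNIN = {
    "appId": ROCKETBOOK_APP_ID,
    "appDisplayName": "Rocketbook",
    "resourceId": MICROSOFT_GRAPH_APP_ID,
    "resourceDisplayName": "Microsoft Graph",
    "clientAppUsed": "Mobile Apps and Desktop clients",
    "deviceDetail": {"operatingSystem": "iOS"},
}

# Sign-in log wording -> conditionalAccessPolicy clientAppTypes value.
CLIENT_APP_TYPE_NAMES = {
    "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
    "Browser": "browser",
}


def make_policy(exclude_applications):
    """The post's policy, with a caller-supplied cloud-app exclusion list."""
    return {
        "displayName": "PLACEHOLDER - require approved app on mobile",  # assumed name
        "conditions": {
            "applications": {
                "includeApplications": ["Office365"],
                "excludeApplications": list(exclude_applications),
            },
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"builtInControls": ["mfa", "approvedApplication"]},
    }


def expand(app_ids):
    """Replace app-group names such as "Office365" by their member app IDs."""
    out = set()
    for app in app_ids:
        out |= APP_GROUPS.get(app, {app})
    return out


def resource_in_scope(policy, signin):
    """Cloud-app include/exclude lists are matched against the resource
    (signin['resourceId']), not against the requesting client (signin['appId'])."""
    apps = policy["conditions"]["applications"]
    resource = signin["resourceId"]
    return (resource in expand(apps["includeApplications"])
            and resource not in expand(apps["excludeApplications"]))


def conditions_match(policy, signin):
    """Platform and client-app-type conditions from the sign-in's own fields."""
    cond = policy["conditions"]
    platforms = {p.lower() for p in cond["platforms"]["includePlatforms"]}
    platform_ok = signin["deviceDetail"]["operatingSystem"].lower() in platforms
    client_ok = CLIENT_APP_TYPE_NAMES.get(signin["clientAppUsed"]) in cond["clientAppTypes"]
    return platform_ok and client_ok


def evaluate(policy, signin):
    """Return whether the policy applies, the grants it would enforce, and any
    exclusion entries that name the sign-in's client app rather than its resource
    (those never remove the sign-in from scope)."""
    excludes = policy["conditions"]["applications"]["excludeApplications"]
    ineffective = [a for a in excludes if a == signin["appId"] and a != signin["resourceId"]]
    applies = resource_in_scope(policy, signin) and conditions_match(policy, signin)
    return {
        "applies": applies,
        "grants": policy["grantControls"]["builtInControls"] if applies else [],
        "ineffective_exclusions": ineffective,
    }


if __name__ == "__main__":
    for label, excl in (("no exclusion", []),
                        ("client app excluded", [ROCKETBOOK_APP_ID]),
                        ("resource excluded", [MICROSOFT_GRAPH_APP_ID])):
        print(label, "->", evaluate(make_policy(excl), SIGNIN))
```

Run stand-alone, the script shows that adding the client's app ID to the exclusion list leaves the sign-in in scope (the `ineffective_exclusions` field names it), while only excluding the resource the client calls takes the sign-in out of scope. The second path is not a targeted fix: excluding Microsoft Graph as a resource would lift the approved-app requirement for every client that calls Graph, not just the one you want to allow, which is why the diagnostic distinguishes the two fields.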