anonanonanon-5472 asked:

How to exclude an enterprise app from conditional access policy

So we have a CA policy that is designed to disallow access to Office365 cloud from non-approved devices. Specifically:
- Applies to all users
- Cloud app: Office365
- Conditions: Platforms: iOS, Android; Client apps: Mobile apps and desktop clients
- Grants: Require MFA, Require approved client app

This works great. People on iPhones, for example, have to use MS Outlook to access their O365-based email.

However, we'd like to allow some 3rd party apps to connect to Office. For example, we use Rocketbooks and I'd love to let the iOS Rocketbook app send scans to OneNote. Easy enough, I thought: just add Rocketbook to the "excluded" list for cloud apps. This doesn't work. When I try to set up OneNote as a "destination" in the Rocketbook iOS app, it tells me "you can't get there from here. It looks like you're trying to open this resource with an app that hasn't been approved..."

Looking at the sign-in log, under conditional access, I see a failure for the above policy. What seems (to me) to be the issue is that it finds a match under application assignments for Rocketbook. But I excluded Rocketbook, so why is it matching?

The relevant details of the failed sign-in are below:
- Failure reason: Application does not meet the conditional access approved app requirements.
- Application: Rocketbook
- Application ID: c538f3e2-0bd2-467b-a9b4-9894989d4db0 (this matches the enterprise application we have set up in AAD, and the app I excluded in the policy)
- Resource: Microsoft Graph
- Client app: Mobile Apps and Desktop clients

I also tried excluding OneNote from the policy and that doesn't work either. Am I interpreting the failure details incorrectly? The only way this makes sense to me is if the "Rocketbook" being reported in the failure log is the client app, and CA policies aren't able to target specific client apps. If that is the case, is there any other way to do this without removing the "require approved client app" requirement? I couldn't think of any way to create multiple overlapping policies to enforce the first requirement we have while allowing these kind of 3rd party client apps.

Tags: azure-ad-conditional-access, mem-intune-conditional-access
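The question above hinges on which identity the failed sign-in records as the application the policy matched on. Rather than reading the portal one event at a time, the script below pulls the same records from the Entra ID (Azure AD) sign-in log and, for each CA failure generated by the app ID quoted in the post, prints side by side what the log stores as the client application (AppId/AppDisplayName, the app that requested the token) and as the resource (ResourceId/ResourceDisplayName, the API the token was requested for), plus which policy failed and which grant controls it enforced. It then checks both IDs against the policy's cloud-app include and exclude lists so you can see which of the two the exclusion actually covers. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, the permissions named in the comments, and a policy display name that you must substitute with your own.

```powershell
# Added diagnostic example (not from the original post). Assumes the
# Microsoft.Graph PowerShell SDK is installed and the signed-in admin holds
# AuditLog.Read.All, Directory.Read.All and Policy.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All'

# App ID of the Rocketbook enterprise app, as quoted in the post above.
$clientAppId = 'c538f3e2-0bd2-467b-a9b4-9894989d4db0'
# Display name of the CA policy in question. ASSUMED placeholder: replace it
# with the real name of the policy described in the post.
$policyName = 'Block O365 from unapproved mobile clients'

# Read back the policy's cloud-app targeting as stored in Graph.
$policy = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }
if (-not $policy) { throw "No CA policy named '$policyName' found." }
$include = @($policy.Conditions.Applications.IncludeApplications)
$exclude = @($policy.Conditions.Applications.ExcludeApplications)
"Policy '$($policy.DisplayName)' includes apps: $($include -join ', ')"
"Policy '$($policy.DisplayName)' excludes apps: $($exclude -join ', ')"

# Sign-ins where the token requester (client) was the Rocketbook app; the
# server-side filter is on appId, CA status is filtered client-side.
$failures = Get-MgAuditLogSignIn -All -Filter "appId eq '$clientAppId'" |
    Where-Object { $_.ConditionalAccessStatus -eq 'failure' } |
    Sort-Object CreatedDateTime -Descending |
    Select-Object -First 10

foreach ($s in $failures) {
    # Each applied policy carries its own result and the controls it enforced.
    $failedPolicies = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'failure' } |
        ForEach-Object { "$($_.DisplayName) [$($_.EnforcedGrantControls -join ',')]" }

    [pscustomobject]@{
        When               = $s.CreatedDateTime
        # AppId / AppDisplayName: the client that requested the token.
        ClientApp          = "$($s.AppDisplayName) ($($s.AppId))"
        ClientAppType      = $s.ClientAppUsed
        # ResourceId / ResourceDisplayName: the API the token was requested for.
        Resource           = "$($s.ResourceDisplayName) ($($s.ResourceId))"
        # Which of the two IDs the policy's exclude list actually names.
        ClientAppExcluded  = ($exclude -contains $s.AppId)
        ResourceExcluded   = ($exclude -contains $s.ResourceId)
        FailedPolicies     = ($failedPolicies -join '; ')
    }
}
```

Run it after reproducing the failure from the device; the ClientAppExcluded and ResourceExcluded columns show whether the ID you put in the exclusion list is the one the log records as the client or the one it records as the resource, which is exactly the ambiguity the post is asking about. Note that a grouped target such as "Office365" appears in the include list as that literal rather than as the individual service IDs, so a resource ID will not match it by string comparison.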

One additional data point... we had a similar ask to be able to connect iOS Calendars to Office. I excluded the "Apple Internet Accounts" cloud app from the policy in the OP and that worked fine. The successful sign-on event shows "Apple Internet Accounts" as the application, just like "Rocketbook" shows up for the failure. Why does one work but not the other?

0 Votes

@anonanonanon-5472 Thanks for posting in our Q&A.
I have not met such a problem. Maybe this article on Conditional Access policies can explain your doubts.

In order to quickly identify the root cause, it is better to create an online support ticket to handle this issue. It is free. Here is the online support link; hope it will be resolved as soon as possible.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support
Thanks for your understanding.

1 Vote

0 Answers