Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions
Running into a challenge with the new Conditional Access behavior for “All cloud apps” + exclusions.
Consider a scenario where organizations exclude apps like Microsoft Intune Company Portal (Linux), Jamf Pro macOS enrollment, and Azure AD connectors for Jamf (macOS login / enrollment flows) from CA policies (e.g., device compliance or MFA).
With the new behavior, sign-ins are still impacted.
The reason: Conditional Access now evaluates all resources involved in the request, not just the primary app. These flows depend on Microsoft Graph (e.g., openid, profile, User.Read), and since Graph isn’t excluded, the policy is enforced.
This introduces challenges for common scenarios:
- Device enrollment (Jamf Pro, Intune, macOS login)
- Platform-specific flows (Linux, macOS)
- Cases where exclusions were previously used to prevent onboarding devices for compliance enrollment.
Curious how others are approaching this:
What’s the recommended design pattern to support these enrollment/login flows without weakening Conditional Access posture by excluding primary resources such as Microsoft Graph and Windows Azure Active Directory?
- c14g-Services (Copper Contributor), Mar 31, 2026
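To make the behaviour change in the post concrete, here is a small Python model of the two evaluation modes it describes. This is an added illustration, not code from the original post or from Microsoft; the app and resource names are taken from the post, and the sets of dependent resources each flow touches are constructed for the example (in a real tenant, read them from the sign-in log's resourceDisplayName field). The last part shows the cost of the tempting workaround the post warns about: excluding Microsoft Graph and Windows Azure Active Directory themselves.

```python
# Added example: minimal model of a Conditional Access policy scoped to
# "All cloud apps" with app exclusions, evaluated the old way (primary app
# only) and the new way (every resource involved in the request).
# Illustrative code, not Microsoft's implementation. App names come from
# the post; the dependency sets below are constructed for this example.
from dataclasses import dataclass

GRAPH = "Microsoft Graph"
AAD_GRAPH = "Windows Azure Active Directory"


@dataclass(frozen=True)
class TokenRequest:
    label: str
    primary_app: str            # app the sign-in is recorded against
    dependencies: frozenset     # other resources the same flow needs tokens for


@dataclass(frozen=True)
class Policy:
    name: str
    excluded_apps: frozenset    # "All cloud apps" minus these


def applies_legacy(policy: Policy, req: TokenRequest) -> bool:
    """Previous behaviour: only the primary app is checked against the exclusions."""
    return req.primary_app not in policy.excluded_apps


def applies_improved(policy: Policy, req: TokenRequest) -> bool:
    """New behaviour: every resource in the request is checked; a single
    non-excluded resource (e.g. Graph for openid/profile/User.Read) is enough
    for the policy to be enforced."""
    involved = {req.primary_app} | req.dependencies
    return any(r not in policy.excluded_apps for r in involved)


def changed_outcomes(policy: Policy, requests) -> list:
    """Labels of requests that were previously bypassed but are now enforced."""
    return [r.label for r in requests
            if not applies_legacy(policy, r) and applies_improved(policy, r)]


def exclude_resources(policy: Policy, *resources: str) -> Policy:
    """Return a copy of the policy with additional resources excluded."""
    return Policy(policy.name, policy.excluded_apps | set(resources))


ENROLLMENT_POLICY = Policy(
    name="Require compliant device",
    excluded_apps=frozenset({
        "Microsoft Intune Company Portal",
        "Jamf Pro macOS enrollment",
    }),
)

# Constructed sample requests (hypothetical dependency sets).
SAMPLE_REQUESTS = [
    TokenRequest("linux-company-portal", "Microsoft Intune Company Portal",
                 frozenset({GRAPH})),
    TokenRequest("jamf-macos-enrollment", "Jamf Pro macOS enrollment",
                 frozenset({GRAPH, AAD_GRAPH})),
    # A direct sign-in to Graph from a browser: no excluded app involved at all.
    TokenRequest("graph-explorer-browser", GRAPH, frozenset()),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r.label:24} legacy={applies_legacy(ENROLLMENT_POLICY, r)!s:5} "
              f"improved={applies_improved(ENROLLMENT_POLICY, r)}")
    print("newly enforced:", changed_outcomes(ENROLLMENT_POLICY, SAMPLE_REQUESTS))

    # The tempting workaround: also exclude Graph and AAD Graph. The enrollment
    # flows bypass the policy again, but so does any direct sign-in to Graph.
    weakened = exclude_resources(ENROLLMENT_POLICY, GRAPH, AAD_GRAPH)
    print("graph-explorer-browser enforced after excluding Graph:",
          applies_improved(weakened, SAMPLE_REQUESTS[2]))
```

Running the script lists the two enrollment flows as newly enforced, and shows that adding Graph to the exclusion list switches the policy off for a plain browser sign-in to Graph as well, which is exactly the posture loss the post is trying to avoid.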
Ouch, I think TD Synnex just started rolling this out and borked ALL of their SharePoint shares. Heads should be rolling at Microsoft AND Synnex for this one. I lost thousands of dollars today because I can't download something I NEED from their SharePoint site and they aren't willing to send the xlsx file like everyone else does in the world. They just lost my future business. I wonder how much this eff up will cost them from other clients leaving.