Blog Post
Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions
For now I asked developers to refactor their code and make 2 login buttons, each with its own app registration: one for internal users, and one for the external non-MFA users.
Since it was activated for us around March 20 (the announcement), we are in a bit of a hurry. The May 13th date does not apply to us, it seems.
What is the "Windows Azure Active Directory" app? Will excluding that really work? What are the side effects? Will I disable MFA on more than just the excluded apps?
BTW: how will 3 work? If I have MFA on all apps in another?
I have User.Read and User.Read.All triggering the MFA.
Windows Azure Active Directory (application ID: 00000002-0000-0000-c000-000000000000) is a default application in each Entra tenant that is used in Conditional Access evaluation of the low-privilege scopes affected by this change (openid, profile, user.read, etc.).
Excluding that app would (to my understanding) effectively "nullify" / "cancel out" this change and keep the behavior as it was before. Which obviously is NOT a recommended path forward, but it could perhaps work as a workaround until you have a better fix in place that allows.
Please note that excluding this app may also remove the MFA requirement from any older/legacy self-developed apps that are still using the "Azure AD Graph API" instead of the "Microsoft Graph" API.
(Azure AD Graph API is currently deprecated and slowly being retired, so ideally there should not be anything using it anymore)
--
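If the exclusion above is used as a stop-gap, it is worth being able to find every policy that carries it. The following is an added audit example, not code from the post or from Microsoft; it walks a list of Conditional Access policies in the JSON shape Microsoft Graph returns for `/identity/conditionalAccess/policies` and flags enabled MFA-for-all-apps policies that exclude the Windows Azure Active Directory app. The sample policies are constructed.

```python
"""Flag Conditional Access policies that exclude the Windows Azure Active
Directory app from an MFA requirement (the workaround discussed above).

Input: a list of policy objects in the Microsoft Graph JSON shape, e.g. the
"value" array from GET /identity/conditionalAccess/policies.
"""
import json

# First-party app quoted in the reply above.
AAD_APP_ID = "00000002-0000-0000-c000-000000000000"


def policies_excluding_aad(policies):
    """Return display names of enabled policies that require MFA for all
    cloud apps but exclude the Windows Azure AD app.

    Such a policy keeps the pre-change behaviour: the low-privilege scopes
    (openid, profile, User.Read, ...) and any legacy Azure AD Graph callers
    are no longer covered by the MFA grant control.
    """
    findings = []
    for p in policies:
        if p.get("state") != "enabled":      # report-only/disabled: no effect
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        include = {a.lower() for a in apps.get("includeApplications", [])}
        exclude = {a.lower() for a in apps.get("excludeApplications", [])}
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if AAD_APP_ID in exclude and "all" in include and "mfa" in controls:
            findings.append(p["displayName"])
    return findings


# Constructed sample export (three policies, one of them carrying the workaround).
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [AAD_APP_ID]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "MFA pilot (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [AAD_APP_ID]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]})


def audit_export(text):
    """Parse an exported policy set and return the flagged policy names."""
    return policies_excluding_aad(json.loads(text)["value"])


if __name__ == "__main__":
    for name in audit_export(SAMPLE_EXPORT):
        print(f"excludes Windows Azure AD app from MFA: {name}")
```

The check looks only at the application condition and grant controls; user, group and platform scoping are not evaluated, so a flagged policy still needs a manual look at who it applies to.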
After further investigation into my previous thought on option 3, I realize it won't work, as CA is additive and the "most restrictive" condition wins, which in that case would be the MFA, not the grant access from the new policy. So don't mind that option; I kind of wrote that out of my head, thinking it would apply in a reversed order for some reason.
-