Forum Discussion

Jun 29, 2022
Solved

Conditional Access Policy Blocks Guests users from Accepting the invitations. Unable to exclude

Hi Folks, 


I'm trying to implement a Conditional Access Policy to "Restrict All Apps" except "SharePoint" for Azure AD B2B (Guests) accounts. The idea is simple - I only want SharePoint to be accessed/shared with guests so trying to implement strict security from all possible levels in AAD (CA Policy is just one part of it). 


- The CA policy targets a specific group that includes all guests
- All apps are blocked except "SharePoint"


However, when guests try to accept the invitation, the request is being blocked with the following message. 


Error: You don't have access to this. Your sign-in was successful, but you don't have permission to access this resource.


Azure AD Logs says the following app (Microsoft App Access Panel) is being blocked. 


So I tried to exclude it, but the CA Policy app search can't find it (although it's there in Enterprise Apps by default).


Any ideas are greatly appreciated ! Thank you!


  • Unfortunately this seems to be an all too common issue, from what I've read and experienced so far on this scenario. Microsoft hasn't exposed all of the apps (although you have that useful option to target ALL APPS) and they seem to indicate in documentation that targeting all applications should be used sparingly as it can and does have unintended consequences (from what I learned from my colleagues and limited web info).

    If anyone has worked around this or has different thoughts please reply with your inputs. Greatly appreciated!

2 Replies


    •
      Ketzpatel
      Brass Contributor

      manojviduranga 


      I am experiencing the same issue after setting up a CAP to block all apps for Guests except Teams. I added MS Teams service, MyApps, Myprofile & O365 SPO online in the exclusion list, but guest accounts are being blocked when accessing Teams from my organization.


      Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.


      User type: Guest
      Cross tenant access type: B2B collaboration
      Application: Microsoft Teams
      Application ID: 1fec8e78-bce4-4aaf-ab1b-5451cc387264
      Resource: Microsoft Teams Services

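As an added example (not code from this thread, from Microsoft, or from either poster), a small Python triage over exported sign-in entries for a "block all apps for guests except SharePoint" policy like the ones described in the original post and in Ketzpatel's reply. It models the include/exclude evaluation in the Graph conditionalAccessPolicy JSON shape (an assumption about the schema) and counts which app IDs the policy catches for guests, so the ones guests legitimately need can be excluded by ID even when the portal's app picker cannot find them by name. The group id and the SharePoint and Access Panel app ids are placeholders; the Teams app id is the one quoted in the thread.

```python
from collections import Counter

# Constructed policy in the Graph conditionalAccessPolicy JSON shape (assumed);
# the group id and the SharePoint app id are placeholders, not real tenant values.
POLICY = {
    "conditions": {
        "users": {"includeGroups": ["<all-guests-group-id>"]},
        "applications": {
            "includeApplications": ["All"],
            "excludeApplications": ["<sharepoint-online-app-id>"],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sign-in records modelled on the detail pane quoted in the thread.
# The Teams app id is the one Ketzpatel posted; the other ids are placeholders.
SAMPLE_SIGN_INS = [
    {"userType": "Guest", "groups": ["<all-guests-group-id>"],
     "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264", "appDisplayName": "Microsoft Teams"},
    {"userType": "Guest", "groups": ["<all-guests-group-id>"],
     "appId": "<access-panel-app-id>", "appDisplayName": "Microsoft App Access Panel"},
    {"userType": "Guest", "groups": ["<all-guests-group-id>"],
     "appId": "<sharepoint-online-app-id>", "appDisplayName": "Office 365 SharePoint Online"},
    {"userType": "Member", "groups": [],
     "appId": "<access-panel-app-id>", "appDisplayName": "Microsoft App Access Panel"},
]

def policy_blocks(policy, sign_in):
    """True if this block policy is in scope for the sign-in: the user is in an
    included group and the app is included and not on the exclusion list."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if not set(sign_in["groups"]) & set(users.get("includeGroups", [])):
        return False
    if sign_in["appId"] in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or sign_in["appId"] in included

def blocked_apps_for_guests(policy, sign_ins):
    """Count blocked guest sign-ins per (appId, appDisplayName). Every key is an
    app the policy catches; any one guests legitimately need (invitation
    redemption, Teams) has to be added to excludeApplications by its app id."""
    counts = Counter()
    for s in sign_ins:
        if s["userType"] == "Guest" and policy_blocks(policy, s):
            counts[(s["appId"], s["appDisplayName"])] += 1
    return counts
```

Running `blocked_apps_for_guests(POLICY, SAMPLE_SIGN_INS)` over a real sign-in export (same field names) lists the app ids to paste into the policy's exclusion list; the SharePoint entry is absent because it is already excluded.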