Forum Discussion
CA policy Application not found in Target Resources
Hi,
We have a CA policy for some external users (users created in AD and synced to Entra ID) that blocks access to everything in M365 except Azure Virtual Desktop (Resource ID: 9cdead84-a844-4324-93f2-b2e6bb768d07) and Security Info (for MFA setup).
I read about Windows App, that it will replace the "Remote Desktop" app and its web interface https://client.wvd.microsoft.com/arm/webclient/.
So I tried to use the new Windows App web interface (https://windows.cloud.microsoft) with my external test user, but I cannot log on. I get a screen saying that I don't have access.
I checked the sign-in logs and found that I try to log on to a resource called "Windows 365 Portal".
Test - Logging on using the Windows App installed on a PC:
Application: Windows 365 Client
Application ID: 4fb5cc57-dbbc-4cdc-9595-748adff5f414
Resource: Azure Virtual Desktop
Resource ID: 9cdead84-a844-4324-93f2-b2e6bb768d07
Test - Logging on using the Windows App web interface (https://windows.cloud.microsoft/):
Application: Windows 365 Portal
Application ID: 3b511579-5e00-46e1-a89e-a6f0870e2f5a
Resource: Windows 365 Portal
Resource ID: 3b511579-5e00-46e1-a89e-a6f0870e2f5a
"Windows 365 Portal" does not exist in the list of applications that I can set as an exception in the CA policy. The closest I found was "Windows 365", but that does not solve the problem (different Resource ID).
What to do?
1 Reply
You may consider the following as workarounds:
1. Use the “All Cloud Apps” Targeting
- Temporarily switch your CA policy to target “All cloud apps” and then use the “What If” tool in Entra ID to simulate sign-ins and identify which policies are triggered by the Windows 365 Portal.
- This helps confirm whether the app is being blocked due to missing targeting or session controls.
2. Manually Add the App ID via PowerShell or Graph API
- If the Entra UI doesn’t expose the app, you can manually add the Application ID (3b511579-5e00-46e1-a89e-a6f0870e2f5a) to your CA policy using Microsoft Graph API or PowerShell.
- This allows you to explicitly include or exclude the Windows 365 Portal even if it’s not visible in the UI.
3. Use the Installed Windows App Instead
- As a temporary workaround, instruct external users to use the installed Windows App rather than the web interface, since it correctly maps to the AVD resource ID already allowed in your CA policy.
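
Workaround 2 from the reply, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not code from the reply or from Microsoft. The policy ID is a placeholder, and whether Entra accepts this app ID as a policy target is an assumption the page does not confirm.

```powershell
# Added example. Needs the Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns modules.
# Placeholder: the object ID of the blocking CA policy in your tenant.
$PolicyId    = '<conditional-access-policy-object-id>'
# "Windows 365 Portal" application/resource ID, taken from the sign-in log in the question.
$PortalAppId = '3b511579-5e00-46e1-a89e-a6f0870e2f5a'

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Confirm the tenant has a service principal for this app ID and that its
# display name is what the sign-in log showed, before touching the policy.
$sp = Get-MgServicePrincipal -Filter "appId eq '$PortalAppId'"
if (-not $sp) {
    throw "No service principal with appId $PortalAppId found in this tenant."
}
Write-Host "Found service principal: $($sp.DisplayName)"

# Read the current targeting so existing include/exclude entries are preserved.
$policy   = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
$apps     = $policy.Conditions.Applications
$included = @($apps.IncludeApplications | Where-Object { $_ })
$excluded = @($apps.ExcludeApplications | Where-Object { $_ })
Write-Host "Policy '$($policy.DisplayName)' currently excludes: $($excluded -join ', ')"

if ($excluded -contains $PortalAppId) {
    Write-Host 'App ID is already excluded; nothing to change.'
}
else {
    # Send back the include list unchanged and the exclude list with one entry appended.
    $body = @{
        conditions = @{
            applications = @{
                includeApplications = $included
                excludeApplications = @($excluded + $PortalAppId)
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter $body

    # Read the policy back to verify what was actually stored.
    $after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    Write-Host "Now excludes: $($after.Conditions.Applications.ExcludeApplications -join ', ')"
}
```

If the update is rejected, the error returned by Graph states why the app ID could not be used as a target. After a successful change, repeat the web sign-in with the test user and check the sign-in log entry for the policy result.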