Forum Discussion
Users Cannot Change Passwords – Conditional Access Blocking Office 365 Portal (Non-Admin Scenario)
While the Microsoft 365 (Office 365) Portal (App ID: 00000006-0000-0ff1-ce00-000000000000) is not technically an “admin-only” portal, it shares app ID overlaps with some admin interfaces and underlying services — including those used during:
Password changes via Ctrl + Alt + Del
SSPR (Self-Service Password Reset)
MFA registration and recovery
So when your CA policy targets "Microsoft Admin Portals," it ends up catching Microsoft 365 Portal and related authentication flows that route through shared backends — even if the intent is only to block actual admin consoles (like Azure Portal, Microsoft 365 Admin Center, etc.).
I prefer to use “Cloud apps or actions” targeting carefully and avoid using “Microsoft Admin Portals” as an app group if you need fine-grained control.
Option 1: Use explicit app inclusion instead of “Microsoft Admin Portals” built-in group
Instead of selecting “Microsoft Admin Portals,” manually select only the specific admin apps you want to block:
Microsoft Azure Management (Azure Portal)
Microsoft 365 Admin Center
Exchange Online Admin
SharePoint Admin, etc.
Option 2: Exclude Microsoft 365 Portal explicitly
Suppose you want to continue using “Microsoft Admin Portals” as a group. In that case, you can exclude the Office 365 Portal (App ID above) from the policy; however, this approach is less precise and may not always behave consistently across tenants.
Please read this link; it also advises excluding the suite.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#office-365
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps
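The two options above, scripted against Microsoft Graph with the Microsoft.Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft. The group IDs are hypothetical placeholders; the Office 365 Portal app ID is the one quoted in the post and the Microsoft Azure Management app ID is the well-known first-party ID from the linked docs. Both policies are created in report-only state so they can be checked in the sign-in logs before enforcement, and a final loop flags any existing policy that targets "Microsoft Admin Portals" without excluding the Office 365 Portal.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph SDK and a session with:
# Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Hypothetical IDs - replace with values from your tenant.
$AdminGroupId      = "00000000-0000-0000-0000-000000000001"   # group whose members should be kept out of admin consoles
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # emergency-access accounts, always excluded from block policies

# First-party app IDs: Office 365 Portal (quoted in the post) and Microsoft Azure Management (from the linked docs).
$Office365PortalAppId = "00000006-0000-0ff1-ce00-000000000000"
$AzureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Shared pieces: who the policy applies to, and the grant control (block).
$users = @{
    includeGroups = @($AdminGroupId)
    excludeGroups = @($BreakGlassGroupId)
}
$block = @{ operator = "OR"; builtInControls = @("block") }

# Option 1: include explicit admin apps instead of the built-in "Microsoft Admin Portals" group.
# Add further admin app IDs (M365 Admin Center, Exchange/SharePoint admin) from the docs page as needed.
$option1 = @{
    displayName   = "Block admin consoles - explicit apps (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @($AzureManagementAppId) }
        clientAppTypes = @("all")
    }
    grantControls = $block
}

# Option 2: keep the built-in group but exclude the Office 365 Portal so password change / SSPR / MFA
# registration flows that route through it are not caught.
$option2 = @{
    displayName   = "Block Microsoft Admin Portals - O365 Portal excluded (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $users
        applications   = @{
            includeApplications = @("MicrosoftAdminPortals")
            excludeApplications = @($Office365PortalAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = $block
}

$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $option1
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $option2
Write-Host "Created: $($p1.DisplayName) [$($p1.Id)]"
Write-Host "Created: $($p2.DisplayName) [$($p2.Id)]"

# Audit check: any policy that targets the admin portals group without excluding the Office 365 Portal
# is a candidate for the "users cannot change their password" symptom described in the post.
Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.Conditions.Applications.IncludeApplications -contains "MicrosoftAdminPortals" -and
    $_.Conditions.Applications.ExcludeApplications -notcontains $Office365PortalAppId
} | Select-Object DisplayName, State, Id
```

Leave the policies in report-only mode until the sign-in logs show the expected "Report-only: Failure" results only for the admin consoles, then switch state to "enabled" with Update-MgIdentityConditionalAccessPolicy.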