Forum Discussion

RobertEllis
Copper Contributor
Apr 15, 2021

Exclusion of Teams from Conditional Access Policy does not work?

We want to implement a CA policy which enforces MFA when users are signing in outside our trusted networks, except for MS Teams, which users should be able to Sign in to regardless of location.

We also need for ActiveSync to work.

We have configured a Policy accordingly.

In "Users and Groups" we have some users included (by Group) and others excluded (by Group)

In "Cloud apps or actions" we have Include "All cloud apps" and Exclude "Microsoft Teams"

In Conditions, under Locations, we have "Any location and all trusted locations excluded"

In Conditions, under Client apps, we have Configured ("Yes") and the 2 checkboxes for "Modern authentication clients" are checked (including ActiveSync)

We have tested the Policy from an Untrusted location in Report-only mode. When logging in to Teams, the Policy is matched, despite the explicit exclusion of Teams. Reviewing the Sign In, specifically under Policy details > Assignments > Application > Microsoft Teams: we see "Matched".

In order to troubleshoot we have simplified the policy by turning off the Client apps condition. The outcome is the same.

Additionally, we have tried adding "Office 365 Exchange Online" and "Office 365 SharePoint Online" as exclusions (together with Teams). We thought this might work because there is plenty of anecdotal evidence suggesting interdependencies between these 3 apps. However, this also has not altered the outcome.

Is there any reason that excluding Teams in a Conditional Access policy does not work as it (ostensibly) ought to? 

  • AlexMM-QC
    Copper Contributor
    Same issue here.
    We want to block access to all cloud apps except Teams.
    Not working still.
    • Vladimir_Kalinichenko
      Copper Contributor
      Many thanks to IT Support account for the trick with adding Skype for Business into the exclusion list. It helped for us! Now users can open Teams via teams.microsoft.com on unmanaged devices...
      Of course, we had to add Exchange Online into the exclusions too to make Teams work.. BUT! In parallel we turned on the access control policy for unmanaged devices to "Block Access" mode directly in the SharePoint admin center, and these 2 policies work fine together. Teams web is working but there is no access to SharePoint/OneDrive and no files in the Teams Files tabs...

      It was our goal to allow Teams and Outlook but without any OneDrive/SharePoint access..
  • Yeah, the interdependencies of Teams with Exchange and SP are likely at play here. The only way this could maybe work is by setting the exclusion to be the Office 365 app, but then this is also going to negate aspects of what you are trying to achieve. Lots of other threads on this subject but no definitive solution.
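The exclusion set the replies converged on (Microsoft Teams plus the Skype for Business Online and Exchange Online resources it depends on), written out as a Microsoft Graph PowerShell policy definition so it can be reproduced and diffed instead of clicked through. This is an added example, not code from the original thread or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the first-party service principals carry the display names shown (as they appear in the Entra portal), and it uses placeholder group object IDs. The policy is created in report-only state to mirror the testing described in the post.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve app IDs at run time instead of hard-coding GUIDs. Display names assumed to match the tenant.
$excludedNames = @("Microsoft Teams", "Skype for Business Online", "Office 365 Exchange Online")
$excludedAppIds = foreach ($name in $excludedNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Top 1
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

$policyName = "Require MFA outside trusted locations (Teams excluded)"

$params = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"   # report-only, as tested in the post
    conditions  = @{
        users = @{
            includeGroups = @("<include-group-object-id>")   # placeholder
            excludeGroups = @("<exclude-group-object-id>")   # placeholder
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = $excludedAppIds
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
        # Both modern-auth client types plus Exchange ActiveSync, matching the post
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients", "exchangeActiveSync")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Read the policy back and show exactly which resource app IDs are excluded
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Applications.ExcludeApplications
```

Leave the policy in report-only mode and re-check the sign-in log entries for a Teams sign-in from an untrusted location before switching to enabled: the Policy details pane shows which resource application each token request was evaluated against, which is what reveals whether the Teams client is still hitting a resource that is not on the exclusion list. Excluding Exchange Online means Outlook from an untrusted location also escapes the MFA requirement; the SharePoint unmanaged-device block described in the reply above is a separate control and is not part of this policy.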