SOLVED

Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"

%3CLINGO-SUB%20id%3D%22lingo-sub-2779133%22%20slang%3D%22en-US%22%3EConditional%20Access%20Policies%2C%20Guest%20Access%20and%20the%20%22Microsoft%20Invitation%20Acceptance%20Portal%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2779133%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Identity%20Experts%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20expanding%20access%20to%20our%20M365%20resources%20to%20Guests%20and%20as%20such%20we%20are%20modifying%20our%20existing%20CA%20policies%20to%20provide%20the%20appropriate%20restrictions%20and%20controls.%26nbsp%3B%20We%20are%20using%20principles%20of%20least%20privilege%20best%20practices%20to%20BLOCK%20All%20Cloud%20Apps%20for%20Guests%20(With%20Exceptions)%20and%20REQUIRE%20MFA%20for%20Guests.%26nbsp%3B%20We've%20followed%20a%20number%20of%20blogs%20detailing%20the%20same%20essential%20set%20of%20policies%20%2F%20well-known%20identity%20pros%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdanielchronlund.com%2F2020%2F11%2F26%2Fazure-ad-conditional-access-policy-design-baseline-with-automatic-deployment-support%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdanielchronlund.com%2F2020%2F11%2F26%2Fazure-ad-conditional-access-policy-design-baseline-with-automatic-deployment-support%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20idea%20is%20to%20allow%20guests%20to%20access%20Office%20365%20and%20My%20Apps%20(and%20AIP)%20but%20block%20all%20others%26nbsp%3Bplus%20require%20MFA%20for%20guests.%26nbsp%3B%20Seems%20pretty%20straightforward%20and%20again%20we've%20seen%20this%20implemented%20and%20suggested%20by%20a%20number%20of%20experts.%26nbsp%3B%20This%20doesn't%20work%20however%20and%20we've%20had%20a%20colleague%20test%20this%20in%20a%20separate%20tenant%20with%20just%20these%20two%20policies%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20happening%20is%20that%20Guests%2C%20while%20redeeming%20their%20invitation%2C%20are%20triggering%20the%20BLOCK%20All%20Cloud%20Apps%20for%20Guests%20policy%20when%20they%20access%20the%20%22Microsoft%20Invitation%20Acceptance%20Portal%22.%26nbsp%3B%20This%20App%20is%2C%20unfortunately%2C%20one%20that%20cannot%20be%20excluded%20from%20CA%20policy%20(there%20is%20no%20target%20available%20for%20it).%26nbsp%3B%20Guests%20receive%20the%20%22You%20don't%20have%20access%20to%20this%22%20error%20with%20the%20AppName%20%3D%20Microsoft%20Invitation%20Acceptance%20Portal%20and%20error%2053003%20in%20the%20AAD%20sign-in%20logs%20(along%20with%20the%20fact%20that%20the%20BLOCK%20policy%20caused%20the%20failure).%26nbsp%3B%20What%20is%20also%20odd%20is%20that%20if%20the%20Guest%20returns%20to%20the%20invitation%20link%2C%20they%20can%20then%20complete%20the%20registration.%26nbsp%3B%20Something%20is%20off%2Fwrong%20and%20we're%20curious%20if%20anyone%20else%20has%20encountered%20this%20using%20these%20policies.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2779133%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2791524%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20Policies%2C%20Guest%20Access%20and%20the%20%22Microsoft%20Invitation%20Acceptance%20Portal%26amp%3Bq%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2791524%22%20slang%3D%22en-US%22%3EI%20am%20afraid%20this%20won't%20work%2C%20simply%20because%20the%20Microsoft%20App%20Access%20Panel%20and%20MyApps%20portals%20aren't%20available%20as%20a%20Cloud%20App%20within%20Conditional%20Access.%20There%20is%20a%20user%20voice%20vote%20available%20for%20this%20to%20be%20implemented%3A%20%3CA%20href%3D%22https%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F33689335-add-conditional-access-support-to-microsoft-app-ac%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F33689335-add-conditional-access-support-to-microsoft-app-ac%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20now%2C%20I%20would%20suggest%20you%20create%20a%20policy%20and%20block%20applications%20(e.g.%20Azure%20Portal)%20one%20by%20one%20instead%20of%20blocking%20all%20applications.%20Also%2C%20you%20can%20configure%20Conditional%20Access%20App%20Control%20If%20you're%20afraid%20guest%20and%20external%20accounts%20will%20abuse%20(print%2C%20etc.)%20protected%20data.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2799648%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20Policies%2C%20Guest%20Access%20and%20the%20%22Microsoft%20Invitation%20Acceptance%20Portal%26amp%3Bq%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2799648%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F992200%22%20target%3D%22_blank%22%3E%40VTPatsFan2425%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EAFAIK%20BilalelHadd%20is%20right%2C%20Conditionnal%20Access%20does%20not%20support%20these%20apps...%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EI%20encountered%20the%20same%20issue%20for%20several%20of%20my%20clients.%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EA%20workaround%20we%20used%20was%20simply%20to%20...%20not%20use%20MyApps%20for%20the%20guests%20(as%20they%20were%20using%20only%20Office%20365%20services).%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EAs%20we%20were%20using%20custom%20tool%20to%20manage%20the%20guests%3A%20we%20change%20the%20%22%3CSPAN%3EinviteRedirectUrl%22%20to%20avoid%20the%20redirection%20to%20MyApps.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%3CSPAN%3EBut%20that's%20not%20the%20ideal%20behavior%3C%2FSPAN%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EMore%20info%20here%3A%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fexternal-identities%2Fredemption-experience%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fexternal-identities%2Fredemption-experience%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fexternal-identities%2Finvite-internal-users%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fexternal-identities%2Finvite-internal-users%3C%2FA%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hello Identity Experts,

 

We are expanding access to our M365 resources to Guests and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls.  We are using principles of least privilege best practices to BLOCK All Cloud Apps for Guests (With Exceptions) and REQUIRE MFA for Guests.  We've followed a number of blogs detailing the same essential set of policies / well-known identity pros:

 

https://danielchronlund.com/2020/11/26/azure-ad-conditional-access-policy-design-baseline-with-autom...

 

The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others plus require MFA for guests.  Seems pretty straightforward and again we've seen this implemented and suggested by a number of experts.  This doesn't work however and we've had a colleague test this in a separate tenant with just these two policies enabled.

 

What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal".  This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it).  Guests receive the "You don't have access to this" error with the AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure).  What is also odd is that if the Guest returns to the invitation link, they can then complete the registration.  Something is off/wrong and we're curious if anyone else has encountered this using these policies.  

 

Thanks in advance!

2 Replies
best response confirmed by VTPatsFan2425 (New Contributor)
Solution
I am afraid this won't work, simply because the Microsoft App Access Panel and MyApps portals aren't available as a Cloud App within Conditional Access. There is a user voice vote available for this to be implemented: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/33689335-add-conditional-acces...

For now, I would suggest you create a policy and block applications (e.g. Azure Portal) one by one instead of blocking all applications. Also, you can configure Conditional Access App Control If you're afraid guest and external accounts will abuse (print, etc.) protected data.

Hi @VTPatsFan2425

 

AFAIK BilalelHadd is right, Conditionnal Access does not support these apps... 

I encountered the same issue for several of my clients. 

 

A workaround we used was simply to ... not use MyApps for the guests (as they were using only Office 365 services).

As we were using custom tool to manage the guests: we change the "inviteRedirectUrl" to avoid the redirection to MyApps. 

But that's not the ideal behavior

 

More info here: 

- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience 

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/invite-internal-users