SOLVED

Conditional Access Policy: Only allow access to a limited set of applications


We have a group of users for which we would like to limit the applications they can sign in to, using Conditional Access.

That should be easy with Conditional Access, we thought: just block access and exclude the five applications they need. But we ran into an issue with MFA...

The users are unable to set/change their MFA settings because myaccounts.microsoft.com is also blocked and cannot be added as an excluded application.

It is not available in the GUI, and we're unable to add it using PS/Graph.

Any suggestions on how to solve this? Thanks!

4 Replies

Good question, had to try it out to see the behavior. Let me know if you find something, I will ask around as well.

@bart vermeersch I reckon the 'workaround' in the somewhat associated conversation might fix this too. Still, I have asked a couple of identity/security experts about this. *Update:* I can now access myaccount.microsoft.com, just not the 'security info' submenu. The app name is now 'My Access' in the block details (previously the 'My profile' app was blocked).

best response confirmed by bart vermeersch (Super Contributor)
Solution

@bart vermeersch I've got replies and it doesn't seem possible, not now at least. When using the 'manual approach' with the apps I could access myaccount.microsoft.com and change the password, but not enter security info, always blocked at "My access" app.

@ChristianJBergstrom that's a bummer, but thank you for asking around!

No worries. Will return and reply if I hear anything else (please do that too). Cheers!