About Setting Conditional Access Policies in Microsoft Entra ID

Microsoft

Setting up a conditional access policy for Microsoft Entra ID is often problematic because of the scope of the setting.
For example, we often see this feature used by tenant administrators to prevent a tenant member user from seeing information about other users.
However, restricting the Target Resource to the Windows Azure Service Management API for this purpose blocks access to many other functions.

We have tried to exempt the Azure Lab Service from this restriction using the Manage Custom Security Attributes feature of the application with the above restriction in place, but it doesn't seem to work.
We have verified Conditional Access through the following steps and found that it is hard to configure a policy that meets these requirements.

(1) Add the application [Azure Lab Services Portal] to Entra ID with the following command:
* New-MgServicePrincipal -AppId "835b2a73-6e10-4aa5-a979-21dfda45231c"

(2) Define "Custom security attributes" set (Attribute set name: test, attribute: ca)

(3) Set the custom security attributes value for "Azure Lab Services Portal" (value: yes)

(4) Specify the following rule for [Include] application filter in CA block policy
* CustomSecurityAttribute.test_ca -eq "yes"
-> Access to labs.azure.com was blocked. (policy applied as expected)

(5) Specify "Windows Azure Service Management API" for [Include] apps and the same rule as (4) in [Exclude] app filter in CA policy
-> Access to labs.azure.com was blocked because access to the "Windows Azure Service Management API" resource occurred.

We know that there are many applications that use [Windows Azure Service Management API] resources.
However, we believe that more users would be satisfied if it were possible to exclude only specific applications from this restriction, with the restriction set by specifying [Windows Azure Service Management API] as a target resource in the conditional access policy.

We appreciate your consideration of the above.

0 Replies
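The five steps in the post, expressed with Microsoft Graph PowerShell so the configuration can be reproduced and checked in the sign-in logs. This is an added example, not code from the post or from Microsoft; it assumes the Microsoft.Graph modules are installed, that the caller can consent to the listed scopes, that the attribute set "test" does not exist yet, and it creates the policy in report-only mode rather than enforced.

```powershell
# Added example (not from the original post): reproduce steps (1)-(5) with
# Microsoft Graph PowerShell. The CA policy is created in report-only mode so
# its effect on labs.azure.com sign-ins can be read from the sign-in logs first.
# Assumptions: Microsoft.Graph modules installed, caller holds the scopes below.
Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "CustomSecAttributeDefinition.ReadWrite.All",
                        "CustomSecAttributeAssignment.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess"

# (1) Register the Azure Lab Services Portal service principal (app ID from the post)
$labs = New-MgServicePrincipal -AppId "835b2a73-6e10-4aa5-a979-21dfda45231c"

# (2) Attribute set "test" holding a string attribute "ca"
New-MgDirectoryAttributeSet -BodyParameter @{
    id = "test"; description = "CA app-filter test"; maxAttributesPerSet = 25
} | Out-Null
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter @{
    attributeSet = "test"; name = "ca"; type = "String"; status = "Available"
    isCollection = $false; isSearchable = $true; usePreDefinedValuesOnly = $false
    description = "Marks apps to exempt from the ARM block policy"
} | Out-Null

# (3) Tag the Lab Services service principal with test/ca = "yes"
Update-MgServicePrincipal -ServicePrincipalId $labs.Id -CustomSecurityAttributes @{
    test = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        ca = "yes"
    }
}

# (5) Block Windows Azure Service Management API (well-known app ID below) for all
# users, with the filter rule from step (4) in the Exclude application filter.
# Report-only state: sign-in logs show whether the exclusion is honoured.
$armAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block ARM except attribute-tagged apps (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{
            includeApplications = @($armAppId)
            applicationFilter   = @{
                mode = "exclude"
                rule = 'CustomSecurityAttribute.test_ca -eq "yes"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

After a test sign-in to labs.azure.com, the report-only result in the Entra sign-in logs shows which resource (Lab Services Portal or Windows Azure Service Management API) the policy evaluated against, which is the behaviour the post describes in step (5).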