Conditional access not working with only scope
Occasional Visitor

I set conditional access policy to block all the app and sign-in. But if my request URL like below only contains the scope for OAuth 2.0, then it can obtain the token successfully without any block error.

But if we add openid in URL, it can pop up the block error as expected.

Could anyone help confirm if it is by design or real bug?{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6...

0 Replies