Jun 28 2022 09:48 PM - edited Jun 28 2022 09:51 PM
Hi Folks,
I'm trying to implement a Conditional Access Policy to "Restrict All Apps" except "SharePoint" for Azure AD B2B (Guests) accounts. The idea is simple - I only want SharePoint to be accessed/shared with guests so trying to implement strict security from all possible levels in AAD (CA Policy is just one part of it).
-The CA policy targets a specific group that includes all guests
-All apps are blocked except "SharePoint"
However, when guests try to accept the invitation, the request is being blocked with the following message.
Error: You don't have access to this. Your sign-in was successful, but you don't have permission to access this resource.
Azure AD Logs says the following app (Microsoft App Access Panel) is being blocked.
So I tried to exclude it, but the CA Policy search can't find it (although it's there in the Enterprise Apps by default).
Any ideas are greatly appreciated! Thank you!
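As an added triage example (not from the original post or from Microsoft's documentation): a Python helper that reads Azure AD sign-in records in the Microsoft Graph signIn shape and tallies which applications a named Conditional Access policy blocked for guest users. This is the check a practitioner would run against report-only results before enforcing an "all apps except SharePoint" block, to surface apps such as the one named above. The log records and the policy display name are constructed samples.

```python
from collections import Counter

# Constructed sample sign-in records, trimmed to the Graph signIn fields used here.
# These are not real tenant data; UPNs and the policy name are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "guest1_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "guest", "appDisplayName": "Microsoft App Access Panel",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Guests - block all but SharePoint", "result": "failure"}]},
    {"userPrincipalName": "guest1_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "guest", "appDisplayName": "Office 365 SharePoint Online",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Guests - block all but SharePoint", "result": "notApplied"}]},
    {"userPrincipalName": "alice@fabrikam.onmicrosoft.com",
     "userType": "member", "appDisplayName": "Microsoft App Access Panel",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "guest2_example.org#EXT#@fabrikam.onmicrosoft.com",
     "userType": "guest", "appDisplayName": "Microsoft App Access Panel",
     "conditionalAccessStatus": "reportOnlyFailure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Guests - block all but SharePoint", "result": "reportOnlyFailure"}]},
]

# Policy results that mean "this policy blocked (or would block) the sign-in".
BLOCKING_RESULTS = {"failure", "reportOnlyFailure"}


def apps_blocked_by_policy(signins, policy_name):
    """Return {appDisplayName: count} of guest sign-ins the named CA policy blocked.

    Both enforced blocks ('failure') and report-only outcomes ('reportOnlyFailure')
    count, so the same tally works for a policy still in report-only mode.
    """
    counts = Counter()
    for signin in signins:
        if signin.get("userType") != "guest":
            continue  # the policy in question targets a guests-only group
        for policy in signin.get("appliedConditionalAccessPolicies", []):
            if policy.get("displayName") == policy_name and policy.get("result") in BLOCKING_RESULTS:
                counts[signin.get("appDisplayName", "<unknown app>")] += 1
    return dict(counts)


if __name__ == "__main__":
    for app, n in apps_blocked_by_policy(SAMPLE_SIGNINS, "Guests - block all but SharePoint").items():
        print(f"{n} guest sign-in(s) blocked for app: {app}")
```

Any app that appears in the output but is needed for invitation redemption or collaboration is a candidate for exclusion from the policy before it is switched from report-only to enforced.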
Jun 28 2022 11:19 PM - edited Jun 29 2022 06:06 PM
Solution
Unfortunately this seems to be an all too common issue, from what I've read and experienced so far on this scenario. Microsoft hasn't exposed all of the apps (although you have that useful option to target ALL APPS), and they seem to indicate in documentation that targeting all applications should be used sparingly, as it can and does have unintended consequences (from what I learned from my colleagues and limited web info).
If anyone has worked around this or has different thoughts, please reply with your inputs. Greatly appreciated!