SOLVED

Conditional Access Policy Blocks Guests users from Accepting the invitations. Unable to exclude

Iron Contributor

Hi Folks, 

 

I'm trying to implement a Conditional Access Policy to "Restrict All Apps" except "SharePoint" for Azure AD B2B (Guests) accounts. The idea is simple - I only want SharePoint to be accessed/shared with guests, so I'm trying to implement strict security at all possible levels in AAD (the CA Policy is just one part of it).

 

- The CA policy targets a specific group that includes all guests
- All apps are blocked except "SharePoint"

 

However, when guests try to accept the invitation, the request is blocked with the following message.

 


 

Error: You don't have access to this. Your sign-in was successful, but you don't have permission to access this resource.

 


 

The Azure AD sign-in logs say the following app (Microsoft App Access Panel) is being blocked.

 


 

So I tried to exclude it, but the CA Policy search can't find it (although it's there in Enterprise Apps by default).

 


Any ideas are greatly appreciated! Thank you!
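As an added example (not part of the original post), this script walks Azure AD sign-in log entries and reports which applications a given Conditional Access policy is actually blocking for guest accounts, which is the check that surfaced the "Microsoft App Access Panel" hit described above. The entries are constructed in the shape of Microsoft Graph `/auditLogs/signIns` records (only the fields read here), and the policy name is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Microsoft Graph signIns records.
# Only the fields this script reads are included; all values are made up.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "guest1_example.com#EXT#@contoso.onmicrosoft.com",
     "userType": "guest",
     "appDisplayName": "Microsoft App Access Panel",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Guests - block all apps except SharePoint",
          "result": "failure"}]},
    {"userPrincipalName": "guest1_example.com#EXT#@contoso.onmicrosoft.com",
     "userType": "guest",
     "appDisplayName": "Office 365 SharePoint Online",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Guests - block all apps except SharePoint",
          "result": "notApplied"}]},
    {"userPrincipalName": "alice@contoso.onmicrosoft.com",
     "userType": "member",
     "appDisplayName": "Microsoft App Access Panel",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
])


def blocked_apps_by_policy(signins_json, policy_name):
    """Return {appDisplayName: number of guest sign-ins blocked by policy_name}.

    A sign-in counts only when Conditional Access as a whole failed AND the
    named policy itself reports result == "failure" for that sign-in, so apps
    blocked by some other policy are not attributed to this one.
    """
    counts = defaultdict(int)
    for entry in json.loads(signins_json):
        if entry.get("userType") != "guest":
            continue
        if entry.get("conditionalAccessStatus") != "failure":
            continue
        for policy in entry.get("appliedConditionalAccessPolicies", []):
            if policy.get("displayName") == policy_name and policy.get("result") == "failure":
                counts[entry.get("appDisplayName", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    # Assumed policy name; replace with the display name of your own policy.
    for app, n in blocked_apps_by_policy(SAMPLE_SIGNINS, "Guests - block all apps except SharePoint").items():
        print(f"{app}: {n} guest sign-in(s) blocked")
```

Every app listed is one the "block all apps" policy is hitting during invitation redemption and would need an exclusion before guests can complete sign-up.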

 

1 Reply
best response confirmed by Manoj Karunarathne (Iron Contributor)
Solution

Unfortunately this seems to be an all too common issue, from what I've read and experienced so far on this scenario. Microsoft hasn't exposed all of the apps (although you have that useful option to target ALL APPS), and they seem to indicate in documentation that targeting all applications should be used sparingly as it can and does have unintended consequences (from what I learned from my colleagues and limited web info).

If anyone has worked around this or has different thoughts, please reply with your input. Greatly appreciated!
