Exclude Microsoft first party applications in Azure conditional access policy

Brass Contributor

We have app built on Microsoft Graph resource and we have a conditional access policy that targets all cloud apps. when users sign into this app using Chrome browser on iOS they get error and prompt to use Edge. We do not want users to change the browser and tried to exclude Microsoft Graph from CA policy using all options including API but fails with the below error.


Policy contains invalid applications: unsupported firstpartyapplication.


Is there a way to exclude Microsoft Graph from the policy?

3 Replies
Same issue here for "Office 365" and "Sign Up" as applications to exclude needed. At the moment, it seems to only be allowed excluding "MgApplicationTemplate" and "MgApplication" applications.

Definitely need more flexibility for CA policies.



It needs included_applications

The policy cannot be built, in my case, as "included" applications, because there are to many ways to attack M365 with application not possible to be included, e.g. Device Registration Service (cannot be included because no app with id).