SOLVED

How to exclude O365 desktop apps from MFA when using Conditional Access?


Hi all.

I'm having a little trouble excluding the O365 desktop apps from my Conditional Access policy.

I have set up a policy to force MFA when accessing MS admin sites such as Azure, Exchange etc. I want this in place to protect them, of course. But since I created the policy (with only myself as a test user), I am now getting the likes of Excel failing to log in and requiring MFA to complete a login. The policy is "Include all cloud apps".

My Conditional Access policy has exclusions for "Office 365" and "Microsoft Cloud App Security" (the last was a stab in the dark). I figured that would allow the apps to bypass this policy, but I'm still having to pass MFA to allow Excel to sign in.

I'm not worried if MFA remains on OWA or any other web-based access, as they aren't used much and I'm happy for them to be MFA'd anyway.

Can anyone tell me if there is a way to exclude the desktop apps from MFA but still retain cloud protection?

Thanks,

Rich.

2 Replies
best response confirmed by rich360ctrl (Copper Contributor)
Solution
The "cloud apps" condition applies to the SaaS products, not the individual apps. To target the desktop apps, you should be using the "client apps" condition instead. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acce...
Hi Vasil

My apologies for the delayed reply.

That seems to have done the trick for me. Many thanks!
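
The distinction drawn in the accepted answer, as an added example that is not part of the original thread: a simplified model of how the "client apps" condition scopes a policy independently of the "cloud apps" condition. The policy dictionaries use the Microsoft Graph `conditionalAccessPolicy` property names; the matcher, the resource name `admin-portal` and the sign-ins are constructed assumptions, and the users condition is not modelled.

```python
# Added example: simplified model of Conditional Access condition matching.
# Policy bodies follow the Microsoft Graph conditionalAccessPolicy shape;
# the matcher and the sample sign-ins below are constructed for illustration.

def make_policy(name, client_app_types):
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # report-only while testing
        "conditions": {
            "users": {"includeUsers": ["All"]},  # not evaluated by this model
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": []},
            "clientAppTypes": client_app_types,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def policy_applies(policy, signin):
    """A policy is in scope only when every configured condition matches."""
    cond = policy["conditions"]
    apps = cond["applications"]
    included = ("All" in apps["includeApplications"]
                or signin["resource"] in apps["includeApplications"])
    excluded = signin["resource"] in apps["excludeApplications"]
    types = cond["clientAppTypes"]
    client_ok = "all" in types or signin["clientAppType"] in types
    return included and not excluded and client_ok

def mfa_required(policy, signins):
    """Map each sign-in label to whether this policy demands MFA for it."""
    wants_mfa = "mfa" in policy["grantControls"]["builtInControls"]
    return {s["label"]: wants_mfa and policy_applies(policy, s) for s in signins}

DESKTOP = "mobileAppsAndDesktopClients"
SIGNINS = [  # constructed sign-ins; resource names are placeholders
    {"label": "admin portal in browser", "resource": "admin-portal", "clientAppType": "browser"},
    {"label": "OWA in browser", "resource": "Office365", "clientAppType": "browser"},
    {"label": "Excel desktop", "resource": "Office365", "clientAppType": DESKTOP},
    {"label": "desktop client to admin resource", "resource": "admin-portal", "clientAppType": DESKTOP},
]

BEFORE = make_policy("MFA - all client apps", ["all"])
AFTER = make_policy("MFA - browser only", ["browser"])

if __name__ == "__main__":
    for policy in (BEFORE, AFTER):
        print(policy["displayName"], mfa_required(policy, SIGNINS))
```

The last constructed sign-in shows that a browser-only scope also drops the MFA requirement for desktop clients that reach admin resources, which is worth confirming in report-only mode before the policy is enforced.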