Conditional Access Help


Hi -


Thought this would be easy but it's not. We have a group of 5 temporary employees that need to access one custom-built app in our environment. That app utilizes M365 authentication. I set up these users in a security group and want to block all access with the exclusion of this one app. The problem is, if I block Office 365, it does not allow them to log in to the custom app. They get an error that blocks them, even though the app itself is excluded. I then exclude the app and Office 365 and it allows the login. This is frustrating because we cannot allow any access to Outlook, SharePoint, OneDrive, etc. Any advice? When I try to search for just Exchange or SharePoint by itself, there are no options to select under Cloud Apps.


@Kidd_Ip Thanks, but unfortunately it doesn't appear that CA can do it.


I was able to get around some of this by creating a security group and granting a very limited F3 license. The only thing I haven't been able to block is SharePoint. The user can still navigate to our company page and see a company-based document library. I could make major changes to block it, but it shouldn't be that way and I would be nervous that I would block access to those that need it. I am hoping there is something easy. I may just have to go to PowerShell and block each user individually from each particular site, which is not ideal either.

To restate the problem:


I have a custom-built enterprise application and a CA policy that blocks Office 365. I am unable to log in with these accounts to the enterprise application. Is there a particular app that I can exclude that allows this authentication to work but doesn't grant access to Office apps?

Hello!
Hmm, this is strange, since the Office 365 cloud app includes SharePoint, OneDrive, Exchange, Teams and much more but not Entra ID, so adding Office 365 to the blocked apps list should not block sign-in via Entra ID for the users.
I have a Conditional Access policy myself where I block all apps except a custom application, and that works.

How does the authentication look to your custom app? Is it SSO or how do users sign in?

Could you share screenshots of your CA policy with sensitive information blurred out?

Cheers!
Oliwer Sundgren
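As an added illustration of the policy shape Oliwer describes (block every cloud app for one security group, exclude only the custom enterprise app), here is a Microsoft Graph PowerShell SDK script. It is not code from either poster; the group name, app display name and break-glass account UPN are placeholders you would replace with your own values. It creates the policy in report-only mode so the effect can be checked in the sign-in logs before anything is enforced.

```powershell
# Added example (not from the thread): create a Conditional Access policy that
# blocks all cloud apps for one security group except a single custom app.
# Placeholders below (group name, app name, break-glass UPN) are assumptions.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Applications, Microsoft.Graph.Users

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "Group.Read.All", "Application.Read.All", "User.Read.All"

$groupName      = "Temp Employees - App Only"   # placeholder: security group holding the 5 temps
$appDisplayName = "Custom Internal App"         # placeholder: enterprise app display name
$breakGlassUpn  = "breakglass@contoso.example"  # placeholder: emergency access account

# Resolve the security group to its object id.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# CA references an app by its appId (client id), which lives on the service principal.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

# Block policies should never reach the emergency access account.
$breakGlass = Get-MgUser -UserId $breakGlassUpn

$policy = @{
    displayName = "Block all cloud apps except $appDisplayName for temp employees"
    # Report-only first: sign-in logs show what would be blocked without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @("All")       # every cloud app, Office 365 included
            excludeApplications = @($sp.AppId)   # the one app these users may reach
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the sign-in logs (Conditional Access tab, report-only results) confirm only the
# intended traffic is affected, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

One caveat worth keeping in mind when reading the report-only results: Conditional Access is evaluated against the resource a token is requested for, not against where the user started. If the custom app itself acquires tokens for other resources (Microsoft Graph, SharePoint, Exchange) on the user's behalf, those token requests are still covered by the "All" block, and the sign-in log entry will name that resource rather than the custom app.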