cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"

VTPatsFan2425
Copper Contributor

‎Sep 23 2021 09:21 AM - last edited on ‎Jan 14 2022 03:43 PM by

‎Sep 23 2021 09:21 AM - last edited on ‎Jan 14 2022 03:43 PM by

Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"

Hello Identity Experts,

 

We are expanding access to our M365 resources to Guests and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls.  We are using principles of least privilege best practices to BLOCK All Cloud Apps for Guests (With Exceptions) and REQUIRE MFA for Guests.  We've followed a number of blogs detailing the same essential set of policies / well-known identity pros:

 

https://danielchronlund.com/2020/11/26/azure-ad-conditional-access-policy-design-baseline-with-autom...

 

The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others plus require MFA for guests.  Seems pretty straightforward and again we've seen this implemented and suggested by a number of experts.  This doesn't work however and we've had a colleague test this in a separate tenant with just these two policies enabled.

 

What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal".  This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it).  Guests receive the "You don't have access to this" error with the AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure).  What is also odd is that if the Guest returns to the invitation link, they can then complete the registration.  Something is off/wrong and we're curious if anyone else has encountered this using these policies.  

 

Thanks in advance!

13K Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by VTPatsFan2425 (Copper Contributor)
BilalelHadd

‎Sep 28 2021 05:38 AM

‎Sep 28 2021 05:38 AM

Solution

Re: Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal&q

I am afraid this won't work, simply because the Microsoft App Access Panel and MyApps portals aren't available as a Cloud App within Conditional Access. There is a user voice vote available for this to be implemented: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/33689335-add-conditional-acces...

For now, I would suggest you create a policy and block applications (e.g. Azure Portal) one by one instead of blocking all applications. Also, you can configure Conditional Access App Control If you're afraid guest and external accounts will abuse (print, etc.) protected data.
0 Likes
Reply
thijoubertold

‎Sep 30 2021 08:15 AM

‎Sep 30 2021 08:15 AM

Re: Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal&q

Hi @VTPatsFan2425

 

AFAIK BilalelHadd is right, Conditionnal Access does not support these apps... 

I encountered the same issue for several of my clients. 

 

A workaround we used was simply to ... not use MyApps for the guests (as they were using only Office 365 services).

As we were using custom tool to manage the guests: we change the "inviteRedirectUrl" to avoid the redirection to MyApps. 

But that's not the ideal behavior

 

More info here: 

- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience 

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/invite-internal-users

 

0 Likes
Reply
DaveTheTeamsGuy

‎Nov 17 2022 01:43 PM - edited ‎Nov 18 2022 03:26 AM

‎Nov 17 2022 01:43 PM - edited ‎Nov 18 2022 03:26 AM

Re: Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal&q

Ran into this post researching a way to block access to everything except Teams and SPO, running into the same problem. Is the Microsoft App Access Panel still not available to exclude specifically? Picking apps we *think* might need to be blocked isn't really secure or scalable.

0 Likes
Reply
BilalelHadd

‎Nov 21 2022 11:49 PM

‎Nov 21 2022 11:49 PM

Re: Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal&q

Unfortunately, not yet; Microsoft has given the feature request the label "planned." I have no idea when they will release this.

https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
0 Likes
Reply
Rafał_Fitt

‎Jan 03 2023 03:49 AM

‎Jan 03 2023 03:49 AM

Re: Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal&q

@VTPatsFan2425 something is changing?

 

 

Preview file
165 KB
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by VTPatsFan2425 (Copper Contributor)
BilalelHadd

‎Sep 28 2021 05:38 AM

‎Sep 28 2021 05:38 AM

Solution

Re: Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal&q

I am afraid this won't work, simply because the Microsoft App Access Panel and MyApps portals aren't available as a Cloud App within Conditional Access. There is a user voice vote available for this to be implemented: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/33689335-add-conditional-acces...

For now, I would suggest you create a policy and block applications (e.g. Azure Portal) one by one instead of blocking all applications. Also, you can configure Conditional Access App Control If you're afraid guest and external accounts will abuse (print, etc.) protected data.

View solution in original post

0 Likes
Reply