Forum Discussion
Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"
Hello Identity Experts,
We are expanding access to our M365 resources to Guests and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls. We are using principles of least privilege best practices to BLOCK All Cloud Apps for Guests (With Exceptions) and REQUIRE MFA for Guests. We've followed a number of blogs detailing the same essential set of policies / well-known identity pros:
The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others plus require MFA for guests. Seems pretty straightforward and again we've seen this implemented and suggested by a number of experts. This doesn't work however and we've had a colleague test this in a separate tenant with just these two policies enabled.
What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal". This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it). Guests receive the "You don't have access to this" error with the AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure). What is also odd is that if the Guest returns to the invitation link, they can then complete the registration. Something is off/wrong and we're curious if anyone else has encountered this using these policies.
Thanks in advance!
- I am afraid this won't work, simply because the Microsoft App Access Panel and MyApps portals aren't available as a Cloud App within Conditional Access. There is a user voice vote available for this to be implemented: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/33689335-add-conditional-access-support-to-microsoft-app-ac
For now, I would suggest you create a policy and block applications (e.g. Azure Portal) one by one instead of blocking all applications. Also, you can configure Conditional Access App Control If you're afraid guest and external accounts will abuse (print, etc.) protected data.
- I am afraid this won't work, simply because the Microsoft App Access Panel and MyApps portals aren't available as a Cloud App within Conditional Access. There is a user voice vote available for this to be implemented: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/33689335-add-conditional-access-support-to-microsoft-app-ac
For now, I would suggest you create a policy and block applications (e.g. Azure Portal) one by one instead of blocking all applications. Also, you can configure Conditional Access App Control If you're afraid guest and external accounts will abuse (print, etc.) protected data. AFAIK BilalelHadd is right, Conditionnal Access does not support these apps...
I encountered the same issue for several of my clients.
A workaround we used was simply to ... not use MyApps for the guests (as they were using only Office 365 services).
As we were using custom tool to manage the guests: we change the "inviteRedirectUrl" to avoid the redirection to MyApps.
But that's not the ideal behavior
More info here:
- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience
- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/invite-internal-users
Ran into this post researching a way to block access to everything except Teams and SPO, running into the same problem. Is the Microsoft App Access Panel still not available to exclude specifically? Picking apps we *think* might need to be blocked isn't really secure or scalable.
- Unfortunately, not yet; Microsoft has given the feature request the label "planned." I have no idea when they will release this.
https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
- As this struggle bus of CA inclusions / exclusions continues to wobble down the road on 2.5 wheels, I can report that the My Apps, My Profile and Microsoft Invitation Acceptance Portals are now available to Conditional Access! Still no sign of the Microsoft App Access Panel and other blockers, but I guess this is some light at the end of the tunnel...
We need more people voting for this! -----> https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
