'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug

Copper Contributor

Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) polices and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. Best way to demonstrate this is through examples...

 

----Example 1----

Environment:

CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)

CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc)

CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc)

SSPR registration enforcement (Password reset > Registration) - set to 'Yes'

MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'

 

Scenario:

A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2, however [App] is excluded from 1 and shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx:

securelogic_0-1701219005826.png

 

Then they see this screen, which will block the login and try to get the user to download the Company Portal app:

securelogic_1-1701219196379.png

 

While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3:

securelogic_5-1701222712879.png

securelogic_6-1701222737651.png

securelogic_7-1701222785931.png

securelogic_8-1701223071548.png

securelogic_0-1701238723661.png

 

CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.

 

 

----Example 2----

Environment:

Same as above, but SSPR registration enforcement - set to 'No'

 

Scenario:

Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx:

securelogic_2-1701219425420.png

 

Then they are directed to the combined SSPR/MFA registration experience successfully:

securelogic_3-1701219538371.png

 

The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience. 

 

 

----Workarounds----

1 - Prevent using 'All cloud apps' with device based CA policies (difficult, requires redesigning/thinking/testing policies, could introduce new gaps, etc)

2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)

3 - Disable SSPR entirely for affected users (medium depending on available security groups, and doesn't allow for affected users to use SSPR)

 

----Related links----

Be able to exclude Microsoft App Access Panel from Conditional Access · Community (azure.com)

Support conditional access for MyApps.microsoft.com · Community (azure.com)

Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microso...

 

MS, please either:

1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded

2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled

1 Reply

@secure-logic 

Thank you for the excellent write-up on this issue. We've been dealing with it for years and we weren't able to find any permanent fix other than switching to targeted apps in the Conditional Access policy. This causes many issues with the login flow for remote desktop users from personal devices with conditional access turned on.