SOLVED

Security Info blocked by conditional access

Copper Contributor

Hello,

We have a conditional access policy in place where a specific group can only access Microsoft 365 (deny all apps, except Office 365). The moment a user clicks on Security Info in My Account, the user is blocked by this policy. I cant find a way to exclude the app "My Signins" (AppId 19db86c3-b2b9-44cc-b339-36da233a3be2).

Since MFA is forced for this group, they can't change their authenticator app registration. Is there a solution for this?

Initial MFA setup works by the way.

12 Replies

@stuffie I am getting this exact same issue as of a few days ago.  Worked fine for a year before this, guessing MS have broken something.

Hey, did you ever find a way around this? Experiencing the same issue on our side too
Nope, problem still exists. Users cannot access Security Info.

Error:
"You don't have access to this
Your sign-in was successful but you don't have permission to access this resource."

@stuffie we encounter the exact same issue and we cannot exclude the app from the policy. Have you found a solution?

Nope, problem still exists.
If this is a conditional access policy that stops this, you can very well see this reflected in the sign-in logs. Can you look at this and share the information with us?
best response confirmed by stuffie (Copper Contributor)
Solution

Hello @JosvanderVaart,

we have a ca-policy in place in which all cloud apps are in scope. If the user accesses from a non-compliant device the policy blocks the access.

A few cloud apps must be able to be accessed from non-compliant devices and they get excluded from the policy. Those cloud apps also require MFA to access them.

Until this point all good. The problem is that a user accessing from an unmanaged device (he does not have a managed device) he cannot access the security-information page to activate MFA because the policy gets triggered and he gets blocked. 

In the logs the policy gets triggered for a "ghost"-app called "My Sign-in". This app cannot be found and cannot be excluded from the policy.

 

We have an open case with MS-Support on that and they confirmed this is a known issue and that currently there is no solution. On top many organizations seem to struggle with that, there is an open design request but no confirmed plans for a change.

 

Really annoying and has cost us lots of time troubleshooting it already.

@stuffie If you look at the Conditonal Access tab, you can see exactly which CA policy is causing this behavior, can you take a screenshot of this?

User is blocked by conditional access policy "All Apps - Block for [some group], except MS365".

I'm not sure what you want to accomplish with your question, because I explained this in my original post.
We are facing the same issue, "My Signins" (AppId 19db86c3-b2b9-44cc-b339-36da233a3be2) not addressable in Conditional Access. Extremly annoying, as this is blocking some internal IAM processes. MS please do something about it and make the Cloud App visible and addressable!
+1 Exactly the same issue ! Please MS, do something !
1 best response

Accepted Solutions
best response confirmed by stuffie (Copper Contributor)
Solution

Hello @JosvanderVaart,

we have a ca-policy in place in which all cloud apps are in scope. If the user accesses from a non-compliant device the policy blocks the access.

A few cloud apps must be able to be accessed from non-compliant devices and they get excluded from the policy. Those cloud apps also require MFA to access them.

Until this point all good. The problem is that a user accessing from an unmanaged device (he does not have a managed device) he cannot access the security-information page to activate MFA because the policy gets triggered and he gets blocked. 

In the logs the policy gets triggered for a "ghost"-app called "My Sign-in". This app cannot be found and cannot be excluded from the policy.

 

We have an open case with MS-Support on that and they confirmed this is a known issue and that currently there is no solution. On top many organizations seem to struggle with that, there is an open design request but no confirmed plans for a change.

 

Really annoying and has cost us lots of time troubleshooting it already.

View solution in original post