cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Conditional Access Application Protection Exemption

AndyK
Copper Contributor

‎Oct 18 2022 01:59 PM

‎Oct 18 2022 01:59 PM

Conditional Access Application Protection Exemption

I have a conditional access policy scoped against "All Cloud Apps" - excluding "Apple Internet Accounts" (f8d98a96-0999-43f5-8af3-69971c7bb423). This policy requires approved client app and app protection policy in effect among other things and only impacts iOS and Android.

 

I have an iOS device fully enrolled and compliant which is attempting to log in using the native apple account and the azure sign-on logs clearly indicate that this conditional access policy is blocking the sign on because the application has matched the scope despite exclusion. Is this a bug? It feels as though the check against exclusion either isn't happening or is happening at lower priority than the check for application list inclusion, thus preventing exclusion from being possible.

4,191 Views
0 Likes
3 Replies
Reply
3 Replies
Moe_Kinani

‎Oct 18 2022 07:36 PM - edited ‎Oct 18 2022 07:37 PM

‎Oct 18 2022 07:36 PM - edited ‎Oct 18 2022 07:37 PM

Re: Conditional Access Application Protection Exemption

Hi @AndyK 

 

IOS native mail App is not part of either the approved client apps or the Require App Protection list, so you can’t excluded it from CA.
It’s added in your tenant as an Enterprise App because your users has used it to access their email before, like any other enterprise app (Acrobat for example).
In another word, this CA grants access to the approved apps/ Require App Protection in the list below-

Hope this helps!
Moe

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acce...

0 Likes
Reply
AndyK

‎Oct 19 2022 07:45 AM

‎Oct 19 2022 07:45 AM

Re: Conditional Access Application Protection Exemption

So is it not possible to force an approved MS application, and/or the iOS Mail, via the conditional access policies? I had built a configuration policy which effectively forced ONLY the contacts/calendar exchange sync using that and it works already... I was hoping that I could allow looser control over these sources while ensuring mail was still locked into Outlook.
0 Likes
Reply
Moe_Kinani

‎Oct 19 2022 08:31 AM

‎Oct 19 2022 08:31 AM

Re: Conditional Access Application Protection Exemption

You can’t exclude IOS mail app from Conditional Access because it is not part the Approved apps or Require App Protection lists. It’s not a bug, IOS native mail needs to be an approved app to be allowed.
So if you want use an approved apps CA, you need to push the users to use Outlook app.

Hope this answers your question!
Moe
0 Likes
Reply