Oct 18 2022 01:59 PM
I have a Conditional Access policy scoped against "All Cloud Apps", excluding "Apple Internet Accounts" (f8d98a96-0999-43f5-8af3-69971c7bb423). This policy requires an approved client app and an app protection policy in effect, among other things, and only impacts iOS and Android.
I have an iOS device, fully enrolled and compliant, which is attempting to log in using the native Apple account, and the Azure sign-in logs clearly indicate that this Conditional Access policy is blocking the sign-in because the application has matched the scope despite the exclusion. Is this a bug? It feels as though the check against the exclusion either isn't happening or is happening at a lower priority than the check for application list inclusion, thus preventing the exclusion from being possible.
Oct 18 2022 07:36 PM - edited Oct 18 2022 07:37 PM
Hi @AndyK
The iOS native Mail app is not part of either the approved client apps or the Require App Protection list, so you can't exclude it from CA.
It's added in your tenant as an Enterprise App because your users have used it to access their email before, like any other enterprise app (Acrobat, for example).
In other words, this CA grants access to the approved apps / Require App Protection apps in the list below.
Hope this helps!
Moe
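One way to confirm which identifier the policy actually matched in a case like the one above, as an added diagnostic that is not part of this thread: it assumes the Microsoft.Graph PowerShell SDK, placeholder values for the affected user and the policy's display name, and only reads the policy definition and the sign-in log.

```powershell
# Added diagnostic (not from the thread). Assumes the Microsoft.Graph PowerShell SDK
# and delegated Policy.Read.All / AuditLog.Read.All permissions.
# <user@contoso.com> and <CA policy display name> are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All" | Out-Null

$Upn           = "<user@contoso.com>"          # placeholder: affected user
$PolicyName    = "<CA policy display name>"    # placeholder: the policy in question
$ExcludedAppId = "f8d98a96-0999-43f5-8af3-69971c7bb423"  # Apple Internet Accounts (from the question)

# 1. Read the policy and show what its cloud-app condition really contains.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
$apps   = $policy.Conditions.Applications
Write-Host "Include: $($apps.IncludeApplications -join ', ')"
Write-Host "Exclude: $($apps.ExcludeApplications -join ', ')"
if ($apps.ExcludeApplications -notcontains $ExcludedAppId) {
    Write-Warning "The expected app ID is not in this policy's exclusion list."
}

# 2. For the user's recent sign-ins that this policy acted on, show both the client
#    app ID and the target resource ID. The cloud-apps condition is evaluated against
#    the resource the token is requested for, so compare both IDs against the
#    exclusion list instead of assuming the client's own app ID was what matched.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
           Where-Object { $_.ConditionalAccessStatus -eq 'failure' }
foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $PolicyName }
    if (-not $hit) { continue }
    [pscustomobject]@{
        Time             = $s.CreatedDateTime
        ClientApp        = "$($s.AppDisplayName) ($($s.AppId))"
        Resource         = "$($s.ResourceDisplayName) ($($s.ResourceId))"
        PolicyResult     = $hit.Result
        ClientExcluded   = $apps.ExcludeApplications -contains $s.AppId
        ResourceExcluded = $apps.ExcludeApplications -contains $s.ResourceId
    }
}
```

If ClientExcluded is true but ResourceExcluded is false for the blocked sign-ins, the exclusion is on an ID the policy never evaluates for that request, which explains a block that looks like the exclusion being ignored.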