Exclusion of Teams from Conditional Access Policy does not work?

Copper Contributor

We want to implement a CA policy which enforces MFA when users are signing in outside our trusted networks, except for MS Teams, which users should be able to sign in to regardless of location.

We also need for ActiveSync to work.

We have configured a Policy accordingly.

In "Users and Groups" we have some users included (by Group) and others excluded (by Group).

In "Cloud apps and actions" we have Include "All cloud apps" and Exclude "Microsoft Teams".

In Conditions, under Locations, we have "Any location" with all trusted locations excluded.

In Conditions, under Client apps, we have Configured ("Yes") and the 2 checkboxes for "Modern authentication clients" are checked (including ActiveSync).

We have tested the Policy from an Untrusted location in Report-only mode. When logging in to Teams, the Policy is matched, despite the explicit exclusion of Teams. Reviewing the Sign In, specifically under Policy details > Assignments > Application > Microsoft Teams: we see "Matched".

In order to troubleshoot, we have simplified the policy by turning off the Client apps condition. The outcome is the same.

Additionally, we have tried adding "Office 365 Exchange Online" and "Office 365 SharePoint Online" as exclusions (together with Teams). We thought this might work because there is plenty of anecdotal evidence suggesting interdependencies between these 3 apps. However, this also has not altered the outcome.

Is there any reason that excluding Teams in a Conditional Access policy does not work as it (ostensibly) ought to? 

4 Replies
Yeah, the interdependencies of Teams with Exchange and SP are likely at play here. The only way this could maybe work is by setting the exclusion to be the Office 365 app, but then this is also going to negate aspects of what you are trying to achieve. Lots of other threads on this subject, but no definitive solution.

@RobertEllis 

Had the same issue today. MS Support would neither acknowledge nor deny the issue; the only solution is to exclude the "Office 365" cloud app.

For everyone that sees this, please vote for the feedback here so that this gets more awareness from MS:
Fix Conditional Access Bug, which prevents Teams to be excluded · Community (azure.com)

Same issue here.
We want to block access to all cloud apps except Teams.
Not working still.
Many thanks to the IT Support account for the trick with adding Skype for Business into the exclusion list. It helped for us! Now users can open Teams via teams.microsoft.com on unmanaged devices...
Of course, we had to add Exchange Online into the exclusions too to make Teams work.. BUT! In parallel we turned on the access control policy for unmanaged devices to "Block Access" mode directly in the SharePoint admin center, and these 2 policies work fine together. Teams web is working, but there is no access to SharePoint/OneDrive and no files in Teams file tabs...

It was our goal to allow Teams and Outlook but without any Onedrive/Sharepoint access..
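The behaviour described in the question and in the replies above (Teams "Matched" despite being excluded, fixed only by also excluding Exchange Online, SharePoint Online and Skype for Business, or the grouped "Office 365" app) follows from how Conditional Access is evaluated: once per token request, against the resource the token is for, not against the client the user typed their password into. The Teams client requests tokens for several resources during one sign-in, and an exclusion of the Teams application only covers the token whose resource is Teams. The model below is an added example written for this thread, not code from Microsoft or from any poster. The application IDs are assumed well-known first-party IDs (check them against your own sign-in logs), the set of resources a Teams sign-in requests is a constructed approximation, and the membership of the grouped Office 365 app is an assumed subset.

```python
"""Model of per-token-request Conditional Access evaluation.

Added example for the thread above; assumptions are marked in comments.
"""
from dataclasses import dataclass

# Assumed well-known first-party application IDs (verify in your tenant's
# sign-in logs; these are not taken from the thread).
TEAMS = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
SKYPE_FOR_BUSINESS = "00000004-0000-0ff1-ce00-000000000000"
ALL_APPS = "All"          # "All cloud apps" in the portal
OFFICE_365 = "Office365"  # the grouped "Office 365" app in the portal

# The grouped Office 365 app expands to many services; this is an assumed
# subset that is enough for the example.
OFFICE_365_MEMBERS = frozenset(
    {TEAMS, EXCHANGE_ONLINE, SHAREPOINT_ONLINE, SKYPE_FOR_BUSINESS})


@dataclass(frozen=True)
class Policy:
    name: str
    include_apps: frozenset
    exclude_apps: frozenset
    trusted_locations: frozenset  # named locations excluded from the policy


@dataclass(frozen=True)
class TokenRequest:
    """One token request, i.e. one row in the sign-in log."""
    client: str    # the app the user signed in to (here always Teams)
    resource: str  # the resource the token is issued for
    location: str  # named location the request came from


def expand(apps):
    """Expand the grouped Office 365 app into its member resources."""
    out = set()
    for app in apps:
        out |= OFFICE_365_MEMBERS if app == OFFICE_365 else {app}
    return frozenset(out)


def applies(policy, req):
    """True if the policy is in scope for this single token request.

    Scope is decided on req.resource, not req.client: excluding "Microsoft
    Teams" removes only the token whose resource is Teams, while the
    Exchange/SharePoint/Skype tokens the Teams client also needs still match.
    """
    if req.location in policy.trusted_locations:
        return False
    included = (ALL_APPS in policy.include_apps
                or req.resource in expand(policy.include_apps))
    excluded = req.resource in expand(policy.exclude_apps)
    return included and not excluded


def teams_sign_in(location):
    """Constructed approximation of the token requests one Teams sign-in
    generates; the real list varies by client and tenant."""
    return [TokenRequest(TEAMS, resource, location) for resource in
            (TEAMS, EXCHANGE_ONLINE, SHAREPOINT_ONLINE, SKYPE_FOR_BUSINESS)]


def matched_resources(policy, requests):
    """Resources on which the policy would show as 'Matched' in the log."""
    return [r.resource for r in requests if applies(policy, r)]


# The three exclusion sets discussed in the thread.
TEAMS_ONLY = Policy("exclude Teams only", frozenset({ALL_APPS}),
                    frozenset({TEAMS}), frozenset({"HQ"}))
WITH_DEPENDENCIES = Policy(
    "exclude Teams + Exchange + SharePoint + Skype", frozenset({ALL_APPS}),
    frozenset({TEAMS, EXCHANGE_ONLINE, SHAREPOINT_ONLINE, SKYPE_FOR_BUSINESS}),
    frozenset({"HQ"}))
OFFICE_365_EXCLUDED = Policy("exclude grouped Office 365", frozenset({ALL_APPS}),
                             frozenset({OFFICE_365}), frozenset({"HQ"}))

if __name__ == "__main__":
    for policy in (TEAMS_ONLY, WITH_DEPENDENCIES, OFFICE_365_EXCLUDED):
        for location in ("HQ", "coffee shop"):
            hits = matched_resources(policy, teams_sign_in(location))
            print(f"{policy.name:45} from {location:12}: "
                  f"{len(hits)} token request(s) matched")
```

The trade-off the last reply ran into also falls out of the model: every resource added to the exclusion list to make Teams work is a resource that any client, not just Teams, can reach from an untrusted location without MFA. Excluding SharePoint Online for Teams' sake lifts MFA from OneDrive and SharePoint sites as well, which is why the poster compensated with the unmanaged-device "Block Access" policy in the SharePoint admin center. When verifying a change, check the sign-in log rows for each resource a Teams sign-in touches, not only the row where the application is Microsoft Teams.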