Exclusion of Teams from Conditional Access Policy does not work?

Occasional Contributor

We want to implement a CA policy which enforces MFA when users are signing in outside our trusted networks, except for MS Teams, which users should be able to Sign in to regardless of location.

We also need for ActiveSync to work.

We have configured a Policy accordingly.

In "Users and Groups" we have some users included (by Group) and others excluded (by Group).

In "Cloud apps and actions" we have Include "All cloud apps" and Exclude "Microsoft Teams".

In Conditions, under Locations, we have "Any location and all trusted locations excluded"

In Conditions, under Client apps, we have Configured ("Yes") and the 2 checkboxes for "Modern authentication clients" are checked (including ActiveSync)


We have tested the Policy from an Untrusted location in Report-only mode. When logging in to Teams, the Policy is matched, despite the explicit exclusion of Teams. Reviewing the Sign In, specifically under Policy details > Assignments > Application > Microsoft Teams: we see "Matched".


In order to troubleshoot we have simplified the policy by turning Off the Client apps configuration Condition. The outcome is the same. 


Additionally, we have tried adding "Office 365 Exchange Online" and "Office 365 SharePoint Online" as exclusions (together with Teams). We thought this might work because there is plenty of anecdotal evidence suggesting interdependencies between these 3 Apps. However, this also has not altered the outcome.


Is there any reason that excluding Teams in a Conditional Access policy does not work as it (ostensibly) ought to? 


1 Reply
Yeah the interdependencies of Teams with Exchange and SP are likely at play here. The only way this could maybe work is by setting the exclusion to be the Office 365 app, but then this is also going to negate aspects of what you are trying to achieve. Lots of other threads on this subject but no definitive solution.
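To make the reply's point concrete, here is an added illustration (not code from either poster, and not Microsoft's evaluation engine) of how a Conditional Access app exclusion is checked against the resource a token is issued for rather than the client that asks for it. The set of services a Teams session requests tokens for, and the contents of the "Office 365" app entry, are assumptions chosen to mirror the thread; the names are labels, not real application IDs.

```python
from dataclasses import dataclass

ALL = "All cloud apps"
# Assumed for illustration: the "Office 365" app entry expands to the services a
# Teams session talks to. Names are labels, not Microsoft's application IDs.
OFFICE_365 = {"Microsoft Teams", "Office 365 Exchange Online",
              "Office 365 SharePoint Online", "Skype for Business Online"}

@dataclass
class Policy:
    include_groups: set
    exclude_groups: set
    include_apps: set        # {ALL} or specific app names
    exclude_apps: set
    trusted_locations: set   # named locations the policy exempts

@dataclass
class SignIn:
    user_groups: set
    client: str              # the client that asks for the token (informational only)
    resource: str            # the cloud app the token is issued for
    location: str

def expand(apps):
    """Expand the 'Office 365' entry into its member apps (assumption above)."""
    out = set()
    for app in apps:
        out |= OFFICE_365 if app == "Office 365" else {app}
    return out

def matches(policy, s):
    """True when the policy applies: user in scope, untrusted location, and the
    *resource* is included and not excluded. The client name is never consulted."""
    if not s.user_groups & policy.include_groups or s.user_groups & policy.exclude_groups:
        return False
    if s.location in policy.trusted_locations:
        return False
    if s.resource in expand(policy.exclude_apps):
        return False
    return ALL in policy.include_apps or s.resource in expand(policy.include_apps)

def teams_session(policy, location="Home"):
    """Evaluate every token request an assumed Teams session makes; returns the
    resources for which the policy matched (and would therefore demand MFA)."""
    return sorted(r for r in OFFICE_365
                  if matches(policy, SignIn({"Staff"}, "Microsoft Teams", r, location)))

def make_policy(excluded_apps):
    """The thread's policy: all apps included, trusted location HQ exempt."""
    return Policy({"Staff"}, {"Break glass"}, {ALL}, set(excluded_apps), {"HQ"})
```

Under these assumptions excluding Teams alone still leaves the dependent resources matched, excluding Teams plus Exchange and SharePoint still leaves a remaining dependency matched, and only excluding the whole "Office 365" entry clears the Teams session; the trade-off is that an Outlook sign-in to Exchange from an untrusted location is then exempt too.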