Exclusion of Teams from Conditional Access Policy does not work?

Copper Contributor

We want to implement a CA policy which enforces MFA when users are signing in outside our trusted networks, except for MS Teams, which users should be able to Sign in to regardless of location.

We also need for ActiveSync to work.

We have configured a Policy accordingly.

In "Users and Groups" we have some users included (by Group) and others excluded (by Group)

In "Clouds app and actions" we have Include "All cloud apps" and Exclude "Microsoft Teams"

In Conditions, under Locations, we have "Any location and all trusted locations excluded"

In Conditions, under Client apps, we have Configured ("Yes") and the 2 checkboxes for "Modern authentication clients" are checked (including ActiveSync)

 

We have tested the Policy from an Untrusted location in Report-only mode. When logging in to Teams, the Policy is matched, despite the explicit exclusion of Teams. Reviewing the Sign In, specifically under Policy details > Assignments > Application > Microsoft Teams: we see "Matched".

 

In order to troubleshoot we have simplified the policy by turning Off the Client apps configuration Condition. The outcome is the same. 

 

Additionally, we have tried adding "Office 365 Exchange Online" and "Office 365 SharePoint Online" as exclusions (together with Teams). We though this might work because there is plenty of anecdotal evidence suggesting interdependencies between these 3 Apps. However, this also has not altered the outcome.

 

Is there any reason that excluding Teams in a Conditional Access policy does not work as it (ostensibly) ought to? 

 

 

 

 

5 Replies
Yeah the interdependencies of Teams with Exchange and SP are likely at play here. The only way this could maybe work is by setting the exclusion to be the Office 365 app, but then this is also going to negate aspects of what you are trying to achieve. Lot's of other threads on this subject but no definitive solution.

@RobertEllis 

Had the same Issue today, MS Support would neither acknowledge or deny the issue, only solution is to Exclude "Office 365" Cloud App.

For everyone that sees this, please vote for the Feedback here that this gets more awareness from MS:
Fix Conditional Access Bug, wich prevents Teams to be excluded · Community (azure.com)

Same issue here.
We want t block access to all cloud apps except Teams.
Not working still.
Many thanks to IT Support account for the trick with adding Skype for Business into exclusion list. It helped for us! Now users can open Teams via teams.microsoft. com on unmanaged devices...
Of course, we had to add Exchange Online into exclusions too to make Teams working.. BUT! In the parralel we turn on access control policy for Unmanaged devices to "Block Access" mode directly in Sharepoint admin center and these 2 policies works fine together. Teams web is working but there is no access to Sharepoint/Onedrive and no files in Teams file tabs...

It was our goal to allow Teams and Outlook but without any Onedrive/Sharepoint access..

@Vladimir_Kalinichenko Can you please share with us exactly what you did to achieve this?  It's no longer working for us.