Sep 23 2021
09:21 AM
- last edited on
Jan 14 2022
03:43 PM
by
TechCommunityAP
Hello Identity Experts,
We are expanding access to our M365 resources to Guests and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls. We are using principles of least privilege best practices to BLOCK All Cloud Apps for Guests (With Exceptions) and REQUIRE MFA for Guests. We've followed a number of blogs detailing the same essential set of policies / well-known identity pros:
The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others plus require MFA for guests. Seems pretty straightforward and again we've seen this implemented and suggested by a number of experts. This doesn't work however and we've had a colleague test this in a separate tenant with just these two policies enabled.
What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal". This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it). Guests receive the "You don't have access to this" error with the AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure). What is also odd is that if the Guest returns to the invitation link, they can then complete the registration. Something is off/wrong and we're curious if anyone else has encountered this using these policies.
Thanks in advance!
Sep 28 2021 05:38 AM
Solution
Sep 30 2021 08:15 AM
AFAIK BilalelHadd is right, Conditional Access does not support these apps...
I encountered the same issue for several of my clients.
A workaround we used was simply to ... not use MyApps for the guests (as they were using only Office 365 services).
As we were using a custom tool to manage the guests, we changed the "inviteRedirectUrl" to avoid the redirection to MyApps.
But that's not the ideal behavior
More info here:
- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience
- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/invite-internal-users
Nov 17 2022 01:43 PM - edited Nov 18 2022 03:26 AM
Ran into this post researching a way to block access to everything except Teams and SPO, running into the same problem. Is the Microsoft App Access Panel still not available to exclude specifically? Picking apps we *think* might need to be blocked isn't really secure or scalable.