Conditional Access Policy: Only allow access to a limited set of applications
We have a group of users for which we would like to limit the applications they can sign in to, using conditional access.
That should be easy with Conditional Access we thought, just block access and exclude the five applications they need. But we ran into an issue with MFA...
The users are unable to set/change their MFA settings because myaccounts.microsoft.com is also blocked and cannot be added as an excluded application.
It is not available in the GUI, and we're unable to add it using PS/Graph.
Any suggestions on how to solve this? Thanks!
4 Replies
Good question, had to try it out to see the behavior. Let me know if you find something, I will ask around as well.
bart_vermeersch I reckon the 'workaround' in the somewhat associated conversation might fix this too. Still I have asked a couple of identity/security experts about this. *update* I can now access myaccount.microsoft.com just not the 'security info' submenu. The app name now being 'My Access' in the block details (previously 'My profile' app blocked).
bart_vermeersch I've got replies and it doesn't seem possible, not now at least. When using the 'manual approach' with the apps I could access myaccount.microsoft.com and change the password, but not enter security info, always blocked at "My access" app.
- bart_vermeersch (Iron Contributor)
ChristianJBergstrom that's a bummer but thank you for asking around!
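The block-all-except policy described in the original post, as an added example that is not code from any participant in this thread: it creates the policy in report-only mode with Microsoft Graph PowerShell, then lists the app names the policy would have blocked, so blocks such as the ones reported above show up before enforcement. The group ID and application IDs are placeholders, and the display name is made up for the example.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Reports modules.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

# Placeholders (assumptions): replace with your own object and application IDs.
$restrictedGroupId = '<restricted-users-group-object-id>'
$allowedAppIds = @(
    '<allowed-app-1-app-id>'
    '<allowed-app-2-app-id>'
)

$policy = @{
    displayName   = 'Restricted users: block all except allowed apps'
    # Report-only: the policy is evaluated and logged but not enforced.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($restrictedGroupId) }
        applications   = @{
            includeApplications = @('All')
            excludeApplications = $allowedAppIds
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# After the affected users have signed in for a while, count the sign-ins
# this policy would have blocked, grouped by the app name shown in the log.
Get-MgAuditLogSignIn -Top 500 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object {
                $_.DisplayName -eq $policy.displayName -and
                $_.Result -eq 'reportOnlyFailure'
            }
    } |
    Group-Object -Property AppDisplayName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count
```

Sign-in log entries can take some time to appear, so run the query after the test users have tried both their allowed apps and the security info page.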