Forum Discussion
'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) policies and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. Best way to demonstrate this is through examples...
----Example 1----
Environment:
CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)
CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc)
CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc)
SSPR registration enforcement (Password reset > Registration) - set to 'Yes'
MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'
Scenario:
A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2; however, [App] is excluded from 1, so it shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx:
Then they see this screen, which will block the login and try to get the user to download the Company Portal app:
Meanwhile, behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3:
CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.
----Example 2----
Environment:
Same as above, but SSPR registration enforcement - set to 'No'
Scenario:
Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx:
Then they are directed to the combined SSPR/MFA registration experience successfully:
The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience.
----Workarounds----
1 - Prevent using 'All cloud apps' with device based CA policies (difficult, requires redesigning/thinking/testing policies, could introduce new gaps, etc)
2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)
3 - Disable SSPR entirely for affected users (medium depending on available security groups, and doesn't allow for affected users to use SSPR)
----Related links----
Be able to exclude Microsoft App Access Panel from Conditional Access · Community (azure.com)
Support conditional access for MyApps.microsoft.com · Community (azure.com)
MS, please either:
1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded
2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled
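Added example (not from the original post or from Microsoft): a Python triage script that, given exported Entra sign-in log records, groups requests by correlation id and flags flows like Example 1, where the user's own target app passed CA but a follow-on 'Microsoft App Access Panel' request in the same flow was blocked, naming the policies that failed on it. Field names follow the Microsoft Graph signIn resource; the sample records, user, app and policy names are constructed.

```python
import json
from collections import defaultdict

ACCESS_PANEL = "Microsoft App Access Panel"


def _sign_in(cid, upn, app, status, policy_results):
    """Build one record shaped like the Microsoft Graph signIn resource (constructed data)."""
    return {"correlationId": cid, "userPrincipalName": upn, "appDisplayName": app,
            "conditionalAccessStatus": status,
            "appliedConditionalAccessPolicies": [{"displayName": name, "result": result}
                                                 for name, result in policy_results.items()]}


# Constructed sample: flow-1 mirrors Req 1/2/3 of Example 1; flow-2 is a clean flow as in Example 2.
SAMPLE_SIGN_INS = [
    _sign_in("flow-1", "new.user@contoso.example", "Contractor Web App", "success",
             {"CA Policy 1": "notApplied", "CA Policy 2": "success"}),
    _sign_in("flow-1", "new.user@contoso.example", ACCESS_PANEL, "failure",
             {"CA Policy 1": "failure", "CA Policy 2": "success"}),
    _sign_in("flow-1", "new.user@contoso.example", ACCESS_PANEL, "failure",
             {"CA Policy 1": "failure", "CA Policy 2": "success"}),
    _sign_in("flow-2", "other.user@contoso.example", "Contractor Web App", "success",
             {"CA Policy 2": "success"}),
]


def access_panel_blocks(sign_ins):
    """Group sign-ins by correlation id and return one finding per flow in which the user's
    target app passed Conditional Access but a follow-on 'Microsoft App Access Panel' request
    in the same flow was blocked. 'blockingPolicies' lists the policies that failed on the
    Access Panel request, i.e. the 'All cloud apps' style policies the target app was excluded from."""
    flows = defaultdict(list)
    for entry in sign_ins:
        flows[entry["correlationId"]].append(entry)
    findings = []
    for cid, reqs in flows.items():
        blocked = [r for r in reqs if r["appDisplayName"] == ACCESS_PANEL
                   and r["conditionalAccessStatus"] == "failure"]
        targets = [r for r in reqs if r["appDisplayName"] != ACCESS_PANEL
                   and r["conditionalAccessStatus"] == "success"]
        if not blocked or not targets:
            continue
        culprits = sorted({p["displayName"] for r in blocked
                           for p in r["appliedConditionalAccessPolicies"]
                           if p["result"] == "failure"})
        findings.append({"correlationId": cid, "user": blocked[0]["userPrincipalName"],
                         "targetApp": targets[0]["appDisplayName"],
                         "blockingPolicies": culprits, "blockedRequests": len(blocked)})
    return findings


if __name__ == "__main__":
    print(json.dumps(access_panel_blocks(SAMPLE_SIGN_INS), indent=2))
```

To run it against real data, replace SAMPLE_SIGN_INS with the parsed JSON array from a sign-in log export; the script itself makes no network calls.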
- JC_149 (Copper Contributor): Another year and Microsoft still has not fixed this issue...
- KiO88 (Copper Contributor):
Thank you for the excellent write-up on this issue. We've been dealing with it for years and we weren't able to find any permanent fix other than switching to targeted apps in the Conditional Access policy. This causes many issues with the login flow for remote desktop users from personal devices with conditional access turned on.
- DaveTheTeamsGuy (Iron Contributor): +1, we have this same issue with other workflows, i.e. when guests need to register for MFA. Need to be able to granularly exclude apps.
- CommsGuys1855 (Copper Contributor): This is still an issue and has yet to be acknowledged by Microsoft. I strongly recommend anyone who is having the same problem to open a support case with Microsoft, reference these feedback and blog posts, escalate the case with your CSM, and submit a Design Change Request for the fix. The PG unfortunately is ignoring the feedback and blog posts, and this is the alternate path to get the issue in front of them.
It is imperative that a solution be found that either:
a.) Allows the exclusion of the ‘Microsoft App Access Panel’ application from Conditional Access policies, or
b.) Ensures the ‘Microsoft App Access Panel’ application does not appear in the Conditional Access login flow.
A few other URLs referencing the same issue:
https://feedback.azure.com/d365community/idea/d5253b08-d076-ed11-a81b-000d3adb7ffd
https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
https://feedback.azure.com/d365community/idea/b93ac618-4c0c-ef11-989a-000d3a0373f3
https://techcommunity.microsoft.com/t5/microsoft-entra/microsoft-app-access-panel-and-conditional-access-with-sspr/m-p/3995242
https://techcommunity.microsoft.com/t5/azure/microsoft-app-access-panel-requires-mfa-but-we-didn-t-enable-it/m-p/2974311
https://learn.microsoft.com/en-us/answers/questions/871216/how-to-exclude-microsoft-app-access-panel-from-the
https://techcommunity.microsoft.com/t5/microsoft-entra/conditional-access-policies-guest-access-and-the-quot-microsoft/m-p/2779133
*UPDATE July 2024* - Microsoft Support has a workaround for this issue. We followed the steps provided and now have Microsoft App Access Panel available to us as an app in Conditional Access. They asked me to not post the workaround publicly and instead advise customers to contact Microsoft support for the workaround.
- DaveTheTeamsGuy (Iron Contributor): @CommsGuys1855, can the workaround they provided apply to any service / app that gets blocked by CA?