Jonas Hilpert
sololugan0.bsky.social
Microsoft 365 Security & Compliance enthusiast working at Swisscom Schweiz AG.
You can find more Info here: www.msb365.blog?p=5780

Have a look at case 1. Case 2 has been documented by MS in the meantime, as you discovered.

For the exclusions of policies, there are similar problems as in case 1. So if you want to exclude a single (3rd party) app from MFA, you can't in some cases.
Unveiling an unexpected behavior in ConditionalAccess: Unable to enforce controls for some Apps - MSB365
February 23, 2025 at 8:46 PM
There are other behaviours since CA has changed to protect resources instead of Apps.

For example, it's not possible anymore to exclude or include a specific app in some circumstances.
CA unfortunately is getting useless for 3rd party apps without resources within M365.
February 22, 2025 at 6:43 AM
So this probably "resolves" issue 2 described here:
www.msb365.blog?p=5780

When MS decided to change to targeting resources instead of apps, several problems were created for us & our customers. Hopefully MS will resolve these issues also on a technical level, not only by adjusting the docs.
February 5, 2025 at 11:54 AM
You can use the Grant Control of MFA together with a Sign-in frequency Session Control: Every time in the same policy which is targeting the Authentication context.
January 7, 2025 at 3:58 PM
CA Policy, Include Resources: All, Exclude: Another random App
Auth behaviour:
- Web: Applied
- Single-page application: NOT Applied
- Mobile and desktop applications: NOT Applied

This applies only to policies with GRANT Controls. Policies with Session controls are always applied.
December 19, 2024 at 8:07 AM
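An audit helper for the behaviour described in the post above, added here as an example; it is not code from the thread or from any Microsoft tooling. It walks policies in the shape returned by the Graph `conditionalAccess/policies` endpoint (here a constructed sample with made-up policy names, ids and app ids) and flags every policy that includes All resources, excludes at least one app and carries grant controls, since those are the policies whose controls the thread observed not being applied to tokens requested by apps registered with the 'Mobile and desktop applications' platform. Session-only policies are skipped because the post reports them as always applied. `fetch_policies` assumes a Graph bearer token that is allowed to read Conditional Access policies (for example `Policy.Read.All`).

```python
import json
import urllib.request

# Real Graph endpoint for listing Conditional Access policies.
GRAPH_CA_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed sample in the schema of a Graph conditionalAccessPolicy collection.
# Names, ids and app ids are invented for this example; field names are the real ones.
SAMPLE_RESPONSE = {
    "value": [
        {
            "id": "11111111-1111-1111-1111-111111111111",
            "displayName": "Require MFA for all resources",
            "state": "enabled",
            "conditions": {"applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["aaaaaaaa-0000-0000-0000-000000000001"],
            }},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
            "sessionControls": None,
        },
        {
            "id": "22222222-2222-2222-2222-222222222222",
            "displayName": "Sign-in frequency every time",
            "state": "enabled",
            "conditions": {"applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["aaaaaaaa-0000-0000-0000-000000000001"],
            }},
            "grantControls": None,
            "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}},
        },
        {
            "id": "33333333-3333-3333-3333-333333333333",
            "displayName": "Require compliant device for all resources",
            "state": "enabled",
            "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
            "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
            "sessionControls": None,
        },
        {
            "id": "44444444-4444-4444-4444-444444444444",
            "displayName": "Block a single app (report-only)",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {"applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["bbbbbbbb-0000-0000-0000-000000000002"],
            }},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
            "sessionControls": None,
        },
    ]
}


def has_grant_controls(policy):
    """True when the policy enforces any grant control (built-in, custom factor or terms of use)."""
    grant = policy.get("grantControls") or {}
    return bool(grant.get("builtInControls") or grant.get("customAuthenticationFactors")
                or grant.get("termsOfUse"))


def audit_policies(policies):
    """Return the policies matching the pattern from the thread:
    include All resources, at least one excluded app, and grant controls present.
    Session-only policies are not reported (the thread observed them as always applied)."""
    findings = []
    for policy in policies:
        apps = (policy.get("conditions") or {}).get("applications") or {}
        include = apps.get("includeApplications") or []
        exclude = apps.get("excludeApplications") or []
        if "All" in include and exclude and has_grant_controls(policy):
            findings.append({
                "policy": policy.get("displayName"),
                "id": policy.get("id"),
                "state": policy.get("state"),
                "excluded_apps": list(exclude),
                "grant_controls": list((policy.get("grantControls") or {}).get("builtInControls") or []),
            })
    return findings


def fetch_policies(access_token):
    """Fetch live policies from Graph. Assumes a bearer token able to read CA policies."""
    req = urllib.request.Request(GRAPH_CA_POLICIES_URL,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_RESPONSE["value"]):
        print(f"{finding['policy']} [{finding['state']}]: grant {finding['grant_controls']} "
              f"with {len(finding['excluded_apps'])} excluded app(s) on an All-resources policy")
```

Run it against `fetch_policies(token)` instead of the sample to review a real tenant; each finding is a policy worth re-testing with a 'Mobile and desktop applications' client before relying on its grant controls.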
More detail about the strange behaviour:
CA Policy, Include Resources: All, Exclude: None
Auth behaviour depending on platform config of the App:
- Web: Applied
- Single-page application: Applied
- Mobile and desktop applications: Applied
December 19, 2024 at 8:07 AM
Update on that one, I tested it with other app exclusions.

It seems that I can exclude any random app (tested with a custom App or even 'Report Message').

As soon as one app is excluded from the CA Policy, when getting a token for my test app, behaviour is again the same.
December 18, 2024 at 8:06 PM
When removing the excluded Microsoft Intune Enrollment App, CA & controls targeted to all resources are applied even for my test app.

Other CAs targeted to specific App still 'not included', but that seems to be expected behaviour.
December 18, 2024 at 7:55 PM
On a Desktop without PRT using HTTP Requests / PS Invoke-RestMethod & OAuth 2.0 auth code grant (without client secret or cert)

BUT: I might have found the problem: CA Policy which is targeted to all resources had one App excluded: 'Microsoft Intune Enrollment'
December 18, 2024 at 7:55 PM
After that I'm able to use the token against Graph to read information about the user or related groups, for example:
"https://graph.microsoft.com/v1.0/me/people"

With platform configuration SinglePageApp (also public client), I'm not able to do so without fulfilling the requested CA controls.
December 18, 2024 at 12:38 PM
In my test App, if the platform configuration of the app is 'Mobile and desktop applications', I'm able to get a token for the scope "People.Read","user.read" successfully without fulfilling the MFA or compliant device requirement of the CA Policy targeted to 'all resources'.
December 18, 2024 at 12:38 PM
Okay, but it's not even included in a CA requiring compliant devices (or any other control) for 'all resources' (only 'Mobile Apps and Desktop Client', not for Browser)

And why is there a difference in CA Policy evaluation between the different platforms when requesting the same scopes?
December 18, 2024 at 11:08 AM
Compliant Devices, Networks (also GSA) or even Block specific users from accessing certain apps.

Therefore #ZeroTrust and #SASE implementations with CA are not possible anymore. What am I missing?

@merill.net @markasimos.bsky.social

#MicrosoftSecurity
December 18, 2024 at 10:29 AM
This means that, until an App is configured with a platform of 'Mobile and desktop applications' and doesn't access other resources within M365 (as usual with 3rd party Apps), CA is not able (anymore?!) to enforce controls such as
December 18, 2024 at 10:29 AM
When we do the same for a SPA or Web platform, the App is included and controls are applied as expected:
December 18, 2024 at 10:29 AM
Was it really just a renaming from 'All cloud apps' to 'All resources' or are there more changes which are not mentioned?

When requesting a token for the platform 'Mobile and desktop applications' #ConditionalAccess policies are 'not applied' anymore because the app is 'excluded':
December 18, 2024 at 10:29 AM
Should not be the case for Private apps. Maybe if they are MAM managed --> you mentioned App Policy in the controls.

Device Filter would require an additional Policy which blocks Devices (Control Block) and excludes Devices with the correct enrollment profile name.
November 29, 2024 at 10:41 AM
You could work with the Grant/Compliant Device operator in CA and an enrollment restriction in Intune. This way only selected enrollment types can get a compliant state for CA.

If you use other enrollment methods for Android (MDM), maybe you could use the include Filter in CA (personal, corporate, ...)
November 29, 2024 at 6:41 AM