Hello @Phil M!
I have tried the CAP with All cloud apps, and I find that it does not work well.
When I narrowed down the cloud apps as per the instructions, it worked smoothly.
You can also select all Management Portals.
Also, very important to save your time, as we read:
All cloud apps
Applying a Conditional Access policy to All cloud apps results in the policy being enforced for all tokens issued to web sites and services. This option includes applications that aren't individually targetable in Conditional Access policy, such as Azure Active Directory.
In some cases, an All cloud apps policy could inadvertently block user access. These cases are excluded from policy enforcement and include:
- Services required to achieve the desired security posture. For example, device enrollment calls are excluded from compliant device policy targeted to All cloud apps.
- Calls to Azure AD Graph and MS Graph, to access user profile, group membership and relationship information that is commonly used by applications excluded from policy. The excluded scopes are listed below. Consent is still required for apps to use these permissions.
- For native clients:
  - Azure AD Graph: email, offline_access, openid, profile, User.read
  - MS Graph: User.read, People.read, and UserProfile.read
- For confidential / authenticated clients:
  - Azure AD Graph: email, offline_access, openid, profile, User.read, User.read.all, and User.readbasic.all
  - MS Graph: User.read, User.read.all, User.read.All, People.read, People.read.all, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.read
So, selecting All cloud apps is not suitable, I believe.
Finally, if you read the link below, you will see that you are quite safe to select the proposed apps and have the CAP work smoothly!
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
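The narrowed policy the answer above recommends (target the Microsoft Admin Portals app group rather than "All cloud apps"), as an added example using the Microsoft Graph PowerShell SDK; this is not code from the original answer or from Microsoft's documentation. The pilot group id, the policy name and the choice of MFA as the grant control are placeholder assumptions; the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original answer): create the narrowed Conditional
# Access policy with the Microsoft Graph PowerShell SDK.
# Assumptions (placeholders, not taken from the original post):
#   - $PilotGroupId is the object id of a pilot security group
#   - the display name and the "mfa" grant control are arbitrary choices
# Requires the Microsoft.Graph.Identity.SignIns module and an account that can
# consent to the scopes below.

Import-Module Microsoft.Graph.Identity.SignIns

# Delegated permissions needed to read applications and manage CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$PilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group

$policy = @{
    displayName = "CA - MFA for admin portals (pilot)"          # assumed name
    # Report-only first: sign-in logs show what the policy would have done
    # without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
        }
        applications = @{
            # Narrowed target: the built-in "Microsoft Admin Portals" app group
            # (the "Management Portals" choice in the portal), not "All".
            includeApplications = @("MicrosoftAdminPortals")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm the applications condition is not "All".
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Applications.IncludeApplications -contains "All") {
    Write-Warning "Policy targets All cloud apps; narrow it before enabling."
} else {
    Write-Output ("Targeted apps: " + ($check.Conditions.Applications.IncludeApplications -join ", "))
}
```

To reproduce the behaviour the answer warns about, the same body with `includeApplications = @("All")` targets every token issued in the tenant, which is why the service exclusions quoted above exist. Once the report-only sign-in logs look right for the pilot group, change `state` to `enabled` and widen the user scope; keep at least one break-glass account excluded from any policy that applies to the admin portals.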