How to exclude Microsoft App Access Panel from the Conditional Access policy?

BOIA Patricia-Daiana 61 Reputation points
2022-05-31T10:39:48.567+00:00

I want a group of users only to have access to myapps and the app I created (accessible from myapps). I don't want them to have access to the AZ portal or Azure AD PowerShell. What I did was to include all apps in my policy and exclude the other two. Unfortunately, this way I can't access myapps either; the error is related to Microsoft App Access Panel. Can you please help me to solve it?

Thanks!

Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 36,801 Reputation points Microsoft Employee
    2022-05-31T20:01:39.567+00:00

    Hi @BOIA Patricia-Daiana ,

    Currently the Microsoft App Access panel is not onboarded yet into Conditional Access policies and the product group is still working to onboard this feature. While you can select "My Apps" when setting up Conditional Access rules, myapps has an underlying dependency application that is still under development and currently cannot be excluded.

    I have reached out to the product team and created a feature request to bubble this issue up with them, and have asked for an ETA. You are also welcome to create a feature request in the Ideas forum for this.

    -

    If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find the resolution.

    1 person found this answer helpful.

3 additional answers

  1. Jeremy Pot 21 Reputation points
    2023-04-23T06:06:36.3866667+00:00

    This is ridiculous that this can't be excluded! Right now, it's not possible to block all apps excluding some, as it would limit the ability to set up MFA when users first sign in.

    4 people found this answer helpful.

  2. Sauer, Matt 0 Reputation points
    2023-05-15T20:00:01.15+00:00

    This broke all of our Teams Rooms as we followed the Microsoft recommendations for securing the Teams Rooms login account by Conditional Access. It wasn't listed as one of the applications to exclude from the block policy and is not available as a selection to exclude. Fix this ASAP as it makes our Teams service account vulnerable!


  3. Ralf Larsen 0 Reputation points
    2024-06-28T12:49:08.9733333+00:00

    This is quite an old question, but one I had recently, and since custom security attributes and Conditional Access app filters went GA in February 2024, there is now a solution.

    If you create a custom security attribute, say ExcludeFromCA of type string (needs to be string for use with CA) and set predefined values for it, for instance 'true' and 'false', then you can assign the custom security attribute to the Enterprise Application "Microsoft App Access Panel" (or any other enterprise app which isn't onboarded to CA).

    In a conditional access policy with grant type Block, you can then Include: All cloud apps and on the Exclude tab set the Filter to match the custom security attribute and 'positive' value, e.g.:

    customSecurityAttributes.myAttributeSet_ExcludeFromCA -eq 'true'

    And access to the Microsoft App Access Panel will then be excluded from the block condition. The filter can be combined in the same policy with explicit application exclusions in the 'old' way for CA-onboarded apps.
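The procedure in the answer above, scripted end to end with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original thread and not Microsoft's own sample: it creates the attribute set and the string attribute with predefined values, tags the "Microsoft App Access Panel" service principal, and builds the block policy whose exclude filter uses the rule from the answer. The attribute set name `myAttributeSet`, the policy display name, and the group and application ids in angle brackets are assumptions or placeholders you replace with values from your own tenant. Assigning the attribute requires the Attribute Assignment Administrator role; defining it requires the Attribute Definition Administrator role.

```powershell
# Added example (not code from the original thread). Assumptions: attribute set
# name "myAttributeSet", policy display name, and the <...> placeholder ids.
# Prerequisite: Install-Module Microsoft.Graph

Connect-MgGraph -Scopes @(
    "CustomSecAttributeDefinition.ReadWrite.All",
    "CustomSecAttributeAssignment.ReadWrite.All",
    "Application.Read.All",
    "Policy.ReadWrite.ConditionalAccess"
)

$attributeSet  = "myAttributeSet"   # assumption: any attribute set name you choose
$attributeName = "ExcludeFromCA"    # name used in the answer above

# 1. Attribute set (the container). Created only if it does not already exist.
if (-not (Get-MgDirectoryAttributeSet -AttributeSetId $attributeSet -ErrorAction SilentlyContinue)) {
    New-MgDirectoryAttributeSet -Id $attributeSet `
        -Description "Flags consumed by Conditional Access application filters" `
        -MaxAttributesPerSet 25 | Out-Null
}

# 2. String attribute limited to the predefined values 'true' and 'false'.
#    The type must be String for the attribute to be usable in a CA filter.
$definition = @{
    attributeSet            = $attributeSet
    name                    = $attributeName
    description             = "Set to 'true' on apps that must be excluded from the block policy"
    type                    = "String"
    status                  = "Available"
    isCollection            = $false
    isSearchable            = $true
    usePreDefinedValuesOnly = $true
    allowedValues           = @(
        @{ id = "true";  isActive = $true },
        @{ id = "false"; isActive = $true }
    )
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $definition | Out-Null

# 3. Tag the enterprise application that cannot be excluded the ordinary way.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft App Access Panel'" | Select-Object -First 1
if (-not $sp) { throw "Service principal not found; check the display name under Enterprise applications." }

$attributeValues = @{ "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue" }
$attributeValues[$attributeName] = "true"
$assignment = @{ customSecurityAttributes = @{} }
$assignment.customSecurityAttributes[$attributeSet] = $attributeValues
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter $assignment

# 4. Block policy: include all cloud apps, exclude the apps the users may keep
#    (explicit exclusions, the 'old' way), and exclude anything tagged with the
#    attribute through the filter rule quoted in the answer. Starts in report-only.
$rule = "customSecurityAttributes.${attributeSet}_${attributeName} -eq 'true'"
$policy = @{
    displayName = "Block all apps except My Apps for restricted users"   # assumption
    state       = "enabledForReportingButNotEnforced"                     # switch to "enabled" after review
    conditions  = @{
        users        = @{ includeGroups = @("<restricted-users-group-object-id>") }   # placeholder
        applications = @{
            includeApplications = @("All")
            excludeApplications = @(
                "<app-id-of-your-custom-app>",   # placeholder
                "<app-id-of-My-Apps>"            # placeholder
            )
            applicationFilter   = @{ mode = "exclude"; rule = $rule }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two things worth checking before enforcing: review the report-only sign-in logs to confirm that only the intended service principal matches the filter (the filter rule text is taken from the answer; compare it with what the portal's rule builder generates for your attribute), and restrict who can assign the attribute, since anyone able to set `ExcludeFromCA = 'true'` on a service principal can lift that app out of the block policy.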

