We have noticed the following bug when using a Conditional Access policy target resource exclude filter, which uses a custom security attribute. The result is the application 'Microsoft Account Controls V2' gets excluded from a conditional access policy when it should have been included. This has obvious cyber security implications as it shows a conditional access policy not applying when it should have applied. So far we have only seen it affect the application 'Microsoft Account Controls V2', but have no idea if the impact is greater.
To emulate:
1. Create a custom security attribute, with a name, data type as string, and NO predefined values. E.g. Attribute Set name: 'Test', Attribute Name: 'TestCAPolicyTags'.
2. Create a conditional access policy with the following attributes:
   - Users: Target a group of test users
   - Target Resources: All resources (formerly 'All cloud apps'). Add an exclude filter using the above custom security attribute in a rule following this syntax example:
     CustomSecurityAttribute.Test_TestCAPolicyTags -contains 'ExcludeMFA'
   - Grant: Grant Access - 'Require multifactor authentication'
The test:
Log in to https://myaccount.microsoft.com using a user from the test group configured in the policy.
What occurs:
You will see in the Entra sign-in logs that the policy applies to most applications as expected, HOWEVER, the logs show that the policy excludes the 'Microsoft Account Controls V2' application (application ID: 7eadcef8-456d-4611-9480-4fff72b8b9e2), as the resource is flagged as 'Not matched - App excluded'.
Normal behaviour with the policy is restored by removing the Target Resource exclude filter configured above. The policy then starts to match the application 'Microsoft Account Controls V2' and apply normally.
Is there anything that we could be missing that would cause this behaviour, or is this a bug?
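As an added example (not part of the question above, and not Microsoft's code), the following Python replays the exclude-filter rule against the attribute values each app actually carries and flags sign-ins where the policy reports "notApplied" for an app the filter should never have excluded. The attribute map and the sign-in records are constructed; the record field names (AppId, AppDisplayName, ConditionalAccessPolicies[].displayName/.result) and the policy name are assumptions about the sign-in log export shape.

```python
# Added example: emulates `CustomSecurityAttribute.Test_TestCAPolicyTags -contains 'ExcludeMFA'`
# and checks sign-in records against it, so an exclusion like the one reported for
# 'Microsoft Account Controls V2' (untagged, yet skipped) stands out.
POLICY_NAME = "Require MFA"  # constructed policy name

# Constructed: custom security attribute values per service principal (app ID -> values).
# Only the last app carries the 'ExcludeMFA' tag, so only it should be out of scope.
APP_ATTRIBUTES = {
    "7eadcef8-456d-4611-9480-4fff72b8b9e2": [],              # Microsoft Account Controls V2 (from the report)
    "22222222-2222-2222-2222-222222222222": [],              # constructed, untagged app
    "33333333-3333-3333-3333-333333333333": ["ExcludeMFA"],  # constructed, tagged app
}

# Constructed sign-in records; field names are an assumption about the Entra sign-in log export.
SAMPLE_SIGNINS = [
    {"AppId": "22222222-2222-2222-2222-222222222222", "AppDisplayName": "Line-of-business app",
     "ConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "success"}]},
    {"AppId": "7eadcef8-456d-4611-9480-4fff72b8b9e2", "AppDisplayName": "Microsoft Account Controls V2",
     "ConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}]},
    {"AppId": "33333333-3333-3333-3333-333333333333", "AppDisplayName": "Tagged legacy app",
     "ConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}]},
]


def exclude_filter_matches(attr_values, needle="ExcludeMFA"):
    """Emulates the `-contains 'ExcludeMFA'` rule: true only if the attribute holds the value."""
    return needle in attr_values


def should_be_excluded(app_id, attributes=APP_ATTRIBUTES):
    """An app with no attribute value at all can never match the exclude filter."""
    return exclude_filter_matches(attributes.get(app_id, []))


def unexpected_exclusions(signins, policy_name=POLICY_NAME, attributes=APP_ATTRIBUTES):
    """Sign-ins where the policy was skipped for an app the filter should not exclude."""
    findings = []
    for rec in signins:
        for pol in rec.get("ConditionalAccessPolicies", []):
            if pol.get("displayName") != policy_name or pol.get("result") != "notApplied":
                continue
            if not should_be_excluded(rec["AppId"], attributes):
                findings.append((rec["AppId"], rec["AppDisplayName"]))
    return findings


if __name__ == "__main__":
    for app_id, name in unexpected_exclusions(SAMPLE_SIGNINS):
        print(f"policy skipped unexpectedly for {name} ({app_id})")
```

Run against a real export, the only entries worth a second look are apps that show up here despite carrying none of the attribute values named in the filter.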