Problem with "exclude" user/target resource in conditional access policy

Question

Hi, I have been trying to restrict 1 user to access only 1 app on Azure Entra ID, so I use the condition access policy under security tab.

I have put the conditions as follows:

• user: userx@microsoft.com
• Target Resources: Include All cloud apps & Exclude App X
• Grant: Block access

The end result I need is to block the userx from all cloud apps except for the App X.

I test this multiple times but seems like the userx got blocked from all apps including the App X as well even though I already assign the userx to the App X

So, I am wondering why "exclude" is not working in this particular case?

Is there a possible way to achieve my requirement using conditional access? or there are other approaches?

If there are other approaches, please do guide me with the solution.

Thank you

Answer 1

You say you have put " conditions" but what you want aren't all conditions. That might just be how you've phrased it but I think you need:
Assignment: Specific user included (userx@microsoft.com)
Target Resources: Include all cloud apps, exclude App X
Grant: Block Access

Have you tried looking at the logs when the user logs in? You should be able to see exactly which conditional access policy rules get triggered and how access is being granted.
The logs are available in the portal in Conditional Access under monitoring and you can filter to a particular user. Click the entry for a details pane.

Hope this helps