Conditional Access to block all 365 apps access unless from a Trusted location, exclude Teams

Godwin Daniel 1 Reputation point
2022-10-27T17:32:13.977+00:00

The CA is scoped for M365 apps to be blocked from any location except Trusted location. Even if Teams is excluded in the app list, it's still getting blocked. Does this mean the list of M365 apps needs to be more granular?

Azure Active Directory
Microsoft Teams

1 answer

  1. Kael Yao-MSFT 26,631 Reputation points Microsoft Vendor
    2022-10-28T03:35:54.483+00:00

    Hi @Godwin Daniel

    I tested in my lab and found that if only Teams is excluded in the conditional access policy, the user would receive the error message "Your Sign-in was successful but does not meet the criteria to access this resource" when logging in.
    And in the Azure sign-in logs, a failed login event would be logged with the error message "The access policy does not allow token issuance".

    Since Teams is dependent upon multiple apps (Exchange Online, SharePoint Online and Skype for Business Online), please consider also adding these apps to the exclude list for Teams to work correctly.


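The dependency problem described in the answer can be checked offline against an exported policy. The following is an added example, not code from the thread or from Microsoft: it audits a Conditional Access policy in the Microsoft Graph JSON shape and reports which Teams dependencies a block policy still covers. The sample policy is constructed, and the application IDs are assumptions to confirm against the service principals in your own tenant.

```python
import copy

# Assumed first-party app IDs; verify them in your tenant before relying on the result.
TEAMS = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
TEAMS_DEPENDENCIES = {
    "00000002-0000-0ff1-ce00-000000000000": "Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
    "00000004-0000-0ff1-ce00-000000000000": "Skype for Business Online",
}

def blocked_teams_dependencies(policy):
    """Names of Teams dependencies still blocked by a policy that excludes Teams."""
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if policy.get("state") != "enabled" or "block" not in controls:
        return []
    apps = policy["conditions"]["applications"]
    include = set(apps.get("includeApplications", []))
    exclude = set(apps.get("excludeApplications", []))
    if TEAMS not in exclude:
        return []  # the policy is not trying to carve Teams out

    def in_scope(app_id):
        if app_id in exclude:
            return False
        # "All" and the "Office365" app group both cover the dependencies.
        return bool(include & {"All", "Office365"}) or app_id in include

    return sorted(n for a, n in TEAMS_DEPENDENCIES.items() if in_scope(a))

# Constructed sample: block Office 365 outside trusted locations, Teams excluded only.
POLICY_TEAMS_ONLY = {
    "displayName": "Block M365 outside trusted locations (sample)",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["Office365"],
                         "excludeApplications": [TEAMS]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Same policy with the dependencies named in the answer also excluded.
POLICY_FIXED = copy.deepcopy(POLICY_TEAMS_ONLY)
POLICY_FIXED["conditions"]["applications"]["excludeApplications"] += list(TEAMS_DEPENDENCIES)

if __name__ == "__main__":
    print("Teams-only exclusion still blocks:", blocked_teams_dependencies(POLICY_TEAMS_ONLY))
    print("After excluding dependencies:", blocked_teams_dependencies(POLICY_FIXED))
```

Excluding Exchange Online and SharePoint Online from the block also opens mail and files from untrusted locations, so compare the widened exclusion list with what the policy was meant to protect.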