Conditional Access to block all 365 apps access unless from a Trusted location, exclude Teams

Godwin Daniel 1 Reputation point

The CA is scoped for M365 apps to be blocked from any location except Trusted location, even if Teams is excluded in the app list, its still geting blocked, does this mean the list of M365 apps needs to be more granular?

A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,040 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Kael Yao-MSFT 37,586 Reputation points Microsoft Vendor

    Hi @Godwin Daniel

    I tested in my lab and found that if only excluding Teams in the conditional access policy, the user would receive an error message Your Sign-in was successful but does not meet the criteria to access this resource when logging.
    And in Azure sign-in logs, a failed login event would be logged with the error message The access policy does not allow token issuance.

    Since Teams is dependent upon multiple apps (Exchange Online, Sharepoint Online and Skype for Business Online), please consider also adding these apps to the exclude list for Teams to work correctly.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Richard Herdt 0 Reputation points

    Hi together,

    we have the same issue. We have to Block all Microsoft 365 Apps but leave Microsoft Teams open.

    How we can block the access to the Apps but can Log in to MS Teams?

    Did you know something abot the solution ?

    0 comments No comments