Hello @Keith D ,
Thank you for reaching out. I would like to share the following details:
- Microsoft Teams is a bundle of services that depends on various other services through either late-bound or early-bound access:
  - Early-bound policy enforcement means a user must satisfy the dependent service policy before accessing the calling app. For example, a user must satisfy SharePoint policy before signing into MS Teams.
  - Late-bound policy enforcement occurs after the user signs into the calling app. Enforcement is deferred to when the calling app requests a token for the downstream service. Examples include MS Teams accessing Planner and Office.com accessing SharePoint.
- More details are available in the following documentation: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies
Since your policy is blocking SharePoint, users are also getting blocked when they access Teams, because Teams has an early-bound dependency on SharePoint, which is blocked in the Conditional Access policy you have created.
As a best practice, you should set common policies across related apps and services whenever possible. Having a consistent security posture provides you with the best user experience. For example, setting a common policy across Exchange Online, SharePoint Online, Microsoft Teams, and Skype for Business significantly reduces unexpected prompts that may arise from different policies being applied to downstream services.
I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.
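The early-bound and late-bound behaviour described in the answer above, as an added example that is not part of the original answer and is not Microsoft's evaluation engine. It is a simplified model: the dependency map contains only the pairs named in the answer, and the flattened policy shape, policy names and function names are hypothetical.

```python
# Simplified model of Conditional Access service dependencies (added example).
# Assumption: the map holds only the dependencies named in the answer above.
DEPENDENCIES = {
    "Microsoft Teams": {"SharePoint": "early", "Planner": "late"},
    "Office.com": {"SharePoint": "late"},
}

# Constructed sample policies in a flattened, hypothetical shape; user, location
# and device conditions are assumed to match the sign-in being evaluated.
SAMPLE_POLICIES = [
    {"name": "Block SharePoint", "state": "enabled",
     "apps": ["SharePoint"], "controls": ["block"]},
    {"name": "Block Planner (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "apps": ["Planner"], "controls": ["block"]},
]


def blocked_apps(policies):
    """Apps targeted by an enforced policy whose grant control is 'block'."""
    blocked = set()
    for policy in policies:
        if policy["state"] == "enabled" and "block" in policy["controls"]:
            blocked.update(policy["apps"])
    return blocked


def evaluate_sign_in(app, policies):
    """Return (sign_in_allowed, reason, downstream_blocked_after_sign_in)."""
    blocked = blocked_apps(policies)
    if app in blocked:
        return False, f"{app} is blocked directly", []
    deps = DEPENDENCIES.get(app, {})
    early = sorted(d for d, kind in deps.items() if kind == "early" and d in blocked)
    late = sorted(d for d, kind in deps.items() if kind == "late" and d in blocked)
    if early:
        return False, "early-bound dependency blocked: " + ", ".join(early), late
    return True, "sign-in allowed", late


def find_conflicts(policies):
    """List (calling_app, dependency, binding) where only the dependency is blocked."""
    blocked = blocked_apps(policies)
    return [(app, dep, kind)
            for app, deps in sorted(DEPENDENCIES.items())
            for dep, kind in sorted(deps.items())
            if dep in blocked and app not in blocked]


if __name__ == "__main__":
    for name in DEPENDENCIES:
        print(name, evaluate_sign_in(name, SAMPLE_POLICIES))
    print(find_conflicts(SAMPLE_POLICIES))
```

Running `find_conflicts` over an export of your own policies, mapped into this shape, lists the calling apps that will be affected by a block placed only on a dependency.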