Unable to use Azure API Connections in Conditional Access Policy

Neil Adams 0 Reputation points
2023-12-21T09:08:23.6266667+00:00

Hi-

We're trying to use wrap to publish standalone PowerApps to users' work phones. This has itself been a long process, but we have now got a published app deployed, which is being stopped by a conditional access policy.

The sign-in logs show the below error, which means we need to allow the Azure API Connections resource in the policy:

User's image

However, when you search for that app in the policy list it isn't displayed:

User's image

That search only returns anything that Azure classes as an Enterprise Application.

Does anyone know how we can enable this in the policy?

Many thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-12-22T21:20:50.8966667+00:00

    Hi @Neil Adams ,

    The Azure API connections app is by design not available for selection/exclusion in CA policy. If your policy includes "All cloud apps", the Azure API connections resource (fe053c5f-3692-4f14-aef2-ee34fc081cae) will be evaluated since this is a first party app that cannot be excluded.

    Applying a Conditional Access policy to All cloud apps will result in the policy being enforced for all tokens issued to web sites and services. This option includes applications that aren't individually targetable in Conditional Access policy, such as Microsoft Entra ID/Azure AD.

    Note that not all Microsoft Entra ID/Azure AD apps are available for selection/exclusion in Conditional Access because not all the apps are meant to have a CA policy applied directly to them. You can review this info and the list of available apps in the article "Cloud apps, actions, and authentication context in Conditional Access policy - Microsoft Entra | Microsoft Learn".

    There are two possible solutions/workarounds for your scenario:

    1. One possible solution would be to try the Filter for apps feature (Filter for applications in Conditional Access policy) to tag the Azure API connections app with a custom attribute and then exclude it from the CA policy.
    2. Another workaround for this would be to make the Conditional Access Policy more granular to not include "All cloud apps."

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
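
Added example, not part of the original answer or Microsoft's code: a small audit over exported Conditional Access policies that reports which ones will still be evaluated for the Azure API Connections resource, following the two workarounds in the answer. The sample policies, the rule text and the attribute name `ConditionalAccess_caExempt` are constructed assumptions; the field names follow the Microsoft Graph `conditionalAccessPolicy` resource.

```python
import json

# appId of the Azure API Connections resource, as given in the answer above.
API_CONNECTIONS_APP_ID = "fe053c5f-3692-4f14-aef2-ee34fc081cae"
# Hypothetical custom security attribute (set_name) tagged on that service principal.
EXEMPT_ATTRIBUTE = "ConditionalAccess_caExempt"

# Constructed sample in the shape of Graph /identity/conditionalAccess/policies output.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Require compliant device - all apps", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"],
                                   "excludeApplications": []}}},
  {"displayName": "Require compliant device - filtered", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"],
      "applicationFilter": {"mode": "exclude",
        "rule": "CustomSecurityAttribute.ConditionalAccess_caExempt -eq \\"true\\""}}}},
  {"displayName": "Require MFA - Office 365 only", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["Office365"]}}},
  {"displayName": "Old block policy", "state": "disabled",
   "conditions": {"applications": {"includeApplications": ["All"]}}}
]
""")


def evaluates_api_connections(policy, tagged_attribute=EXEMPT_ATTRIBUTE):
    """True if a non-disabled policy will be evaluated for the Azure API Connections resource."""
    if policy.get("state") == "disabled":
        return False
    apps = policy.get("conditions", {}).get("applications", {})
    # The resource cannot be picked individually, so only "All" brings it in scope.
    if "All" not in apps.get("includeApplications", []):
        return False
    flt = apps.get("applicationFilter") or {}
    # Simplification: an exclude-mode rule that names the tagged attribute counts as a
    # match; the rule's operator and value are not parsed.
    if flt.get("mode") == "exclude" and f"CustomSecurityAttribute.{tagged_attribute} " in flt.get("rule", ""):
        return False
    return True


def policies_in_scope(policies):
    """Display names of the policies that still apply to the resource."""
    return [p["displayName"] for p in policies if evaluates_api_connections(p)]


if __name__ == "__main__":
    for name in policies_in_scope(SAMPLE_POLICIES):
        print(f"Evaluated for Azure API Connections ({API_CONNECTIONS_APP_ID}):", name)
```

Policies in report-only state are listed as in scope, since they are evaluated even though they are not enforced.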
