Troubleshoot Conditional access & Office app Installation Portal

cldrcc 5 Reputation points
2024-04-09T05:57:51.2833333+00:00

Dear all,

I've recently found out that all the users in my tenant could access the Microsoft Entra admin panel, despite setting the flag "Restrict access to Microsoft Entra admin center" to YES. Unprivileged users could see the list of ALL groups, ALL devices and ALL enterprise applications in my tenant.

I've found out you can completely block access to admin portals via Conditional Access, so I've set up a rule as follows:

Users:

  • INCLUDE All users in my tenant
  • EXCLUDE All administrative roles

Target resources:

  • INCLUDE Microsoft Admin Portals, Windows Azure Service Management API

Conditions: None

Access Controls: Block Access

Now, this rule has had the expected result of completely blocking unprivileged users from accessing Microsoft Entra. However, it also prevents users from accessing the Office 365 app installation portal. We are giving our users A5 Student & A5 Faculty licenses, which allow them to visit office.com and download the Office 365 installer. This redirects them to portal.office.com/account/?ref=Harmony#installs, but this link no longer works for unprivileged users.

I've tried adding Office 365, Office 365 Exchange Online, and whatever cloud app starts with "Office" to the exclusions in my target resources, but the result is still the same. Depending on the exclusions, my unprivileged users get either "404 File or directory not found", or the page loads but they get an error message saying that they are not authorized.

Is there a way to fix this?

Thanks


1 answer

Fabio Andrade 1,660 Reputation points Microsoft Employee
2024-04-09T23:25:34.9833333+00:00

Hi @cldrcc

Thanks for reaching out to Microsoft Q&A.

Have you tried leaving only the Admin Portals and removing Windows Azure Service API?

We have more information about that configuration in the documentation below; let me know if that would make sense for you.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#microsoft-admin-portals

Thanks,

Fabio
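As an added example (not code from the question, the answer or Microsoft), the policy from the question expressed in the Microsoft Graph conditionalAccessPolicy JSON shape, plus a small offline evaluator that shows which target resources each variant of the policy blocks for a user with no admin role. It assumes the "All users" scope and no conditions, lists only the Global Administrator role template in excludeRoles as a stand-in for "All administrative roles", and makes no claim about which resource the portal.office.com installs page actually requests; the point is to compare the "Admin Portals + Windows Azure Service Management API" and "Admin Portals only" versions before changing the live policy.

```python
# Added example (not from the question, the answer or Microsoft): an offline
# evaluator for Conditional Access block policies written in the Microsoft Graph
# conditionalAccessPolicy JSON shape. The ID constants are the values Graph uses.

# Values accepted in conditions.applications.includeApplications.
MICROSOFT_ADMIN_PORTALS = "MicrosoftAdminPortals"  # "Microsoft Admin Portals" cloud app
AZURE_SERVICE_MANAGEMENT_API = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
OFFICE_365 = "Office365"  # "Office 365" app group
# Role template ID for Global Administrator, used in conditions.users.excludeRoles.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def block_policy(include_apps, exclude_apps=()):
    """Policy from the question: all users, admin roles excluded, no conditions, block.

    Constructed simplification: only Global Administrator is listed in excludeRoles;
    the portal's "All administrative roles" choice expands to every role template.
    """
    return {
        "displayName": "Block admin portals for non-admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeRoles": [GLOBAL_ADMIN_ROLE]},
            "applications": {
                "includeApplications": list(include_apps),
                "excludeApplications": list(exclude_apps),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def is_blocked(policy, user_roles, app_id):
    """True if this enabled block policy applies to a sign-in to app_id by user_roles."""
    if policy["state"] != "enabled":
        return False
    if "block" not in policy["grantControls"].get("builtInControls", []):
        return False
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if "All" not in users.get("includeUsers", []):
        return False  # only the "All users" scope from the question is modelled
    if any(role in users.get("excludeRoles", []) for role in user_roles):
        return False  # an excluded role wins over the include
    if app_id in apps.get("excludeApplications", []):
        return False  # an excluded app wins over the include
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included
```

Run `is_blocked(block_policy([MICROSOFT_ADMIN_PORTALS, AZURE_SERVICE_MANAGEMENT_API]), [], AZURE_SERVICE_MANAGEMENT_API)` against `is_blocked(block_policy([MICROSOFT_ADMIN_PORTALS]), [], AZURE_SERVICE_MANAGEMENT_API)` to see the difference the answer's suggestion makes for a non-admin.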

