Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,793 questions
How do you use a conditional access policy to block end users access to Admin Portals while allowing end users to download office from portal.office.com?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 64%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBF%3C/text%3E%3C/svg%3E)
Brian Findlay
0
Reputation points
Hi wonderful people
With portal.office.com now classed as an Admin Portal: From support
How do you use a conditional access policy to block end users access to Admin Portals while allowing end users to download office from portal.office.com?
Scenario:
CAP configured to block all access to Admin portals:
User logs in to https://www.microsoft365.com/ and clicks install:
and is presented with this:
Sign in logs indicate that the Microsoft office portal is classed as an admin portal:
If the Office 365 app is added to the exclusion:
Conditional access does not fire:
but the user is then allowed through but presented with:
If I add the user to the group that is excluded from the block policy everything loads as expected.
Any guidance would be appreciated.
Brian
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 34,626 Reputation points Microsoft Employee2024-05-02T00:08:39.18+00:00 Hi @Brian Findlay , if you use an account that is excluded from the policy altogether, can it access the portal without the 404 error? It doesn't seem like a CA issue if the users are not being blocked, unless there's a different access policy being applied.
-
Brian Findlay 0 Reputation points
2024-05-02T00:36:49.9966667+00:00 @Marilee Turscak-MSFT If I add the account to the group that is excluded from this policy (group noted in first screenshot of op) the page loads correctly. But that then gives the undesired result of allowing access to other admin portals.
I am slightly baffled as to why the office download has not been moved to the new portal but kept in the old portal and now class the old portal as an "admin" portal. This all used to work with no issue until the portal changes.
Sign in to comment