Block all but one app in conditional access (Azure AD)

Ezeq 1 Reputation point
2020-12-03T17:01:07.3+00:00

Hi!
I'm trying to create a conditional access rule using the logic "Block all but X"; the issue arises when I try to apply this in one single Conditional Access Policy.

I created a Conditional Access Policy with the "Grant" set to "Block access", applied to "All cloud apps" excluding one specific app, and also created an "Allow Register security information" policy for these users.

The result is that new users are not able to register the required security details, and I cannot exclude the "Microsoft App Access Panel" (1) or the "O365 Suite UX" (2) because they are "UnSupportedFirstyPartyApplication" (3).

So has anyone found a way to apply restrictions following the logic of "block first, allow case by case", or do I (or we, the users) have to live with the "allow all, block selected" way? Or am I completely out of sync with the philosophy of the Conditional Access function?

  • (1) tested in early November; (2) tested today
  • (3) message obtained while using PowerShell to add the exemption condition
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2020-12-03T20:35:50.497+00:00

    Hello @Ezeq, provided the application is not a 1st party application (the ones belonging to the tenant f8cdef31-a31e-4b4a-93e4-5f571e91255a) you can apply the "block all but allow some" logic. For a list of Microsoft built-in applications supported by Conditional Access, take a look here. You can also use the Office 365 application (preview), which includes a list of key applications that can be included or excluded as a whole or on a per-application basis.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.
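The following is an added example, not code from the question or the answer above: it builds the "block all cloud apps except one" policy the thread discusses with the Microsoft Graph PowerShell SDK, and first checks whether the app you intend to exclude is owned by the Microsoft services tenant the answer names (f8cdef31-a31e-4b4a-93e4-5f571e91255a), since Conditional Access will not accept such a first-party app as an exclusion. The app ID and the emergency-access group ID are placeholders; the policy is created in report-only mode so you can review the sign-in logs before enforcing it.

```powershell
# Added example (not from the original Q&A). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications) is installed.
# $AllowedAppId and $BreakGlassGroupId are placeholders you must replace.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$MicrosoftServicesTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # owner tenant of Microsoft first-party apps
$AllowedAppId            = '00000000-0000-0000-0000-000000000000'   # appId of the one app that stays reachable (placeholder)
$BreakGlassGroupId       = '11111111-1111-1111-1111-111111111111'   # emergency-access group, always excluded (placeholder)

# 1. Check that the app can actually be excluded: a service principal whose
#    AppOwnerOrganizationId is the Microsoft services tenant is a first-party app.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AllowedAppId'"
if (-not $sp) {
    throw "No service principal for appId $AllowedAppId exists in this tenant."
}
if ($sp.AppOwnerOrganizationId -eq $MicrosoftServicesTenant) {
    throw "'$($sp.DisplayName)' is a Microsoft first-party app and cannot be excluded individually; " +
          "exclude the Office 365 suite app instead or pick a different application."
}

# 2. Block every cloud app except the allowed one, for every user except the
#    break-glass group. Without that exclusion a block-all policy can lock out
#    every administrator, including the one who created it.
$policy = @{
    DisplayName   = 'Block all cloud apps except allowed app'
    State         = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after reviewing sign-in logs
    Conditions    = @{
        Users = @{
            IncludeUsers  = @('All')
            ExcludeGroups = @($BreakGlassGroupId)
        }
        Applications = @{
            IncludeApplications = @('All')
            ExcludeApplications = @($AllowedAppId)
        }
        ClientAppTypes = @('all')   # cover browser, modern auth and legacy auth clients
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Two points a practitioner would check before flipping the state to `enabled`: Conditional Access policies are all evaluated on every sign-in and a block result wins, so a separate "allow" policy for security-info registration does not carve a hole in a block-all policy; the exclusion has to live in the blocking policy itself. And the report-only state lets you confirm in the sign-in logs which users and apps would have been blocked, which is where the first-party apps the question mentions (the access panel, the Office suite UX) will show up if your exclusions do not cover them.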

