Conditional Access Policy not excluding Office 365 app

MoisesEscobar-4835 0 Reputation points
2025-02-03T19:25:53.8033333+00:00

I have some conditional access policies that check for the Network, Client apps and Target resources conditions:

AllUsers-OffNetwork-AllApps-ExcludeOffice365-DesktopMobile-12Hrs-Allow: This policy sets a 12-hour session for all apps used through mobile apps and desktop clients, excluding Office 365.

AllUsers-OffNetwork-IncludeOfficeO365-DesktopMobile-Allow: This policy uses the default rolling-window session for Office 365 only, when used with mobile apps and desktop clients.

On the "What If" page, I verified that when I set the target resource to "Office 365", the AllUsers-OnNetwork-AllApps-ExcludeOffice365-DesktopMobile-12Hrs-Allow policy is not applied.

However, when a user authenticates from the Outlook desktop client, I see both policies applied. The result is that I get the most restrictive 12-hour session instead of the desired rolling window.

Why is the AllUsers-OnNetwork-AllApps-ExcludeOffice365-DesktopMobile-12Hrs-Allow policy that excludes Office 365 being applied?

In the activity details, I see that the Application is "Microsoft Office". In the policy details, in the Resource section, the result was "Matched - All apps included".

It would seem there is an issue with the app exclusion not being honored, or is it not possible to have two mutually exclusive policies that use the "Mobile apps and desktop clients" client type to set different session lengths based on the target resource?

Has anyone run into the same problem?

Thanks in advance for your help.

Microsoft Entra ID

1 answer

  1. Sakshi Devkante 735 Reputation points Microsoft Vendor
    2025-02-04T12:32:23.1233333+00:00

    Hello @MoisesEscobar-4835

    Thank you for posting your query on Microsoft Q&A.

    Policy 1: AllUsers-OffNetwork-AllApps-ExcludeOffice365-DesktopMobile-12Hrs-Allow
    Policy 2: AllUsers-OffNetwork-IncludeOfficeO365-DesktopMobile-Allow

    This is to be expected given that you have two rules in place that contradict one another. One policy states that the Office 365 app is included, while the other excludes it. As a result, the policy that includes Office 365 will take precedence. There was no difference when Office 365 was excluded. Therefore, you can utilize a single policy with a few adjustments to make it work.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions

    I hope this clarifies things. Please contact us if you have any additional questions.


    Best regards,

    Sakshi Devkante
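As an added example (not code from the thread or from Microsoft), the following Microsoft Graph PowerShell script pulls the raw settings of the policies discussed above and the user's recent sign-in records, so that the policy definitions can be compared against what the sign-in log reports as applied. For each policy it prints the included and excluded target resources, the client app types, the excluded locations and the configured sign-in frequency; for each sign-in it prints the client application, the resource that was accessed, the client app type and every Conditional Access policy with its result and enforced session controls. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to Policy.Read.All and AuditLog.Read.All, and that `$Upn` and `$PolicyNamePattern` are placeholders to be replaced.

```powershell
# Added example: dump Conditional Access policy targets/session controls and
# the applied-policy records from the sign-in log for one user.
# Assumptions: Microsoft.Graph SDK installed; Policy.Read.All and
# AuditLog.Read.All granted; $Upn and $PolicyNamePattern are placeholders.
$Upn               = 'user@contoso.com'      # placeholder UPN
$PolicyNamePattern = 'AllUsers-O*Network-*'   # placeholder; matches the two policy names

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All'

# 1. Policy definitions. In the Graph representation the "Office 365" target
#    resource is the literal value 'Office365' in includeApplications /
#    excludeApplications, and 'All' means all resources.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -like $PolicyNamePattern } |
    ForEach-Object {
        $apps = $_.Conditions.Applications
        $sif  = $_.SessionControls.SignInFrequency   # $null when not configured
        [pscustomobject]@{
            Policy           = $_.DisplayName
            State            = $_.State
            IncludeApps      = ($apps.IncludeApplications -join ',')
            ExcludeApps      = ($apps.ExcludeApplications -join ',')
            ClientAppTypes   = ($_.Conditions.ClientAppTypes -join ',')
            ExcludeLocations = ($_.Conditions.Locations.ExcludeLocations -join ',')
            SignInFrequency  = if ($sif -and $sif.IsEnabled) {
                                   "$($sif.Value) $($sif.Type) ($($sif.FrequencyInterval))"
                               } else { 'not set (default rolling window)' }
        }
    } | Format-List

# 2. Recent sign-ins for the user: the client application (e.g. "Microsoft Office"),
#    the resource that was accessed, the client app type, and the policies the
#    service reports as applied together with their result and session controls.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 10

foreach ($s in $signIns) {
    '{0}  app={1}  resource={2}  client={3}' -f `
        $s.CreatedDateTime, $s.AppDisplayName, $s.ResourceDisplayName, $s.ClientAppUsed
    foreach ($cap in $s.AppliedConditionalAccessPolicies) {
        '    {0,-70} {1,-14} session={2}' -f `
            $cap.DisplayName, $cap.Result, ($cap.EnforcedSessionControls -join ',')
    }
}
```

The `resource=` value on each sign-in line is what the policy's Target resources condition is evaluated against, while `app=` is the client application that requested the token; comparing the two against the `IncludeApps`/`ExcludeApps` columns for each policy shows why a given sign-in matched a given policy. Policies that are configured with no sign-in frequency show `not set (default rolling window)`.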

