You can exclude using the device filter option device.mdmAppId -eq "29d9ed98-a469-4536-ade2-f981bc1d605e"...
Exclude Microsoft Authenticator App in Conditional Access Policy
Hi. I have a CAP blocking all cloud apps and excluding a few apps.
This is blocking the Microsoft Authenticator App, causing users to be unable to approve their MFA request.
I have not found a way to exclude the Microsoft Authenticator App from the Conditional Access Policy.
The workaround is to change the CAP to not include all cloud apps, but to manually select the apps to be included in the policy.
Does anyone have any ideas whether it's possible to exclude the Authenticator App from a CAP configured to include all cloud apps?
2 additional answers
-
Matt Maher 101 Reputation points
2021-06-08T16:43:36.287+00:00 Conditional Access Policies will not let you exclude 1st party applications. There is a user voice request out there to allow CAPs to distinguish the 1st party applications and allow your scenario. Could you remove the licenses to all the 1st party apps that you do not want users to get to (e.g. SharePoint, Outlook, etc.), and exclude the 1st party apps from your Block All policy? Another option you could look at is to see if Cloud App Security could do something similar, but I haven't tried that.
-
Ben Nichols 6 Reputation points
2022-07-12T12:57:07.487+00:00 I am having this issue too. I need to allow a selection of users to only access the Azure Virtual Desktop app (but require MFA). I can create a CA policy to include All Apps and Exclude Azure Virtual Desktop, with an action of Block, but the users can't then approve the MFA prompts in their Authenticator App as it blocks their access to that app. The 'Microsoft Authenticator App' can't be exempted from a CA policy (but Azure Virtual Desktop, for example, can).
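For the scenario Ben describes (block all cloud apps, allow only Azure Virtual Desktop, but still let Authenticator approvals through), the device-filter workaround quoted at the top of the thread can be expressed as a Conditional Access policy created with the Microsoft Graph PowerShell SDK. The following is an added example, not code posted by anyone in the thread or by Microsoft. It assumes the `Microsoft.Graph.Identity.SignIns` module is installed, that the account has the `Policy.ReadWrite.ConditionalAccess` permission, and that the pilot group object ID and the Azure Virtual Desktop application ID are filled in by you (both are placeholders). The `device.mdmAppId` value is the one quoted in the first reply; the example creates the policy in report-only mode so nothing is enforced until the sign-in logs confirm that Authenticator traffic is no longer caught.

```powershell
# Added example: block-all-cloud-apps CA policy with an app exclusion and a
# device-filter exclusion, created in report-only mode via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholders (assumptions) - replace with values from your tenant.
$pilotGroupId = '<object-id-of-pilot-group>'
$allowedAppId = '<application-id-of-azure-virtual-desktop>'

# mdmAppId value quoted in the first reply of the thread.
$authenticatorMdmAppId = '29d9ed98-a469-4536-ade2-f981bc1d605e'

$policy = @{
    displayName = 'Block all cloud apps except AVD (report-only pilot)'
    # Report-only: evaluated and logged, but not enforced. Switch to 'enabled'
    # only after reviewing the Conditional Access tab of the sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Scope to a pilot group first, never 'All' users for a Block policy.
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{
            includeApplications = @('All')          # "All cloud apps"
            excludeApplications = @($allowedAppId)  # the one app users may reach
        }
        clientAppTypes = @('all')
        devices      = @{
            # Devices matching the rule are excluded from the policy.
            deviceFilter = @{
                mode = 'exclude'
                rule = "device.mdmAppId -eq `"$authenticatorMdmAppId`""
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the stored device filter is what was intended.
$stored = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$stored.Conditions.Devices.DeviceFilter | Format-List Mode, Rule
$stored.Conditions.Applications | Format-List IncludeApplications, ExcludeApplications
```

Two caveats before flipping `state` to `enabled`: a device filter in `exclude` mode only exempts sign-ins from devices whose registered attributes match the rule, so sign-ins from unregistered devices are still subject to the block; and a Block policy scoped to all cloud apps can lock out administrators, so keep the pilot group small and keep a break-glass account excluded from the policy.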