This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 98%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
So we have a CA policy that is designed to disallow access to Office365 cloud from non-approved devices. Specifically:
This works great. People on iPhones, for example, have to use MS Outlook to access their O365 based email.
However, we'd like to allow some 3rd party apps to connect to Office. For example, we use Rocketbooks and I'd love to let the iOS Rocketbook app send scans to OneNote. Easy enough I thought: just add Rocketbook to the "excluded" list for cloud apps. This doesn't work. When I try to set up OneNote as a "destination" in the Rocketbook iOS app, it tells me "you can't get there from here. It looks like you're trying to open this resource with an app that hasn't been approved..."
Looking at the sign in log, under conditional access, I see a failure for the above policy. What seems (to me) to be the issue is that it finds a match under application assignments for Rocketbook. But I excluded Rocketbook, so why is it matching?
The relevant details of the failed sign in are below:
I also tried excluding OneNote from the policy and that doesn't work either. Am I interpreting the failure details incorrectly? The only way this makes sense to me is if the "Rocketbook" being reported in the failure log is the client app, and CA policies aren't able to target specific client apps. If that is the case, is there any other way to do this without removing the "require approved client app" requirement? I couldn't think of any way to create multiple overlapping policies to enforce the first requirement we have while allowing these kind of 3rd party client apps.
One additional data point... we had a similar ask to be able to connect iOS Calendars to Office. I excluded the "Apple Internet Accounts" cloud app from the policy in the OP and that worked fine. The successful sign on event shows "Apple Internet Accounts" as the application, just like "Rocketbook" shows up for the failure. Why does one work but not the other?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 13%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
@anonanonanon Thanks for posting in our Q&A.
I have not meet such a problem. Maybe this article on Conditional Access policies can explain your doubts.
In order to quickly identify the root cause. It is better to create an online support ticket to handle this issue. It is free. Here is the online support link and hope it will be resolved as soon as possible.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support
Thanks for your understanding.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 5%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
Greetings! Curious what resolution you found on this? I'm in the exact same boat, having the CA policy set for approved apps and needing to grant access for Rocketbooks also.
Unfortunately I never did figure out the solution. We just gave up on integrating rocketbook into our org. Sorry.
Yeesh, okay. Appreciate the quick response! I've actually opened a ticket with MS Support on this. Will respond if I get anywhere in case others wish try to implement this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 32%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Same situation here. Looking forward to hearing about your progress with MS. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 21%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
Hi Jonathan,
Have you been able to figure out this? I'm in the same boat :(
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 24%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
We didn't, sorry!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 96%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Without going into details beyond what I can appropriately share, I have recently been the owner on a SEV A issue for this exact topic that was also flagged as "political" since it involved a VIP at our agency on official duty - Creating an app exception in CA against "all cloud apps". It received the highest attention for a number of days and was heavily escalated. The resulting output from MSFT support (beyond the specific details needed in our case for a different app that doesn't apply here) was an acknowledgement that there is no current ability for an Entra ID admin to address these issues independently. In most cases, apps are making connections to multiple cloud resources well beyond what is represented in the customer facing logs. Additionally, in many cases app id's do not match what's shown in logging. More often than not, the actual information needed to address these issues is only available in back-end logging that is only accessible to MSFT support/PG. To address this issue you must open a support ticket for your exception that appears correct but is not working and then they will pull the logs and tell you the actual correct exception needed. If its any consolation, they have also mentioned an internal effort is already in action to improve on this limitation as they know it is not sustainable for support tickets to be the only possible solution in these situations with CA.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 75%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Was anyone able to find a solution for this? I am running into a similar scenario where my app exclusion does not seem to actually work for "Apple Internet Accounts" (f8d98a96-0999-43f5-8af3-69971c7bb423)
Conditional access policy requires:
Despite this my sign in log errors clearly report this policy as blocking because the app matches the inclusion scope... does "included app" take priority over "excluded app" preventing this from working?
Removing OBE info
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 50%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFS%3C/text%3E%3C/svg%3E)
I encountered a similar issue and upon investigation, I discovered that the application had a dependency on 'My Apps.' Even though my app was supposed to be excluded from the conditional access policy, it wasn't being excluded because of this service dependency. Therefore, I also excluded 'My Apps,' and then my conditional access policy started functioning as expected.
So, if you notice 'My Apps' in the Application section of your sign-in logs, exclude both and it should resolve the issue.