How to exclude an enterprise app from conditional access policy

anonanonanon 21 Reputation points

So we have a CA policy that is designed to disallow access to Office365 cloud from non-approved devices. Specifically:

  • Applies to all users
  • Cloud app: Office365
  • Conditions: Platforms: iOS, Android; Client apps: Mobile apps and desktop clients
  • Grants: Require MFA, Require approved client app

This works great. People on iPhones, for example, have to use MS Outlook to access their O365 based email.

However, we'd like to allow some 3rd party apps to connect to Office. For example, we use Rocketbooks and I'd love to let the iOS Rocketbook app send scans to OneNote. Easy enough I thought: just add Rocketbook to the "excluded" list for cloud apps. This doesn't work. When I try to set up OneNote as a "destination" in the Rocketbook iOS app, it tells me "you can't get there from here. It looks like you're trying to open this resource with an app that hasn't been approved..."

Looking at the sign in log, under conditional access, I see a failure for the above policy. What seems (to me) to be the issue is that it finds a match under application assignments for Rocketbook. But I excluded Rocketbook, so why is it matching?

The relevant details of the failed sign in are below:

  • Failure reason: Application does not meet the conditional access approved app requirements.
  • Application: Rocketbook
  • Application ID: c538f3e2-0bd2-467b-a9b4-9894989d4db0 (this matches the enterprise application we have set up in AAD, and the app I excluded in the policy)
  • Resource: Microsoft Graph
  • Client app: Mobile Apps and Desktop clients

I also tried excluding OneNote from the policy and that doesn't work either. Am I interpreting the failure details incorrectly? The only way this makes sense to me is if the "Rocketbook" being reported in the failure log is the client app, and CA policies aren't able to target specific client apps. If that is the case, is there any other way to do this without removing the "require approved client app" requirement? I couldn't think of any way to create multiple overlapping policies to enforce the first requirement we have while allowing these kind of 3rd party client apps.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,299 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Jonathan G 26 Reputation points

    Greetings! Curious what resolution you found on this? I'm in the exact same boat, having the CA policy set for approved apps and needing to grant access for Rocketbooks also.

  2. Andy Kilgore 21 Reputation points

    Was anyone able to find a solution for this? I am running into a similar scenario where my app exclusion does not seem to actually work for "Apple Internet Accounts" (f8d98a96-0999-43f5-8af3-69971c7bb423)
    Conditional access policy requires:

    • approved client app and app protection policy.
    • Scoped to all apps
    • Set to specifically exclude "Apple Internet Accounts" (f8d98a96-0999-43f5-8af3-69971c7bb423)

    Despite this my sign in log errors clearly report this policy as blocking because the app matches the inclusion scope... does "included app" take priority over "excluded app" preventing this from working?

    0 comments No comments

  3. Samuel Miller 1 Reputation point

    Removing OBE info

    0 comments No comments

  4. Faisal Saleem 1 Reputation point

    I encountered a similar issue and upon investigation, I discovered that the application had a dependency on 'My Apps.' Even though my app was supposed to be excluded from the conditional access policy, it wasn't being excluded because of this service dependency. Therefore, I also excluded 'My Apps,' and then my conditional access policy started functioning as expected.

    So, if you notice 'My Apps' in the Application section of your sign-in logs, exclude both and it should resolve the issue.

    0 comments No comments