AAD Conditional Access Policy not applying to App Registration

The_Russeller_1 6 Reputation points
2021-09-03T15:44:24.5+00:00

I have recently registered an enterprise app in my tenant which is being used by users on macOS and iOS devices to authenticate using their corporate identity. The conditions in the policy are below:

Specific users
macOS and iOS platforms
Cloud app is specified
Grant access only when authenticated with MFA

Within the AAD sign-in logs, I'm not seeing that the CAP is being applied. It looks like the conditions are not matching the application name and therefore the conditional access policy is not applied.

However...

When selecting all cloud apps in the CAP, MFA is required at sign-in and the policy shows it has been enforced, as the CAP has matched the application name. I get the same result when I select the newly registered app together with other built-in apps such as O365: the CAP is then applied.

The resource ID listed in each of the sign-ins is as shown below:

Resource
Microsoft Graph
Resource ID
00000003-0000-0000-c000-000000000000

The resource ID 00000003-0000-0000-c000-000000000000 is actually the GraphAggregatorService. I have set specific application permissions along with delegated API permissions for the app registration, but I'm still getting the same results.

Without any kind of advanced monitoring of what happens when a user attempts to sign in, and without being able to see exactly what's happening at the backend, I'm struggling to understand why the CAP to enforce MFA does not work when assigned to just this single cloud app, but does work when combined with others.

Any thoughts would be appreciated.
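The check a practitioner would run on the observation above is to compare, for each sign-in, the client `appId` with the `resourceId` the token was actually issued for, and then to test that `resourceId` against the policy's cloud-app scope: Conditional Access matches the cloud-app condition against the resource being accessed (here Microsoft Graph, 00000003-0000-0000-c000-000000000000), not against the app registration that requested the token. The script below is an added example, not code from the original post or from Microsoft; it uses the field names of the Microsoft Graph `signIn` (`auditLogs/signIns`) and `conditionalAccessPolicy` (`identity/conditionalAccess/policies`) resources, and the policy and sign-in records it contains are constructed samples with a hypothetical client app ID, not real tenant data.

```python
"""Triage Entra ID sign-in records against a Conditional Access policy's app scope.

Added example (not part of the original post). Record shapes follow the Microsoft
Graph `signIn` and `conditionalAccessPolicy` resources; all sample data below is
constructed for illustration (the client appId is hypothetical).
"""

MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
CLIENT_APP_ID = "11111111-2222-3333-4444-555555555555"          # hypothetical app registration

# Constructed policy: scoped to the client app registration (the symptom in the post).
POLICY_SINGLE_APP = {
    "displayName": "Require MFA for MobileApp",
    "state": "enabled",
    "conditions": {"applications": {"includeApplications": [CLIENT_APP_ID],
                                    "excludeApplications": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed policy: scoped to "All" cloud apps (the variant that did enforce MFA).
POLICY_ALL_APPS = {
    "displayName": "Require MFA for all apps",
    "state": "enabled",
    "conditions": {"applications": {"includeApplications": ["All"],
                                    "excludeApplications": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed sign-in record: the client app requested a token for Microsoft Graph.
SIGN_INS = [
    {
        "id": "sample-1",
        "userPrincipalName": "alice@contoso.example",
        "appId": CLIENT_APP_ID,
        "appDisplayName": "MobileApp",
        "resourceId": MS_GRAPH_RESOURCE_ID,
        "resourceDisplayName": "Microsoft Graph",
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for MobileApp", "result": "notApplied",
             "enforcedGrantControls": []},
        ],
    },
]


def policy_covers(policy, sign_in):
    """True if the policy's cloud-app condition includes the RESOURCE the token
    was issued for (sign_in['resourceId']); the client appId is not consulted,
    which is how the cloud-app condition is matched."""
    apps = policy["conditions"]["applications"]
    include = apps.get("includeApplications", [])
    exclude = apps.get("excludeApplications", [])
    resource = sign_in["resourceId"]
    if resource in exclude:
        return False
    return "All" in include or resource in include


def policy_result(policy, sign_in):
    """The per-policy evaluation result recorded in the sign-in, or 'absent'."""
    for applied in sign_in.get("appliedConditionalAccessPolicies", []):
        if applied["displayName"] == policy["displayName"]:
            return applied["result"]
    return "absent"


def triage(policy, sign_ins):
    """For each sign-in, say whether the policy scope reaches it and, when it does
    not, whether the cause is the policy targeting the client appId instead of the
    resourceId."""
    include = policy["conditions"]["applications"].get("includeApplications", [])
    findings = []
    for s in sign_ins:
        covered = policy_covers(policy, s)
        reason = "covered"
        if not covered:
            reason = ("client-app-scoped" if s["appId"] in include
                      else "resource-not-in-scope")
        findings.append({
            "id": s["id"],
            "client": f'{s["appDisplayName"]} ({s["appId"]})',
            "resource": f'{s["resourceDisplayName"]} ({s["resourceId"]})',
            "covered": covered,
            "reason": reason,
            "logged_result": policy_result(policy, s),
            "auth_requirement": s.get("authenticationRequirement"),
        })
    return findings


if __name__ == "__main__":
    for pol in (POLICY_SINGLE_APP, POLICY_ALL_APPS):
        print(pol["displayName"])
        for f in triage(pol, SIGN_INS):
            print("  ", f)
```

Run against a real export (for example the JSON from `Get-MgAuditLogSignIn` or a download of the sign-in logs), a `reason` of `client-app-scoped` on every sign-in from the app registration is the signature of the situation described in the question: the policy names the client, but every token request it makes is for Microsoft Graph, so the cloud-app condition never matches.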

1 answer

  1. Fabbris Christian 5 Reputation points
    2023-03-02T20:17:46.9+00:00

    This is an unexpected behavior that MS doesn't admit. As soon as you have an exclusion in the CAP, other applications with a specific set of Graph API permissions (I don't remember which ones, but they are 5 common API permissions) are excluded as well.
    If you select all cloud apps, everything is OK. This happens when your specific app is not selectable in the scope of the CAP.
    MS suggested adding dummy API permissions to the app, but we tried and it didn't work. I hope they will fix it soon.
