I have recently registered an enterprise app in my tenant which is being used by users on macOS and iOS devices to authenticate using their corporate identity. The conditions in the policy are below:
macOS and iOS platforms
Cloud app is specified
Grant access only when authenticated with MFA
Within the AAD sign-in logs, I'm not seeing that the CAP is being applied - it looks like the conditions are not matching with the application name and therefore the conditional access policy is not being applied.
When selecting all cloud apps in the CAP, MFA is being required at sign-in and the policy shows it's been enforced as the CAP has matched with the application name - this is also the same result when I select the newly registered app and other built-in apps such as O365 - the CAP is then being applied.
The resource ID listed in each of the sign-ins is as shown below:
The resource ID 00000003-0000-0000-c000-000000000000 is actually for the GraphAggregatorService - I have set specific application permissions along with delegated API permissions for the app registration, but I'm still receiving the same results.
Without the ability to see any kind of advanced monitoring when the users attempt to sign in, and not being able to see exactly what's happening at the backend, I'm struggling to understand why the CAP to enforce MFA does not work when just assigned to this single cloud app but does work when combined with others.
Any thoughts would be appreciated.
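As an added check that is not part of the original post: Conditional Access evaluates the "cloud app" condition against the resource a token is requested for (the resourceId recorded on the sign-in), not against the client application that asked for it, so the exported sign-in records show directly which resource each policy was matched against. The script below is my own example, written against the field names of the Microsoft Graph signIn resource (appId, resourceId, conditionalAccessStatus, appliedConditionalAccessPolicies); the sample records, the policy display name and every GUID other than Microsoft Graph's are constructed placeholders.

```python
"""Triage exported Entra ID (Azure AD) sign-in records for Conditional Access coverage.

Added example, not code from the original post. Record fields follow the Microsoft Graph
`signIn` resource. The sample records are constructed; all GUIDs except Microsoft Graph's
are placeholders.
"""
from collections import Counter, defaultdict

# Resource ID the post observed in its sign-ins: Microsoft Graph (GraphAggregatorService).
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"
# Placeholder client app IDs (assumed, not taken from the post).
CORP_APP_ID = "11111111-1111-1111-1111-111111111111"
OTHER_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
POLICY_NAME = "Require MFA - Corp App"  # assumed policy display name

SAMPLE_SIGNINS = [  # constructed records in signIn-resource shape
    {   # policy scoped to the corp app registration: evaluated, but not applied
        "id": "s1", "appId": CORP_APP_ID, "appDisplayName": "Corp Mobile App",
        "resourceId": MS_GRAPH_RESOURCE_ID, "resourceDisplayName": "Microsoft Graph",
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "notApplied"},
        ],
    },
    {   # same client, a broader "all cloud apps" policy enforced MFA instead
        "id": "s2", "appId": CORP_APP_ID, "appDisplayName": "Corp Mobile App",
        "resourceId": MS_GRAPH_RESOURCE_ID, "resourceDisplayName": "Microsoft Graph",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA - All cloud apps", "result": "success"},
        ],
    },
    {   # a different client hitting the same resource, policy enforced
        "id": "s3", "appId": OTHER_CLIENT_ID, "appDisplayName": "Other client (placeholder)",
        "resourceId": MS_GRAPH_RESOURCE_ID, "resourceDisplayName": "Microsoft Graph",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success"},
        ],
    },
]


def resources_for_client(signins, app_id):
    """Sorted set of resource IDs a client app actually requested tokens for.

    Conditional Access app targeting is matched against this resource, so if every
    sign-in from the client lands on Microsoft Graph, that is the app the policy has
    to cover, regardless of the client's own registration.
    """
    return sorted({s["resourceId"] for s in signins if s["appId"] == app_id})


def policy_result(signin, policy_name):
    """Result recorded for one named policy on one sign-in, or None if it was not evaluated."""
    for p in signin.get("appliedConditionalAccessPolicies", []):
        if p.get("displayName") == policy_name:
            return p.get("result")
    return None


def signins_not_enforced(signins, policy_name, app_id=None):
    """IDs of sign-ins (optionally only from app_id) where the named policy did not enforce.

    'success' and 'failure' both mean the policy applied (the user passed or failed the
    control); 'notApplied' or no entry at all means the conditions did not match.
    """
    return [
        s["id"] for s in signins
        if (app_id is None or s["appId"] == app_id)
        and policy_result(s, policy_name) not in ("success", "failure")
    ]


def coverage_summary(signins, policy_name):
    """Count the named policy's results per (client appId, resourceId) pair."""
    summary = defaultdict(Counter)
    for s in signins:
        key = (s["appId"], s["resourceId"])
        summary[key][policy_result(s, policy_name) or "notEvaluated"] += 1
    return {k: dict(v) for k, v in summary.items()}


if __name__ == "__main__":
    print("resources requested by corp app:", resources_for_client(SAMPLE_SIGNINS, CORP_APP_ID))
    print("sign-ins where policy did not enforce:", signins_not_enforced(SAMPLE_SIGNINS, POLICY_NAME))
    for (app, res), counts in coverage_summary(SAMPLE_SIGNINS, POLICY_NAME).items():
        print(f"client={app} resource={res} -> {counts}")
```

Run it against a real export (for example the JSON returned by the Graph auditLogs/signIns endpoint) in place of SAMPLE_SIGNINS; the (appId, resourceId) summary makes it obvious when a policy scoped to the client's own registration is being evaluated against a different resource than the one its conditions name.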