Need Microsoft Authenticator App to be exempt from Conditional Access blocking Office 365 apps

Muhammad Shiraz Alam Khan 1 Reputation point
2021-11-18T08:37:06.447+00:00

We are rolling out an MDM_MAM solution for corporate and personally owned devices. I have created enrollment policies for Android and iOS devices; now we will ask our employees to enroll their devices via Company Portal.

What we have planned is blocking all Office 365 applications on all those devices which are not yet enrolled in our Intune (corporate and personal). Unfortunately, while doing some testing I have found that Microsoft Authenticator is also blocked along with the other Office 365 apps when I place a blockade via Conditional Access.

Is there any way that I can exempt the Microsoft Authenticator app from blocking, because we use it for MFA?


2 answers

  1. Rahul Jindal [MVP] 9,241 Reputation points MVP
    2021-11-18T17:10:42.387+00:00

    As far as I know, Authenticator is not part of 365 Apps. Here is the complete list: concept-conditional-access-cloud-apps

    What is the behavior that you have observed during your testing? Maybe use the What If tool to verify which CA policies are getting applied.

    1 person found this answer helpful.

  2. Wahé Yaghyazaryan 5 Reputation points
    2023-05-26T19:36:23.77+00:00

    I am testing a similar scenario.

    Some users should be able to register organisation Android devices in Intune, and they should only be able to start one web application (X), with all the rest blocked.

    What I have done

    1. Assign O365 licence + EMS3.
    2. Create a CA to block all apps (for those users); the exemption is set to Microsoft Intune + application (X).
    3. Users can now register their devices. They get the MFA app pushed from Intune.
    4. I have another CA that forces MFA for all apps.
    5. Everything is working fine. The user can start only application (X) with MFA.

    My problem starts when I want to activate passwordless login. The CA in point (2) is blocking the MFA application.

    This can be fixed if I can add the MFA application to the exceptions of the CA in point (2). But that option is not available at this moment.

    Any idea how to do that?

    1 person found this answer helpful.