How to exclude Microsoft App Access Panel from the Conditional Access policy?

BOIA Patricia-Daiana 61

I want a group of users only to have access to myapps and the app I created (accessible from myapps). I don't want them to have access to the AZ portal or Azure AD Powershell. What I did was to include all apps in my policy and exclude the other two. Unfortunately this way I can't access myapps too, the error is related to Microsoft App Access Panel. Can you please help me to solve it?

Thanks!

Accepted answer

Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee

2022-05-31T20:01:39.567+00:00

Hi @BOIA Patricia-Daiana ,

Currently the Microsoft App Access panel is not onboarded yet into Conditional Access policies and the product group is still working to onboard this feature. While you can select "My Apps" when setting up Conditional Access rules, myapps has an underlying dependency application that is still under development and currently cannot be excluded.

I have reached out to the product team and created a feature request to bubble this issue up with them, and have asked for an ETA. You are also welcome to create a feature request in the Ideas forum for this.

-

If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find the resolution.
Please sign in to rate this answer.

1 person found this answer helpful.
BOIA Patricia-Daiana 61 Reputation points

2022-06-01T08:44:42.313+00:00

Thank you very much for the comprehensive answer and for reaching out to the product team!

As far as you know will users with an assigned guest inviter role have the ability to do changes inside Azure AD using Powershell?

Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee

2022-06-01T19:00:25.503+00:00

Hi @BOIA Patricia-Daiana ,

Yes, users with the guest inviter role should be able to add guest users in bulk to Azure AD using Powershell, but they won't have capabilities to make changes outside of the scope of their role.

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal

Their full list of permissions is listed here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#guest-inviter

Robbie Solomon 0 Reputation points

2023-01-23T21:40:14.3166667+00:00

Can you explain when creating an SSO configuration what triggers the Microsoft App Access Panel to launch ? We have hundreds of other apps that do not launch this panel.

Sean Callahan 5 Reputation points

2024-03-18T00:17:36.7733333+00:00

Hi Marilee,

It's been 18 months. Any update on this?
Sign in to comment

2 additional answers

Jeremy Pot 16 Reputation points

2023-04-23T06:06:36.3866667+00:00

The is ridiculous that this can't be excluded! Right now, It's not possible to block all apps excluding some as it would limit the ability to setup MFA when users first sign in.
Please sign in to rate this answer.

3 people found this answer helpful.
Dan Oldenkamp 6 Reputation points

2024-01-19T20:12:40.9466667+00:00

App name: My Apps App id: 2793995e-0a7d-40d7-bd35-6968ba142197 and all associated applications: redirects to: App name: Microsoft App Access Panel Application ID: 0000000c-0000-0000-c000-000000000000 unmanagable by Conditional Access. This renders Conditional Access unable to have a block all policy excluded specific published apps. How is this not a top priority?

Čížek, Jan (KPCS CZ) 20 Reputation points

2024-02-01T15:48:57.28+00:00

It´s kinda stupid, yes.
To be honest the best I have found is to use DCToolbox to manage the policies.
https://github.com/DanielChronlund/DCToolbox
Also if you create policies using PowerShell / Graph API be advised that when creating the policy with all the specified exceptions (251 apps currently), the creation officialy fails due to timeout BUT the policy will be created most likely multiple times, so you need to do a cleanup after.
Sign in to comment
Sauer, Matt 0 Reputation points

2023-05-15T20:00:01.15+00:00

This broke all of our teams rooms as we followed the microsoft recommendations for securing the teams room login account by conditional access. It wasnt listed as one of the applications to exclude from the block policy and is not available as a selection to exclude. Fix this ASAP as it makes our teams service account vulnerable!
Please sign in to rate this answer.
Thomas Carsuzan 6 Reputation points

2023-05-16T08:03:44.9566667+00:00

Yes , we really need this feature asap to be able to block all apps except specific ones !

Čížek, Jan (KPCS CZ) 20 Reputation points

2023-10-26T11:07:42.51+00:00

Yes.... this seriously sucks. The solution that I got is to use the provided applications and specify them when creating policy. In powershell, you simply create policy and in the input JSON you specify all the apps to be targeted. This targets ALL azrue apps that can be targetted and not the "Microsoft App Access Panel" which is what is triggered when using My Apps - which can be excluded... it´s nonsense.
Sign in to comment