I recently worked on a project to secure access to Azure AD integrated applications for external identities using conditional access.
The main goal was to grant external users access to 2 application but require Azure MFA and block access to all other applications (even new one’s that may be integrated in the near future), for example the Office 365 services.
So I created 2 conditional access policies for that scenario:
- All Guest Users + Include the 2 apps to grant access for, Allow but require Azure MFA
- All Guest Users + All apps (except the 2 apps to grant access for), Block
All works as designed and required but after testing with my guest account there, I tried to remove myself from the tenant via the Access Panel (https://myapps.microsoft.com)
But that failed due to permission error (Don’t have access to that application).
But why?
As you can see from the screen above you need to login to the foreign company again, where you are invited to. Doing so leads you to the Access Panel of that foreign company which of course is blocked because of the conditional access policy.
Sadly there is currently no application entry for the Access Panel so we cannot exclude that app from conditional access.
Currently the only way around it to not use “All apps” instead select all registered apps in the include list and build a proper manual process to include new applications that may be registered in the future.
I already reported this to the product group as an issue as this feature was introduced also because of GDPR is should be available even if I block access to all apps.
