Forum Discussion
secure-logic
Nov 29, 2023 | Copper Contributor
'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is n...
DaveTheTeamsGuy
May 29, 2024 | Iron Contributor
+1, we have this same issue with other workflows, i.e. when guests need to register for MFA. Need to be able to granularly exclude apps.
- CommsGuys1855 | Jul 15, 2024 | Copper Contributor
This is still an issue and has yet to be acknowledged by Microsoft. I strongly recommend anyone who is having the same problem to open a support case with Microsoft, reference these feedback and blog posts, escalate the case with your CSM, and submit a Design Change Request for the fix. The PG unfortunately is ignoring the feedback and blog posts, and this is the alternate path to get the issue in front of them.
It is imperative that a solution be found that either:
a.) Allows the exclusion of the ‘Microsoft App Access Panel’ application from Conditional Access policies, or
b.) Ensures the ‘Microsoft App Access Panel’ application does not appear in the Conditional Access login flow.
A few other URLs referencing the same issue:
https://feedback.azure.com/d365community/idea/d5253b08-d076-ed11-a81b-000d3adb7ffd
https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
https://feedback.azure.com/d365community/idea/b93ac618-4c0c-ef11-989a-000d3a0373f3
https://techcommunity.microsoft.com/t5/microsoft-entra/microsoft-app-access-panel-and-conditional-access-with-sspr/m-p/3995242
https://techcommunity.microsoft.com/t5/azure/microsoft-app-access-panel-requires-mfa-but-we-didn-t-enable-it/m-p/2974311
https://learn.microsoft.com/en-us/answers/questions/871216/how-to-exclude-microsoft-app-access-panel-from-the
https://techcommunity.microsoft.com/t5/microsoft-entra/conditional-access-policies-guest-access-and-the-quot-microsoft/m-p/2779133
*UPDATE July 2024* - Microsoft Support has a workaround for this issue. We followed the steps provided and now have Microsoft App Access Panel available to us as an app in Conditional Access. They asked me to not post the workaround publicly and instead advise customers to contact Microsoft support for the workaround.
- HerronScott | Aug 27, 2024 | Copper Contributor
Do you have a ticket number that we could reference? Microsoft Support is telling us this workaround to make the Microsoft App Access Panel available to Conditional Access policies does not exist. We've had this ticket open for 3 months now.
Scott
- Nayem | Nov 06, 2024 | Copper Contributor
I don't know what the Microsoft method was but I was able to get this working by creating a custom security attribute, assigning it to the access panel object & then adding an exclusion filter in my CA policy to exclude apps that matched the custom attribute. All working now.
- lowprofile | Jul 29, 2024 | Copper Contributor
CommsGuys1855, is there a case we can reference for the July workaround? I'm having difficulties getting past the front line(s).
- Nayem | Nov 06, 2024 | Copper Contributor
I don't know what the Microsoft method was but I was able to get this working by creating a custom security attribute, assigning it to the access panel object & then adding an exclusion filter in my CA policy to exclude apps that matched the custom attribute. All working now.
- DaveTheTeamsGuy | Jul 15, 2024 | Iron Contributor
CommsGuys1855 Can the workaround they provided apply to any service / app that gets blocked by CA?
- Nayem | Nov 06, 2024 | Copper Contributor
I don't know what the Microsoft method was but I was able to get this working by creating a custom security attribute, assigning it to the access panel object & then adding an exclusion filter in my CA policy to exclude apps that matched the custom attribute. All working now.
& in theory yes, you can apply an attribute to any service app and use the filter to exclude.
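
One way to script the approach Nayem describes (a custom security attribute on the Access Panel service principal, then an application filter that excludes it), as an added example that is not from any poster in this thread or from Microsoft Support. The attribute set, attribute name, value and policy name are hypothetical, the Graph scope list is an assumption, and the policy is created in report-only mode so the filter can be checked in the sign-in logs before anything is enforced.

```powershell
# Added example. CAExclusions / ExcludeFromCA / "AccessPanel" and the policy name are
# hypothetical. Needs the Microsoft.Graph module and the Attribute Definition
# Administrator and Attribute Assignment Administrator roles. Scope list is an assumption.
Connect-MgGraph -Scopes @(
    'CustomSecAttributeDefinition.ReadWrite.All',
    'CustomSecAttributeAssignment.ReadWrite.All',
    'Application.Read.All',
    'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess'
)

# 1. Create the attribute set and one string attribute inside it.
New-MgDirectoryAttributeSet -BodyParameter @{
    id = 'CAExclusions'; description = 'Apps exempted from specific CA policies'
    maxAttributesPerSet = 25
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter @{
    attributeSet = 'CAExclusions'; name = 'ExcludeFromCA'; type = 'String'
    description = 'Marks a service principal for CA filter exclusion'
    status = 'Available'; isCollection = $false; isSearchable = $true
    usePreDefinedValuesOnly = $false
}

# 2. Tag the Access Panel service principal. Stop if the lookup is ambiguous, so the
#    attribute (and therefore the exclusion) never lands on the wrong object.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq 'Microsoft App Access Panel'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal, found $($sp.Count)" }
Update-MgServicePrincipal -ServicePrincipalId $sp[0].Id -CustomSecurityAttributes @{
    CAExclusions = @{
        '@odata.type' = '#Microsoft.DirectoryServices.CustomSecurityAttributeValue'
        ExcludeFromCA = 'AccessPanel'
    }
}

# 3. Report-only policy: all users, all apps, minus anything carrying the tag.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'EXAMPLE - Require MFA except tagged apps'
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{ includeUsers = @('All') }
        applications = @{
            includeApplications = @('All')
            applicationFilter = @{
                mode = 'exclude'
                rule = 'CustomSecurityAttribute.CAExclusions_ExcludeFromCA -eq "AccessPanel"'
            }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
```

Any service principal that later receives the same attribute value is excluded too, so assignment of this attribute set should be restricted and reviewed like any other Conditional Access exception.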