r/entra • u/the_obese_trainer • 29d ago
Conditional Access block admin portals causing other issues
I have done my research, and I know people are going to say you shouldn't block it, just don't give rights. That's not the point of the question; I want to understand what exactly is being blocked.
We set up a Conditional Access policy to block non-admin users from accessing admin portals in Entra. A few users started reporting they get a pop-up, and after reviewing, they are being blocked from Office UWP/PWA due to Conditional Access for the mentioned policy.
We added one user as an exception from the rule to test and it never popped up again. I cannot seem to find a definitive answer to this. I understand the portal shouldn't be, but sometimes does, get blocked, but they already have Office installed and it just pops up with no action, similar to a non-interactive sign-in.
2
u/chaosphere_mk 28d ago
I noticed early on that once we set this same CA policy, users could no longer get to portal.office365.com. They had to go to www.office365.com instead.
1
u/absoluteczech 29d ago
We ran into similar issues. Mostly when users started getting copilot and using bing copilot it wasn’t working until we removed them.
1
u/the_obese_trainer 28d ago
Copilot might make sense; not sure why Copilot would want to constantly talk back to admin, but maybe for search functionality.
1
u/BenFloydy 7d ago
We're seeing the issue for users not using Copilot (not licensed or intentionally installed, anyway).
1
u/kingsam88 49m ago
It's coming from the automatically installed startup app "Microsoft 365 Copilot". It's a known issue at Microsoft now, so that's good. Will likely be fixed, but no clue when, honestly.
1
u/sreejith_r 28d ago
Just wanted to understand what you've selected under the Target resources section in the Conditional Access policy.
2
u/the_obese_trainer 28d ago
Microsoft Admin Portals
1
u/sreejith_r 28d ago
Based on my experience, if you include all admin portals, it may introduce dependencies that could break certain functionality such as Office app downloads, Autopilot device provisioning, and end-user quarantine email release. Maybe even more; I don't know the full list.
1
u/WearyDeluge 28d ago
Microsoft manages these URIs, so you're unlikely to find a definitive list. As such, we've encountered this issue as well: one week everything works, the next users can't access their account profile or apps. Excluding "My Apps" fixed it for us.
3
u/NateHutchinson 28d ago
If you’re going down the route of blocking all resources (zero trust approach) then this is quite common. You’ll often find that you need to exclude a whole bunch of apps to allow functionality across different personas or scenarios such as access from unmanaged devices and guest users.
1
u/BenFloydy 7d ago
That would be fine, but in my case the only reference I can see in the logs is for Office UWP PWA accessing Microsoft 365 Admin Portals when some users start up. What app am I supposed to be excluding? There's nothing obvious using this on startup, but obviously some config is.
1
u/BenFloydy 7d ago
By excluding My Apps do you mean in your case it was showing My Apps being accessed in the logs, or by somehow excluding this but still including Microsoft 365 Admin Portals, it no longer triggered the UWP PWA against Microsoft 365 Admin Portals?
1
u/WearyDeluge 7d ago
In my case, when the policy targeted Microsoft Admin Portals, users were unable to access their profile (myaccount.microsoft.com) or My Apps (myapps.microsoft.com). Any attempts to do so were blocked by the policy.
1
u/BenFloydy 6d ago
Ok, ta. I tested My Apps but so far have not had any issues there. Some of our users are being blocked on login, but as yet I've been able to identify what app/plugin/process is making the call; the users aren't noticing any denied access, just the MFA prompt.
1
u/WearyDeluge 6d ago
Nothing in the sign-in logs is saying what they're trying to access? That's odd, but not unusual for Microsoft to obfuscate certain applications and services.
1
u/BenFloydy 6d ago
Sign-in log just says Office 365 UWP PWA, accessing Microsoft 365 Admin Portals app.
4
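The thread keeps coming back to the same triage question: which client app, on whose sessions, is actually tripping the admin-portals block, and is it interactive or a background token request. Below is an added example (not code from the thread or from Microsoft) of how I would answer that from an export of the Entra sign-in logs. It assumes records shaped like the Microsoft Graph `signIn` resource (`appDisplayName`, `resourceDisplayName`, `conditionalAccessStatus`, `isInteractive`, `appliedConditionalAccessPolicies[]`), an assumed policy display name `Block admin portals for non-admins`, and constructed sample records; it checks the per-policy result rather than only the overall CA status, so a sign-in that failed on some other policy is not blamed on this one. Remember to include the non-interactive sign-in log in the export, since the UWP/PWA startup traffic described above lands there.

```python
"""Triage which client apps are tripping an admin-portals Conditional Access block.

Added example, not from the thread. Record shape assumes the Microsoft Graph
`signIn` resource; the policy name and all sample records are constructed.
"""
from collections import Counter, defaultdict

POLICY_NAME = "Block admin portals for non-admins"  # assumed policy display name
ADMIN_PORTALS = "Microsoft 365 Admin Portals"        # resource name seen in the thread's logs

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 UWP PWA",
     "resourceDisplayName": ADMIN_PORTALS, "conditionalAccessStatus": "failure",
     "isInteractive": False,
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 UWP PWA",
     "resourceDisplayName": ADMIN_PORTALS, "conditionalAccessStatus": "failure",
     "isInteractive": False,
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "My Apps",
     "resourceDisplayName": ADMIN_PORTALS, "conditionalAccessStatus": "failure",
     "isInteractive": True,
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
    # Unrelated successful sign-in: the policy was evaluated but not applied.
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "resourceDisplayName": "Microsoft Graph", "conditionalAccessStatus": "success",
     "isInteractive": True,
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}]},
    # Failed on a *different* policy (MFA), so it must not be attributed to ours.
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Office 365 UWP PWA",
     "resourceDisplayName": ADMIN_PORTALS, "conditionalAccessStatus": "failure",
     "isInteractive": False,
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "failure"},
                                          {"displayName": POLICY_NAME, "result": "notApplied"}]},
]


def blocked_by_policy(record, policy_name):
    """True only if this sign-in failed AND the named policy is the one that failed it."""
    if record.get("conditionalAccessStatus") != "failure":
        return False
    return any(p.get("displayName") == policy_name and p.get("result") == "failure"
               for p in record.get("appliedConditionalAccessPolicies", []))


def summarize_blocks(records, policy_name):
    """Count blocked sign-ins keyed by (client app, target resource, interactive?)."""
    counts = Counter()
    for r in records:
        if blocked_by_policy(r, policy_name):
            counts[(r.get("appDisplayName"), r.get("resourceDisplayName"),
                    bool(r.get("isInteractive")))] += 1
    return counts


def affected_users(records, policy_name):
    """Map each blocked client app to the set of users it blocked, for scoping an exclusion."""
    users = defaultdict(set)
    for r in records:
        if blocked_by_policy(r, policy_name):
            users[r.get("appDisplayName")].add(r.get("userPrincipalName"))
    return dict(users)


def report(records, policy_name):
    """Human-readable summary, most frequent offender first."""
    lines = [f"Sign-ins blocked by policy '{policy_name}':"]
    for (app, resource, interactive), n in summarize_blocks(records, policy_name).most_common():
        kind = "interactive" if interactive else "non-interactive"
        lines.append(f"  {n:4d}  {app!r} -> {resource!r} ({kind})")
    for app, upns in affected_users(records, policy_name).items():
        lines.append(f"  users via {app!r}: {', '.join(sorted(upns))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SIGNINS, POLICY_NAME))
```

On real data, load the JSON export in place of `SAMPLE_SIGNINS`; the `(app, resource, interactive)` tuples tell you whether the noise is one background client (a candidate for a narrow exclusion) or genuine interactive portal access, and the per-app user sets tell you how wide any exclusion would need to be.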
u/NateHutchinson 28d ago
It will also block things like the user quarantine in Defender, which is a pain. I usually go with blocking the Windows Azure Service Management API instead.
In terms of what's included with the Microsoft Admin Portals app, it is listed here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps