a month ago
Hi Jamf Nation,
we are using conditional access policies in EntraID to prevent users from using private mobile devices to access our M365 Services.
However I need to Exclude Microsoft Authenticator App from this Policy but im not able to select this app in CA Policy Config.
I tried to use a filter for a device condition "device.mdmAppId -eq "4813382a-8fa7-425e-ab75-3b753aab3abb""
But i guess this attribute is not available to EntraID since Devices are not Intune but Jamf managed.
In the Device Sign In Log im able to see the block based on the Application ID for Microsoft Authenticator.
Do any of you have any ideas on how to do this?
4 weeks ago
You can exclude using the device filter option device.mdmAppId -eq "29d9ed98-a469-4536-ade2-f981bc1d605e"
4 weeks ago
I have already tested this, but unfortunately it does not work. The policy does not respect this filter. Seems almost as if the device for mdmAppId must be managed via Intune?
4 weeks ago
why do you need to Exclude Microsoft Authenticatior? For the Registration, you can Excluede User Registration app for Device Compliance.
> https://learn.microsoft.com/en-us/mem/intune/protect/jamf-managed-device-compliance-with-entra-id
4 weeks ago
We want to prevent users from accessing our M365/Azure resources from private devices.
I have also opened a ticket with microsoft.
Their Response:
Unfortunately, the Microsoft Authenticator App cannot be directly excluded from a Conditional Access (CA) policy. This is a known limitation, and there is an ongoing user request to enable such exclusions, but there are some workarounds you can consider:
1. Create a separate CA policy: Instead of blocking all apps, create a policy that blocks specific apps other than the Microsoft Authenticator app.
This is what we did, changed the included Apps under Target Ressources to Office365, and a few others. not quite 100% solution, but works for now.