Exclude Microsoft Authenticator from Conditional Access Policy

Jan_H
New Contributor II

Hi Jamf Nation,

We are using Conditional Access policies in Entra ID to prevent users from using private mobile devices to access our M365 services.

However, I need to exclude the Microsoft Authenticator app from this policy, but I'm not able to select this app in the CA policy config.

I tried to use a filter for a device condition: device.mdmAppId -eq "4813382a-8fa7-425e-ab75-3b753aab3abb"

But I guess this attribute is not available to Entra ID, since the devices are not Intune-managed but Jamf-managed.

In the device sign-in log I'm able to see the block based on the application ID for Microsoft Authenticator.

Do any of you have any ideas on how to do this?

4 REPLIES

jeetendragupta
New Contributor II

You can exclude using the device filter option device.mdmAppId -eq "29d9ed98-a469-4536-ade2-f981bc1d605e"

I have already tested this, but unfortunately it does not work. The policy does not respect this filter. Seems almost as if the device for mdmAppId must be managed via Intune?

jjouyan
New Contributor II

Why do you need to exclude Microsoft Authenticator? For the registration, you can exclude the User Registration app for device compliance.


https://learn.microsoft.com/en-us/mem/intune/protect/jamf-managed-device-compliance-with-entra-id

Jan_H
New Contributor II

We want to prevent users from accessing our M365/Azure resources from private devices.

I have also opened a ticket with Microsoft.

Their response:

Unfortunately, the Microsoft Authenticator App cannot be directly excluded from a Conditional Access (CA) policy. This is a known limitation, and there is an ongoing user request to enable such exclusions, but there are some workarounds you can consider:

1. Create a separate CA policy: Instead of blocking all apps, create a policy that blocks specific apps other than the Microsoft Authenticator app.

This is what we did: changed the included apps under Target resources to Office365 and a few others. Not quite a 100% solution, but it works for now.
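
The workaround described in the last post, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not code from any poster in the thread or from Microsoft's ticket response. The display name, the platform scope, the compliant-device grant control and the report-only state are assumptions, since the thread does not show the original policy.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in admin is allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Broad scope (assumed to be the original setup): every cloud app is targeted,
# so the Microsoft Authenticator sign-in is evaluated with everything else and
# there is no entry for it in the app picker to exclude. Shown for comparison only.
$allAppsTarget = @{ includeApplications = @('All') }

# Scoped form from the thread: list the resources to protect instead of 'All'.
# 'Office365' is the built-in Office 365 app group accepted by Graph.
$scopedTarget = @{
    includeApplications = @(
        'Office365'
        # '<app-id-of-another-protected-app>'  # placeholder, not from the thread
    )
}

$policy = @{
    displayName   = 'Mobile - require compliant device for M365 (example)'  # hypothetical name
    # Report-only first, so the effect shows up in the sign-in logs without enforcing.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = $scopedTarget
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('all')
    }
    # Assumption: private devices are kept out by requiring a device that the MDM
    # (here Jamf, through its compliance integration) has marked compliant.
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Check the report-only results in the sign-in logs before changing `state` to `enabled`. Any app not listed under `includeApplications` is outside this policy, which is the gap the poster refers to.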