Conditional Access Admin Portal


Hello, I am testing out conditional access. I am targeting web browser and select cloud apps. I have it working perfectly for SharePoint, Outlook, Azure portal, but it will not prompt for MFA for [office.com](https://office.com) or the admin tile inside the portal. I have tried multiple browsers, users and devices, and they all prompt for SharePoint, Outlook, Azure but not for the main portal or the admin tile. If I select all cloud apps it prompts as expected, so that tells me I am not choosing the right cloud app. Does anyone know the name of the cloud app I need to choose?


Thank you!



View Reddit by Pirated_Freeware

2 thoughts on “Conditional Access Admin Portal”

  1. toanyonebutyou says:

    It used to do this when you protected Exchange or SharePoint browser access with MFA; that is not the case anymore.

    It is not really an issue though as anyone that has admin access should have MFA on their entire account, not just on certain apps with conditional access. Otherwise you could be at risk.

  2. Oliver_Townshend_Esq says:

    Think of it this way:

    You protect the data and settings behind the apps. Not the apps themselves.

    Azure AD is the CA/authentication gatekeeper. You use the apps selection in the CA settings as filters.

    Logic in practice:

    Your admins have access to everything, so the logic is that you should explicitly force MFA always for admins. No CA for admins. No policy like “this app but not that app” for admins. No need to filter out certain admin-related apps. No need for an app called “admin button” or whatever. Microsoft wants you conforming to best practice.

    Other users have less access. You may want to enable MFA for all apps EXCEPT certain apps, a.k.a. “filter”. There are use cases for SPO as an exception/filter, but there should never be a real use case for “entire portal” or “the admin button” for users. It wouldn’t make sense because users don’t have admin access and they require the portal. If you think you need such a policy, you may want to start over with your CA rule, or rethink your security practices in general.

    This filter-out, a.k.a. inclusive logic applies to almost everything built into CA policy, so get used to thinking that way.

    Hope that helps.
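
The gap discussed in this thread (MFA scoped to selected cloud apps leaves office.com and the admin tile unprompted, while "all cloud apps" prompts) can be checked for in exported policies. The following is an added example, not code from the thread or from Microsoft: it reads policies in the shape of Microsoft Graph `conditionalAccessPolicy` objects and lists admin roles that no enabled all-apps MFA policy covers. The sample policies, the role and app IDs, and the function names are constructed for illustration; user-level exclusions are not evaluated.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects.
# Role and app IDs are placeholders, not real template or application IDs.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "MFA for selected apps (browser)", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["APP-SHAREPOINT", "APP-EXCHANGE", "APP-AZURE-MGMT"]},
    "clientAppTypes": ["browser"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA for admins, all apps", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["ROLE-GLOBAL-ADMIN"]},
    "applications": {"includeApplications": ["All"]},
    "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

def enforces_mfa_everywhere(policy):
    """True if the policy is enforced and demands MFA on every cloud app and client type."""
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # With operator OR, any second control would let a sign-in succeed without MFA.
    mfa_required = "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])
    return (policy.get("state") == "enabled"            # report-only does not enforce
            and "All" in apps.get("includeApplications", [])
            and not apps.get("excludeApplications")     # any carve-out reopens the gap
            and "all" in cond.get("clientAppTypes", ["all"])
            and mfa_required)

def uncovered_admin_roles(policies, admin_roles):
    """Return the admin roles that no enforced all-apps MFA policy applies to."""
    covered = set()
    for policy in policies:
        if not enforces_mfa_everywhere(policy):
            continue
        users = policy["conditions"].get("users", {})
        if "All" in users.get("includeUsers", []):
            included = set(admin_roles)
        else:
            included = set(users.get("includeRoles", []))
        covered |= included - set(users.get("excludeRoles", []))
    return sorted(set(admin_roles) - covered)

if __name__ == "__main__":
    roles = ["ROLE-GLOBAL-ADMIN", "ROLE-EXCHANGE-ADMIN"]
    print("Admin roles without all-apps MFA:", uncovered_admin_roles(SAMPLE_POLICIES, roles))
```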
