I'm looking for a way to set up a conditional access policy that enforces very specific login methods but allows single-use TAP for the security info page only. Is there a way to create a condition that says 'all except the security info' in these policies? I noticed that while 'Register security information' is a user action, it seems to fall under 'all resources' and the exclude feature only works for resources, not specific actions. Any insights on this?
1 Answer
Unfortunately, you can't set it up to exclude the Register Security Information action while including everything else. It just doesn't have that level of granularity. That said, you might want to consider allowing TAP for all actions and then adding specific restrictions where you need them. This can give you a bit more flexibility!
Yeah, it’s a bit frustrating! But I guess it's a workaround. By the way, any idea what roles are needed to access the identity protection dashboard? I feel like I've tried a bunch, but I'm hitting a wall.