It seems that Microsoft pushed out a new change today that might be causing some serious issues. Conditional Access policies and exclusions based on apps are not functioning as they should anymore. We have an app registration that used to be exempt from one of our policies, but now it's listed as "Microsoft Graph" instead of the specific app name. This means none of our per-app policies are working as intended; it's all reverted to Microsoft Graph regardless of what we set. I even tried creating a new policy, but the problem persists. Has anyone else experienced this? What are the potential workarounds?
1 Answer
Oh, I saw that Microsoft announced some changes regarding Conditional Access recently. They might be related to the issues you’re having. Check out their blog post for more details: https://techcommunity.microsoft.com/blog/microsoft-entra-blog/upcoming-conditional-access-change-improved-enforcement-for-policies-with-resour/4488925. It's definitely worth a look to see if there's anything that can help you sort this out.

This change sounds like a huge step backward in terms of security! I've got loads of users using custom apps who are exempt from MFA, and this change might force us to rethink our entire approach. I'll be reaching out to our Microsoft Account Manager to discuss this ASAP.