Azure AD: Disabled tenant self-removal by accident with conditional access


Access Control

I recently worked on a project to secure access to Azure AD integrated applications for external identities using conditional access.

The main goal was to grant external users access to 2 applications but require Azure MFA, and to block access to all other applications (even new ones that may be integrated in the near future), for example the Office 365 services.

So I created 2 conditional access policies for that scenario:

  1. All Guest Users + include the 2 apps to grant access to: Allow, but require Azure MFA
  2. All Guest Users + All apps (excluding the 2 apps to grant access to): Block

All works as designed and required, but after testing with my guest account there, I tried to remove myself from the tenant via the Access Panel (https://myapps.microsoft.com).

[Screenshot: self-removal option in the Access Panel]

But that failed due to a permission error (“Don’t have access to that application”).

But why?

As you can see from the screen above, you need to log in again to the foreign company that invited you. Doing so leads you to the Access Panel of that foreign company, which of course is blocked because of the conditional access policy.

Sadly there is currently no application entry for the Access Panel, so we cannot exclude that app from conditional access.

Currently the only way around it is to not use “All apps” in the block policy, but instead select all registered apps in the include list and build a proper manual process to add new applications that may be registered in the future.
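The weak point of that workaround is drift: an app registered after the block policy was built is targeted by neither policy. The following is an added example (not code from the original post) of the coverage check such a manual process should run; the policy objects mirror the shape of Microsoft Graph conditionalAccessPolicy resources, and all app IDs and names are constructed placeholders.

```python
"""Coverage check for the two-policy guest scenario (constructed example)."""

# Constructed sample: apps registered in the tenant, including one that was
# registered after the conditional access policies were built.
REGISTERED_APPS = {
    "app-hr-portal": "HR Portal",
    "app-supplier-docs": "Supplier Documents",
    "app-legacy-intranet": "Legacy Intranet",
    "app-new-crm": "New CRM (registered later)",
}

# The two policies, with the block policy using an explicit include list
# instead of "All" (the workaround). Field names follow the Graph schema.
POLICIES = [
    {"displayName": "Guests: allow 2 apps with MFA", "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["app-hr-portal", "app-supplier-docs"],
         "excludeApplications": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Guests: block everything else", "state": "enabled",
     "conditions": {"applications": {
         "includeApplications": ["app-legacy-intranet"],  # built before new-crm existed
         "excludeApplications": ["app-hr-portal", "app-supplier-docs"]}},
     "grantControls": {"builtInControls": ["block"]}},
]


def targets(policy, app_id):
    """True if an enabled policy's application condition matches app_id."""
    if policy.get("state") != "enabled":
        return False
    apps = policy["conditions"]["applications"]
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included


def effective_controls(policies, app_id):
    """Set of grant controls ('mfa', 'block', ...) that apply to app_id."""
    controls = set()
    for policy in policies:
        if targets(policy, app_id):
            controls.update(policy["grantControls"]["builtInControls"])
    return controls


def uncovered_apps(policies, app_ids):
    """Apps no enabled policy targets: guests would reach them unrestricted.
    Run this after every new app registration to catch drift."""
    return sorted(a for a in app_ids if not effective_controls(policies, a))
```

With the sample data, `uncovered_apps(POLICIES, REGISTERED_APPS)` reports the CRM app that was registered after the block list was built.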

I have already reported this to the product group as an issue: since this feature was introduced partly because of GDPR, it should be available even if I block access to all apps.


Author: Peter Stapf

Senior Consultant Identity and Access
