Client Tenant Conditional Access block Exchange PowerShell #1098
Exploitacious started this conversation in General
Replies: 1 comment 1 reply
-
So this is something we actually have a minor fix for; it ain't perfect, but it's a lot better than just excluding Exchange Online. You can add the CIPP Azure Function addresses as a trusted location and exclude it from your policies. There's a premade script for this in CIPP settings -> Maintenance scripts by @JohnDuprey. :)
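As an added illustration of the suggestion above (this is example code, not CIPP's maintenance script and not code from anyone in this thread): create the trusted IP named location and carve it out of the one offending policy in a client tenant using the Microsoft Graph PowerShell SDK's `Invoke-MgGraphRequest`. The IP ranges are placeholders, the location name is made up, and the policy name is the one quoted in the original post; all three are assumptions you replace with your own values.

```powershell
# Added example (not CIPP's maintenance script): carve the CIPP Function App's
# egress IPs out of ONE blocking policy in ONE client tenant. Named locations and
# CA policies are per tenant, so this runs once per client. Needs the
# Microsoft.Graph PowerShell SDK (Microsoft.Graph.Authentication) and an identity
# allowed to write Conditional Access in the client tenant.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"
$graph = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"

# ASSUMPTION: TEST-NET-3 placeholders. Replace with the outbound addresses of your
# own CIPP Function App (Azure portal -> Function App -> Properties ->
# "Additional Outbound IP Addresses"); those are what the client tenant sees.
$cippOutboundIps = @("203.0.113.10/32", "203.0.113.11/32")
$locationName    = "CIPP Azure Function outbound IPs"          # assumed name
$policyName      = "Block Unsupported Device Platforms"        # policy from the sign-in log

# 1. Reuse or create a trusted IP named location holding the CIPP egress ranges.
$location = (Invoke-MgGraphRequest -Method GET -Uri "$graph/namedLocations").value |
    Where-Object { $_.displayName -eq $locationName } | Select-Object -First 1
if (-not $location) {
    $location = Invoke-MgGraphRequest -Method POST -Uri "$graph/namedLocations" -Body @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        displayName   = $locationName
        isTrusted     = $true
        ipRanges      = @($cippOutboundIps | ForEach-Object {
            @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
        })
    }
}

# 2. Fetch the blocking policy and add the location to its excludeLocations.
$policy = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies").value |
    Where-Object { $_.displayName -eq $policyName } | Select-Object -First 1
if (-not $policy) { throw "Policy '$policyName' not found in this tenant" }

$conditions = $policy.conditions
if (-not $conditions.locations) {
    # No location condition yet: scope it to all locations first, then carve ours
    # out, otherwise the exclusion has nothing to apply to.
    $conditions.locations = @{ includeLocations = @("All"); excludeLocations = @() }
}
$conditions.locations.excludeLocations = @(
    @($conditions.locations.excludeLocations | Where-Object { $_ }) + $location.id |
        Select-Object -Unique
)

# Send the whole conditions object back so no other condition (platforms, apps,
# users) is dropped by a partial PATCH. Nothing else on the policy is touched.
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/$($policy.id)" -Body @{
    conditions = $conditions
}
"Excluded '$locationName' ($($location.id)) from '$policyName'"
```

Two caveats worth keeping in mind when you run something like this: the exclusion is applied to the single policy that produced the AADSTS53003, not to every policy, so MFA, country and legacy-auth policies keep evaluating; and outbound IPs of a Function App on shared App Service infrastructure are shared with other customers' apps on the same scale unit unless you route egress through your own VNet/NAT gateway, which is why this is a workaround rather than a real fix. Check the next CIPP permissions run and the client tenant's sign-in log afterwards to confirm the policy now shows as not applied for that sign-in.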
-
Hey Kevin! Huge fan of your work.
TL;DR: I've run into an issue I haven't been able to find a solution to in your documentation or in any of the discussions here, so I'm hoping that you or someone who might have more insight than me can help. How can I exclude the CIPP user or application from CA on a guest tenant?
First, let me say that we are a CSP and I deployed the CIPP dashboard in Azure, and it works great! It's quick, snappy, all the way up to date (last I checked), using PowerShell 7.2, and every single module works perfectly. Occasionally I get random errors, but they mostly resolve themselves after a refresh.
For our clients' security, we use a number of Conditional Access policies to do things like block unauthorized countries, legacy devices and basic authentication, enforce MFA, etc. As it turns out, one of these is blocking CIPP from logging on with Exchange Online PowerShell. The "Tenant Access" works fine even with all the CA turned up to 11, but the Exchange access does not. Here's the specific error when I run a permissions check:
Failed to connect to Exchange: Failed to obtain Classic API Token for - {"error":"interaction_required","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2022-08-31 16:47:25Z","error_codes":[53003],"timestamp":"2022-08-31 16:47:25Z","trace_id":"","correlation_id":"","error_uri":"https://login.microsoftonline.com/error?code=53003","suberror":"message_only"}
When I check the sign-in logs on the client tenant, I see that Conditional Access is indeed blocking the account set up on the parent CSP/CIPP application. The specific policy is "Block Unsupported Device Platforms", where I BLOCK access by ALL devices that aren't specifically Android, iOS, macOS, or Windows.
When looking at the sign-in activity details for the failure event in the client tenant, I have a few more details: there is no device info registered with the login attempt, and the location bounces around (Azure datacenter behavior, I guess?). This means I can't exclude based on IP or device type.
Obviously, the workaround is to add something to either my "Exclude from CA" group, where I have certain apps and users who are allowed to bypass this, or to nerf this policy or disable it. I think this is a great policy to have, so I don't want to do the former. The problem is that I can't seem to enter any ID, username of the CIPP user, or application ID into my Exclude from CA group, nor can I add any exclusions to the policy for just Exchange Online PowerShell or the CIPP application. The problem is that these applications and this user are not located on the guest tenant, and CA doesn't know how to add something that it doesn't have in its own list of app or user choices.
For now, my only workaround is excluding the entire Exchange Online application from this CA policy, which is not ideal. Let me know if you or anyone else has any suggestions!
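As an added example (not from the post or from CIPP), here is how to pull the evidence the post describes out of a client tenant's sign-in logs with the Microsoft Graph PowerShell SDK: every sign-in that Conditional Access blocked with AADSTS53003, together with the policy that failed and the (absent) device platform, so you can see which policy needs the carve-out before touching anything. The `$appFilter` value is an assumption; set it to whatever the client tenant's sign-in log shows as the application name for your CIPP sign-in, or leave it empty.

```powershell
# Added example: list Conditional Access blocks in the client tenant with the
# policy that failed them. Needs the Microsoft.Graph.Reports module; the signIns
# API requires an Entra ID P1/P2 tenant, which any tenant running CA already is.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# ASSUMPTION: wildcard for the app name as the client tenant's log shows it.
# Leave it empty to see every blocked app.
$appFilter = ""
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter on the CA outcome and time window; error code is checked client-side.
$signIns = Get-MgAuditLogSignIn -All -Filter "conditionalAccessStatus eq 'failure' and createdDateTime ge $since"

$signIns |
    Where-Object {
        $_.Status.ErrorCode -eq 53003 -and
        (-not $appFilter -or $_.AppDisplayName -like $appFilter)
    } |
    ForEach-Object {
        # Only the policies whose result was 'failure' actually caused the block;
        # 'notApplied' and 'success' entries are noise for this question.
        $failed = $_.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
        [pscustomobject]@{
            When             = $_.CreatedDateTime
            User             = $_.UserPrincipalName
            App              = $_.AppDisplayName
            Resource         = $_.ResourceDisplayName
            IP               = $_.IPAddress
            Platform         = $_.DeviceDetail.OperatingSystem   # empty for a headless sign-in
            BlockingPolicies = ($failed.DisplayName -join '; ')
        }
    } |
    Sort-Object When -Descending |
    Format-Table -AutoSize
```

An empty Platform column next to a failing device-platform policy is exactly the situation the post describes: a platform block that treats "unknown" as "not allowed" will always catch a non-interactive sign-in from an Azure Function, and the IP column will vary with the datacenter, which is why an IP-based exclusion only works once those egress addresses are pinned down as a named location.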