Add more native Cloud Apps to Conditional Access
Currently there is only a small set of Cloud Apps available in the Cloud Apps section to include or exclude in Conditional Access.
My current configuration blocks all access to all Cloud Apps unless the user is a member of an exception group, I have excluded an application explicitly (e.g. Exchange Online or SharePoint), the device is marked as compliant (Intune), or the device is coming from a trusted location.
My first problem is that I cannot onboard devices outside the company without adding the users to the exception group. The Intune web portal (https://portal.manage.microsoft.com) is not part of the "Microsoft Intune Enrollment" app. So users who are not members of the exception group run into the blocked-access page from Conditional Access.
My second problem is that I cannot exclude office.portal.com from the main block-all policy because the AppID (00000006-0000-0ff1-ce00-000000000000) is not part of any Cloud App. I want to allow users to install the Office Suite on their own devices, but I don't want to allow access to all O365 resources.
Currently, as support stated, there is no possibility to achieve my aim.
As far as I can see, the Conditional Access mechanism can see the blocked application, as it shows me the application ID in the detail information of the blocked-access prompt.
Also, I have no possibility to exempt the multi-factor authentication configuration page (https://aka.ms/MFASetup) for the users.
In my opinion this is a common way to roll out cloud resources in a restrictive way. Allowing all and then blocking some applications is not a good way to allow access to cloud services, especially if you look at the high attack rates on cloud services.
I would like to have the ability either to add those Microsoft native apps on my own (knowing the AppIDs being blocked) or to choose these apps from Cloud Apps.
Conditional Access is such a wonderful solution; it would be a real advantage if we could configure it in that way.
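As an added example that is not part of the original post, the baseline policy the author describes (block all Cloud Apps unless the user is in the exception group, the app is explicitly excluded, the device is Intune-compliant, or the request comes from a trusted location) can be expressed with the Microsoft Graph PowerShell SDK like this. The exception-group object ID and the Exchange Online / SharePoint Online AppIDs are assumptions to be verified in your own tenant; the Office 365 Portal AppID is the one quoted in the post. The policy is created in report-only mode so it can be checked against the sign-in logs before it enforces anything.

```powershell
# Added example, not the author's or Microsoft's own configuration script.
# Builds the "block all Cloud Apps except ..." baseline with the Microsoft Graph
# PowerShell SDK. Requires the Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Applications modules.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Assumed object ID of the exception group (the post's "exception group").
$exceptionGroupId = '11111111-2222-3333-4444-555555555555'

# Apps to carve out of the block. The first two AppIDs are assumed well-known
# first-party IDs; the third is the Office 365 Portal AppID quoted in the post.
$excludedApps = @{
    'Exchange Online'   = '00000002-0000-0ff1-ce00-000000000000'
    'SharePoint Online' = '00000003-0000-0ff1-ce00-000000000000'
    'Office 365 Portal' = '00000006-0000-0ff1-ce00-000000000000'
}

# Check: an AppID can only be referenced in excludeApplications if a service
# principal for it exists in the tenant. Report the ones that do not resolve
# instead of silently shipping a policy that does not exclude them.
$resolved = @()
foreach ($entry in $excludedApps.GetEnumerator()) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($entry.Value)'" -ErrorAction SilentlyContinue
    if ($sp) {
        $resolved += $entry.Value
    } else {
        Write-Warning "$($entry.Key) ($($entry.Value)) has no service principal in this tenant; not excluded."
    }
}

$policy = @{
    displayName = 'Baseline: block all Cloud Apps except exceptions'
    # Report-only first: review what WOULD have been blocked in the sign-in
    # logs, then switch state to 'enabled'. A wrong block-all policy that is
    # enabled immediately can lock the whole tenant out.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{
            includeApplications = @('All')
            excludeApplications = $resolved
        }
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($exceptionGroupId)
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # named locations marked as trusted
        }
        devices = @{
            # Exclude compliant (Intune-managed) devices from the block.
            # Unregistered devices carry no compliance attribute, so they do
            # not match the exclusion and stay blocked, which is the intent.
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

The service-principal check is the part worth keeping: whether a given first-party AppID (such as the Intune web portal or the MFA setup page the post mentions) can be excluded at all depends on that lookup succeeding, and the warning tells you which ones fall through to the block. Before enabling a block-all policy, also exclude at least one break-glass account that is outside the exception group's normal membership process.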