Currently conditional access policies can be scoped only to individual applications.
This has strong limitations:
* No more than hundreds of applications per policy
* In large environments with lots of applications, this gets very complex and unmanageable
* Changes to Conditional Access policies are always risky and should be minimized
* Microsoft Graph for Cond. Access is only available in delegated scope, which prevents secure scripting and automation
All these issues can be solved by the following set of features:
* Provide a mechanism to group apps
* Allow CA policies to be scoped to these app groups
Depending on the implementation, this envisioned concept can have overlap with the existing MyApps application collections or the wish to attach "tags" to applications.
There should be one generalized concept for all these requirements.
Hi Daniel, great to hear that MSFT is looking at this option. Any eta on when this might show up on the roadmap?
I really like this idea.
Were tags to get added to manage this, the ability to view, sort and filter by tags in the Enterprise Applications view would be important.
Smith, Chris commented
Absolutely brilliant, this is much needed!! Would love to see these "tags" conceptually extend to Applications getting to use the Sensitivity Labels notion, so all apps within a certain sensitivity class could have common CA policies applied. Thanks!
The group Microsoft published is actually called "Office 365 (preview)". This groups all of the main O365 workloads like OneDrive, SharePoint, Exchange. This is a good step but providing the ability for customers to manage their own groups is what we really need.
Allow the creation of custom application groups that allow us to manage our own grouping of applications for use within the Conditional Access Policies.
MSFT released a group called "O365 apps" recently which is good, but we would love the ability to manage our own groups. It would make the management of the policies so much more flexible and efficient.