Conditional Access - Users cant access portal.microsoftonline.com to change their passwords

Question

Hi,

I have blocked access to Microsoft Admin portals via Conditional Access.
When users want to change their passwords using CTRL-ALT-DELETE from their computers they are being redirected to https://portal.microsoftonline.com but access is denied.

Getting following message:

You don't have access to this

Your sign-in was successful but you don't have permission to access this resource.

Anyway to exclude this portal?

Answer 1

@TU, Thanks for posting in Q&A.

From your description, I know users cannot change their passwords because you have created a conditional access to block Microsoft Admin portal.

Based on my research, currently, when a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:

Azure portal

Exchange admin center

Microsoft 365 admin center

Microsoft 365 Defender portal

Microsoft Entra admin center

Microsoft Intune admin center

Microsoft Purview compliance portal

Microsoft Teams admin center

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#microsoft-admin-portals

If you want to block users accessing some specific portals, you can block them in detail not block them all.

Or you can unassign the policy and after users change their passwords, then re-assign the policy.

Moreover, in the Grant session, you can set up the settings to allow users who meet the criteria to access it.

Hope above information can help you.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.