This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 69%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hi
We have a Conditiona Policy to require Compliant Device to access any data/app in MIcrosoft 365 cloud service. We have Microsoft 365 Business Premium licenses.
We have a need to allow Guest users to access Teams teams, they are invited to. For this, we need to change our Conditional Access Policies. We would need to allow only needed apps/services in Conditional Access Policies but problem is to find the correct ones.
I started by allowing guests to access "Office 365" app. According to
doc, allowing "Office 365" app, I allow many other apps that are not required to access Teams team, at least what I have understood.
But allowing guests to access "Office 365" app without Compliant Device requirement, is not enough. When I check Sign-in logs in Entra for some guest account, I can see that guests have problem of accessing Microsoft App Access Panel -application / Windows Azure Active Directory -resource. What I have understood, guests need access to this app/resource to set 2FA.
Problem here is that I can't allow guests access these app/resource because I can't add these to the Conditional Access Policy. These are not found when I try to add these to "Target Resources" of the policy by searching with "Microsoft" or "Microsoft App" or "Windows" or "Windows Azure" and so on so that I could exclude these from the Compliant Device requirement.
In other words, I need to allow guests to access all Microsoft 365 cloud apps and all resources in Microsoft 365 cloud just to get guests to be able to access Teams team, where they are invited to.
Is this really the situation or am I missing something? How this situation should be handled?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@IMK, Thanks for posting in Q&A. Based as I know, when configure MFA for Azure management in conditional access policy, the related resource is "Windows Azure Service Management API".
For the resource "Windows Azure Active Directory" in sign in log, it seems to be with this resource as well. Please configure "Windows Azure Service Management API" to be allowed in conditional access policy for these guests to see if the issue is resolved.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
So I would need to allow Guest access for "Office 365" and "Windows Azure Service Management API" for Guests to be able to access Teams teams and to be able to register 2FA?
@IMK, On my point of view, yes, you can try.
@IMK,Hope things are going well. If there's any update after we add the cloud app, feel free to let us know.