Conditional Access Policy Limitation: Windows 365 Portal Not Found in Target Resources
WF-PHG highlights a Conditional Access policy issue in Microsoft Entra ID: the inability to configure access exceptions for the ‘Windows 365 Portal’ when only Azure Virtual Desktop and Security Info should be accessible for external users.
Conditional Access Policy Application Not Found in Target Resources
Author: WF-PHG
Scenario Overview
WF-PHG describes a scenario where Conditional Access (CA) policies are set for external users (created in AD and synchronized to Entra ID). The policy blocks access to all Microsoft 365 resources except:
- Azure Virtual Desktop (Resource ID: 9cdead84-a844-4324-93f2-b2e6bb768d07)
- Security Info (for MFA setup)
Issue Encountered
With Microsoft rolling out the new Windows App (intended to replace the old Remote Desktop app and web interface), the author attempted to use:
- Windows App installed on a PC: Accessed Azure Virtual Desktop successfully using Windows 365 Client (Application ID: 4fb5cc57-dbbc-4cdc-9595-748adff5f414, Resource ID matches Azure Virtual Desktop).
- Windows App web interface (https://windows.cloud.microsoft/): Attempted sign-in results in access denied. The sign-in logs show the attempted resource is:
  - Application: Windows 365 Portal
  - Application ID: 3b511579-5e00-46e1-a89e-a6f0870e2f5a
  - Resource: Windows 365 Portal
  - Resource ID: 3b511579-5e00-46e1-a89e-a6f0870e2f5a
Policy Configuration Limitation
- The author cannot find Windows 365 Portal in the list of applications that can be set as an exception in the CA policy.
- The closest match, Windows 365, does not resolve the access problem, as it uses a different resource ID.
Questions Raised
- How can administrators allow access to Windows 365 Portal via the CA policy if it cannot be found in the target resource list?
- Is there a workaround or update required from Microsoft?
Key Technical Details
- Synchronized users between Active Directory and Entra ID
- Resource IDs and Application IDs explicitly listed for troubleshooting
- Differentiation between desktop client and web interface access flows
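An added example, not from the original post or from Microsoft: a Python check that compares the resource IDs seen in sign-in records against a policy's exclusion list, which is the mismatch between the desktop and web flows described above. The policy fragment and sign-in records are constructed; they assume Microsoft Graph field names, model only the Azure Virtual Desktop exclusion, and assume a "notApplied" status for the excluded flow.

```python
from collections import defaultdict

AVD = "9cdead84-a844-4324-93f2-b2e6bb768d07"          # Azure Virtual Desktop (from the post)
W365_PORTAL = "3b511579-5e00-46e1-a89e-a6f0870e2f5a"  # Windows 365 Portal (from the post)

# Constructed policy fragment shaped like a Graph conditionalAccessPolicy.
POLICY = {"conditions": {"applications": {
    "includeApplications": ["All"],
    "excludeApplications": [AVD],
}}}

# Constructed sign-in records using Graph signIn field names.
SIGN_INS = [
    {"appDisplayName": "Windows 365 Client",
     "appId": "4fb5cc57-dbbc-4cdc-9595-748adff5f414",
     "resourceDisplayName": "Azure Virtual Desktop", "resourceId": AVD,
     "conditionalAccessStatus": "notApplied"},
    {"appDisplayName": "Windows 365 Portal", "appId": W365_PORTAL,
     "resourceDisplayName": "Windows 365 Portal", "resourceId": W365_PORTAL.upper(),
     "conditionalAccessStatus": "failure"},
]

def in_scope(policy, resource_id):
    """True if the policy's app targeting still covers this resource ID."""
    apps = policy["conditions"]["applications"]
    include = {a.lower() for a in apps["includeApplications"]}
    exclude = {a.lower() for a in apps["excludeApplications"]}
    rid = resource_id.lower()  # GUIDs can differ in case between sources
    return ("all" in include or rid in include) and rid not in exclude

def exclusion_gaps(policy, sign_ins):
    """Map each blocked, still-targeted resource ID to the client apps that requested it."""
    gaps = defaultdict(set)
    for s in sign_ins:
        if s["conditionalAccessStatus"] == "failure" and in_scope(policy, s["resourceId"]):
            gaps[s["resourceId"].lower()].add(s["appDisplayName"])
    return {rid: sorted(apps) for rid, apps in gaps.items()}

if __name__ == "__main__":
    for rid, apps in exclusion_gaps(POLICY, SIGN_INS).items():
        print(f"resource {rid} blocked for: {', '.join(apps)}")
```

The check keys on the resource ID rather than the client application ID, matching the post's observation that the desktop client succeeds because its resource ID is the excluded Azure Virtual Desktop one.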
Summary
This scenario highlights a technical limitation in CA policy resource targeting, particularly with new service endpoints (such as the Windows App web interface) that may not yet appear in admin configuration tools. Resolution likely requires Microsoft support escalation, new documentation, or product updates affecting resource visibility in Conditional Access.
This post appeared first on “Microsoft Tech Community”.