Recently, an unexpected problem popped up with some ConditionalAccess policies: it is not possible to enforce controls. Applications show up as ‘excluded’ from the targeted resources when ConditionalAccess policies are evaluated. This behaviour allows users to access resources without MFA or compliant devices. This is possible for Applications which use Entra ID as Idp or […]