The PowerApps service is not compatible with Entra Conditional Access (CA) policies today, which makes it impossible to create a CA policy that will block access to all cloud applications except “PowerApps”.
It is a blocker for “Zero Trust” implementation for all customers working on a Zero Trust strategy.
Need:
We need to ask the PowerApps PG to make this scenario* work.
*Scenario = create a CA policy that will block access to all cloud applications and allow PowerApps to be excluded.
“If you’re using Conditional Access policies to limit access to Power Platform and its features, the following apps must be included in Cloud apps policy application:
• Dataverse
• Power Platform API
• PowerApps Service
• Microsoft Flow Service
• Microsoft Azure Management”
We tested making exceptions in CA for 5 services that could make it work based on the link above (it is for “inclusion” so we assumed it should work for “exclusion” as well), but it didn’t help.
We consider the current design to be inadequate and requested a Design Change Request (DCR) through the support ticket, but this request was rejected as "there are no plans to address it".
Our main concern is that the current design forces us to exclude all PowerApps users from the global block CA policy, allowing them default access to all cloud applications.
So I do get what you're saying, but I am a little tiny bit confused, if you could help.
Let's say I have 10 Canvas or Model Driven apps. If I do not share them to them or a security group added to the app instead, they are not available to people to use aside from the specific admins and owners of the app.
So when you say you want to give them access to all your cloud applications, what is a cloud application exactly? Is it extensions on D365, or specifically items only set for Power Apps?
You are saying making exceptions for 5 services.
Can you please give more details (use fake app names) than "cloud applications" so it will be easier to help?
P.S. Blocking people from using Default is essentially impossible; you need to have policies around using Connectors etc., but actually blocking them from that, no.
Thanks