
I have applied a Conditional Access policy in Azure AD for some users to block access to Microsoft Teams. But I still need to have access to Teams from my Web Service with a refresh token (to post some data on behalf of that user). When I try to refresh the token for a user who appears in that list, I get the following error:
AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

I have tried to add a Location condition to allow access to Teams only from my server's IP address. I can access Teams from a browser installed on the server (I could not access it from another computer), but this error is still reproduced.

How could I resolve that and block access to Teams but still have an ability to refresh tokens and act on behalf of that user within my Web Service?

Herman Stashinskii
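As an added example (not code from the question or the answer), a minimal Python client that performs the refresh-token exchange the question describes against the Azure AD v2.0 token endpoint and classifies the AADSTS53003 response, so the web service can tell a Conditional Access block (which no retry will fix) apart from an expired or revoked refresh token. The tenant id, client credentials and the injectable `post` hook are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Azure AD v2.0 token endpoint; TENANT_ID is a placeholder for your directory id.
TENANT_ID = "YOUR-TENANT-ID"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def classify_token_error(body):
    """Map an Azure AD token error body (dict) to a short reason.

    Azure AD returns 'error_codes' (ints) plus an 'error_description' that
    starts with the AADSTS code. 53003 is the Conditional Access block from
    the question: the refresh cannot succeed until the policy itself changes,
    so callers should log it and stop retrying rather than loop."""
    codes = body.get("error_codes") or []
    desc = body.get("error_description", "")
    if 53003 in codes or "AADSTS53003" in desc:
        return "blocked_by_conditional_access"
    if body.get("error") == "invalid_grant":
        return "refresh_token_invalid"  # expired/revoked: user must sign in again
    return "other_error"


def refresh_access_token(client_id, client_secret, refresh_token, scope, post=None):
    """Exchange a refresh token for a new access token.

    `post` is an injectable callable (url, form_dict) -> (status, body_dict),
    an assumption made so the logic can run offline; the default uses urllib."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    status, body = (post or _http_post_form)(TOKEN_URL, form)
    if status == 200 and "access_token" in body:
        return {"ok": True, "access_token": body["access_token"]}
    return {"ok": False, "reason": classify_token_error(body)}


def _http_post_form(url, form):
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())  # token errors arrive as HTTP 400 with a JSON body
```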

1 Answer


Generally, multiple conditions can be combined to create fine-grained and specific Conditional Access policies. If you block Teams for certain users, it will include the web service. If you also apply location-based CA, it will allow access from certain locations and block all other locations, including client and web. If you block legacy authentication using the Other clients condition, you can also block web applications while allowing mobile or desktop apps that support Microsoft Teams, but blocking users and allowing them through the web via a CA policy is not documented; I tried from my end in various ways, but it is not available.