Conditional Access MFA for Azure Management is also catching Powerapps

Question
-
Hi all,
We've setup a conditional access rule to force MFA for access to "Microsoft Azure Management" (i.e. azure portal + powershell), however we find that this rule also catches and forces MFA for "web.powerapps.com".
Does anyone have an insight into this behaviour and whether there is a workaround?
I've tried putting "Microsoft Powerapps" as an exception but it doesn't work.
Support ticket is in but I have more confidence in the collective wisdom here.
Thanks,
Ben
Thursday, November 8, 2018 7:07 AM
Answers
-
Hi Neelesh,
Thanks for your interest, the ticket is [REG:118110826001741] Conditional MFA for Azure Management also applied to powerapps.
Response received yesterday is that this is a known issue. The blame is placed on the way the consumer SAAS platform (powerapps) was coded, but this is an overly simplistic redirection of responsibility.
Powerapps is calling graphapi, and somewhere within that it seems there is a call to graph.microsoftazure.us. Why this call is made is not visible to me, but let's assume that it is required. The use of the graph api is normal and expected for a consumer app; Consider please that this rule is catching all users including those who do not have any RBAC privilege to Azure or Azure AD, so whatever the nature of the API calls, they can't be considered as Azure Management.
My takeaway is that the conditional access app-based conditions need to be rethunk - one of the following:
a) to find a way to greenlight "internal" calls
b) to define an appropriate "App" that can be used in an exception rule to allow explicit greenlight for whatever is being caught here by mistake.
c) redefine "Microsoft Azure Management" app to exclude all consumer authentication/consent scenarios
d) create some other new conditional access condition that can legitimately match on Azure Management similar to the way we have now for AAD roles, e.g. according to Azure RBAC roles held (or a simple do you have _any_ RBAC assignment).
The workaround that I can think of for now is to define and use an Azure AD group in the conditional access policy, and use a script to periodically resync group membership against all people with active Azure RBAC roles. This doesn't directly solve the problem but it limits unnecessary MFA on powerapps to just the Azure administrators who will be enrolled and familiar with it for Azure admin purposes.
Regards
Ben
- Marked as answer by Marilee Turscak - MSFT, Microsoft employee, Owner, Friday, November 16, 2018 9:55 PM
Friday, November 9, 2018 9:58 PM
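The group-resync workaround described in the answer above, written out as an added example (this is not Ben's script and not a Microsoft-provided tool). It assumes the Az (Az.Accounts, Az.Resources) and AzureAD PowerShell modules are installed, that the caller can read role assignments on every subscription of interest and manage the target group, and that `$TargetGroupId` is replaced with the object id of the group referenced by the Conditional Access policy. Assignments granted through groups are expanded to their user members so that indirect administrators are included, and the script refuses to remove anyone if it found no assignments at all, which guards against a failed enumeration emptying the group.

```powershell
# Added example: keep an Azure AD group in sync with every user who holds an Azure RBAC assignment.
# Assumptions: Az.Accounts, Az.Resources and AzureAD modules are installed; the caller has Reader on
# each subscription and can manage the target group. $TargetGroupId is a placeholder for your own group.
param(
    [Parameter(Mandatory)] [string] $TargetGroupId,
    [switch] $DryRun
)

Connect-AzAccount | Out-Null
Connect-AzureAD   | Out-Null

# Object ids of every user who should be in the group after this run.
$desired = [System.Collections.Generic.HashSet[string]]::new()

function Expand-GroupUsers {
    # Recursively add the user members of a group (and its nested groups) to $desired.
    param([string] $GroupId, [System.Collections.Generic.HashSet[string]] $Seen)
    if (-not $Seen.Add($GroupId)) { return }   # already expanded; also breaks nested-group loops
    foreach ($m in Get-AzureADGroupMember -ObjectId $GroupId -All $true) {
        switch ($m.ObjectType) {
            'User'  { [void]$desired.Add($m.ObjectId) }
            'Group' { Expand-GroupUsers -GroupId $m.ObjectId -Seen $Seen }
        }
    }
}

$seenGroups = [System.Collections.Generic.HashSet[string]]::new()
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    # Without -Scope, Get-AzRoleAssignment lists assignments at subscription scope and below,
    # including those inherited from management groups.
    foreach ($ra in Get-AzRoleAssignment) {
        switch ($ra.ObjectType) {
            'User'  { [void]$desired.Add($ra.ObjectId) }
            'Group' { Expand-GroupUsers -GroupId $ra.ObjectId -Seen $seenGroups }
            # Service principals never sign in interactively, so they are not relevant to MFA policy.
        }
    }
}

if ($desired.Count -eq 0) {
    throw "No RBAC assignments found in any subscription; refusing to empty the group."
}

# Current user members of the target group.
$current = [System.Collections.Generic.HashSet[string]]::new()
foreach ($m in Get-AzureADGroupMember -ObjectId $TargetGroupId -All $true) {
    if ($m.ObjectType -eq 'User') { [void]$current.Add($m.ObjectId) }
}

# Reconcile: add users who gained a role, remove users who no longer hold any role.
$toAdd    = @($desired.Where({ -not $current.Contains($_) }))
$toRemove = @($current.Where({ -not $desired.Contains($_) }))

foreach ($id in $toAdd) {
    Write-Host "Adding $id to group $TargetGroupId"
    if (-not $DryRun) { Add-AzureADGroupMember -ObjectId $TargetGroupId -RefObjectId $id }
}
foreach ($id in $toRemove) {
    Write-Host "Removing $id from group $TargetGroupId"
    if (-not $DryRun) { Remove-AzureADGroupMember -ObjectId $TargetGroupId -MemberId $id }
}

Write-Host ("Sync complete: {0} users with RBAC roles, {1} added, {2} removed" -f $desired.Count, $toAdd.Count, $toRemove.Count)
```

Run it first with `-DryRun` to review the planned changes, then schedule it (for example from an automation account or a scheduled task) at whatever interval your RBAC churn justifies. Because the Conditional Access policy then targets the group rather than the "Microsoft Azure Management" cloud app alone, the Power Apps false positive only affects people who hold Azure roles and are already enrolled in MFA.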
All replies
-
Could you provide us the Support Ticket Number for us to check on it?
Friday, November 9, 2018 12:06 PM
-
-
We see that the Case has been Closed on your consent owing to Product Design. Let us know if you need further assistance.
Thursday, November 15, 2018 4:46 AM
-
I think this is a larger issue as Ben alluded to regarding Conditional Access and Cloud App conditions. Excluding an app doesn't grab all of its dependencies. And sometimes, those dependencies aren't selectable within the policy to be excluded.
Monday, March 18, 2019 2:07 PM