Exclude Partner tenant from Huntress Managed Conditional Access Policies
under review
Brian Mock
MSPs manage customer tenants over GDAP, and there are some Huntress Managed CA policies that should allow exclusion of our Microsoft Partner tenant. For example, deployment of the "[HUNTRESS] Restrict Azure Portal Management" policy blocks the partner from accessing the Entra admin center page over GDAP, with the error "Your sign-in was successful but you don't have permission to access this resource". This would be solved by excluding the partner tenant ID.
Kenny Maurer
On second thought, maybe it would be good to create more granular CAs for every single portal, so that all Entra admins can access Entra, all SharePoint admins can access SharePoint, etc. Not sure if that is even possible with CAs?
Kenny Maurer
The same CA "[HUNTRESS] Restrict Azure Portal Management" should also allow Security Groups as exclusions; for example, Azure Application or Subscription Owners without an admin role should be able to access the portal.
Also, it would be great if we could specify which admin roles should be allowed access to the portals directly in Huntress. At the moment the policy only sets Global Admin as an exclusion. For example, "User Admin" should be one of the available exclusions.
Scott Riley
updated the status to: under review
Hi guys, yes, we love this suggestion! It's a reasonably simple lift to add this ability to the standard exclusions for the CA policy.
Matthew Coombe
Great suggestion, and we have just encountered the same issue. Typically we would use a network exclusion for our own VPN static IP as a form of network break glass, to allow our tech staff to bypass this type of Conditional Access block rule, but only if they have our company VPN active. The other exclusion we have used in the past is to exclude Service Provider Users under "External users or guests" in the CA policy. It would be great if either of these exclusion options were available in the Managed Conditional Access Policies from Huntress.
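For reference, the exclusions discussed in this thread (a trusted VPN named location, service-provider external users, a security group, and extra admin roles) can all be expressed in a single Entra Conditional Access policy via Microsoft Graph PowerShell. This is an added example for illustration, not Huntress's managed policy or any poster's own script; the policy targets the Windows Azure Service Management API app ID, the VPN CIDR and group ID are placeholders, and the policy is created in report-only mode so the exclusions can be validated in sign-in logs before enforcement.

```powershell
# Added example: mirror "[HUNTRESS] Restrict Azure Portal Management" with the
# exclusions requested above. Requires Microsoft.Graph PowerShell and admin consent.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# 1. Named location for the MSP's VPN egress IP (placeholder CIDR, replace it).
$vpnLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "MSP break-glass VPN egress"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" })
}

# 2. Well-known directory role template IDs to exclude (Global Admin, User Admin).
$excludedRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "fe930be7-5e62-47db-91af-98c3a49a38b1"   # User Administrator
)
$ownersGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder: Azure subscription owners group

# 3. Block the Azure management endpoint for everyone except the exclusions.
$policy = @{
    displayName = "Restrict Azure Portal Management (with partner exclusions)"
    state       = "enabledForReportingButNotEnforced"   # report-only first; review sign-in logs, then enable
    conditions  = @{
        applications = @{ includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") }  # Windows Azure Service Management API
        users        = @{
            includeUsers  = @("All")
            excludeRoles  = $excludedRoles
            excludeGroups = @($ownersGroupId)
            # GDAP partner technicians sign in as service-provider external users.
            excludeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "serviceProvider"
                externalTenants = @{ "@odata.type" = "#microsoft.graph.conditionalAccessAllExternalTenants"; membershipKind = "all" }
            }
        }
        locations = @{ includeLocations = @("All"); excludeLocations = @($vpnLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Keep the excluded group and VPN range tightly scoped: each exclusion is a path around the block, so the group membership and the named-location IP should be reviewed as break-glass assets.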