In today's edition of “I have no idea what Conditional Access is doing”, somehow the Duo Azure AD Sync enterprise application is matching a policy that only includes the predefined “Office365 app”.

@merill @JefTek @nathanmcnulty Is there something I'm missing here that makes 3rd party enterprise apps match the Office365 app in CA policies?

@crh @merill @JefTek @nathanmcnulty I don't think I've ever seen wording like that, "Office 365 app included" - very odd
@allthingssec @crh @JefTek @nathanmcnulty Maybe it is using one of the Microsoft app ids
@merill @allthingssec @JefTek @nathanmcnulty Is there a list of those somewhere for what’s covered in the Office365 app? I found the list of services covered by it.

@crh @merill @allthingssec @nathanmcnulty If I had to guess, it is likely requesting a token for the MS Graph API and is resolving to the O365 app group, which has it?

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/reference-office-365-application-contents

Office 365 App in Conditional Access reference - Microsoft Entra

What are all of the services included in the Office 365 app in Azure AD Conditional Access

@JefTek @merill @allthingssec @nathanmcnulty Oh interesting, it does show the resource in the CA log as Graph which would be covered by 365.

In this scenario, is excluding the Duo app from the CA policy supposed to work?

@crh @JefTek @merill @allthingssec If you have the conditions to repro, I have Duo in my tenant that I can use to test ;)

@nathanmcnulty @JefTek @merill @allthingssec Enable the Azure AD user sync. That’s the app which is having the issue.

Oddly the trusted endpoints sync uses a service principal. The user sync seems a little odd how they do it.

Synchronizing Users and Admins into Duo from Azure AD

Learn how to synchronize Duo users and groups or Duo administrators from your Azure Active Directory (AAD) domain.

Duo Security

@crh @nathanmcnulty @merill @allthingssec FYI - This is because the Duo Azure AD Sync app/client is making a call to MS Graph API which brings it in scope of policies targeting the Office365 app group. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/reference-office-365-application-contents

For this kind of automation Duo should be using a service principal vs a user account I would think though.

You cannot scope a CA policy to include/exclude the MS Graph API explicitly, but it is included in the O365 App. You can also use CA App Filtering as Caleb explains in this CA Deep Dive Video. https://www.youtube.com/watch?v=HylR3JLUtMs


@nathanmcnulty Very weird sign in logs after it’s authorized - it always shows the IP of the original authorization even though it’s obviously running in Duo cloud, the user agent is something like “PageGetter” and the platform is just generic “Windows”.

I almost think they’re doing something like token replay to keep the auth alive.
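Two points in the thread lend themselves to a log check: a third-party app lands in scope of an Office 365 policy because the resource it requests (Microsoft Graph) is part of the Office 365 app, and the sync's sign-ins look odd (same IP as the original authorization, a "PageGetter" user agent, generic platform). The script below is an added example, not code from anyone in the thread or from Duo or Microsoft; it runs over constructed sign-in records that mirror the field names of an Entra sign-in log export (appDisplayName, resourceDisplayName, ipAddress, userAgent, appliedConditionalAccessPolicies). The list of first-party app names and the subset of Office 365 resources are illustrative assumptions; the Microsoft reference page linked above is the authoritative list.

```python
"""Triage sign-in log records: which third-party apps fall under the Office 365
Conditional Access app because of the resource they call, and which (user, app)
pairs show the pattern the thread describes for the Duo user sync, i.e. a user
account doing automation from one fixed IP and user agent for weeks.

Added example with constructed data; nothing here is real tenant data.
"""
from collections import defaultdict
from datetime import datetime

# Illustrative subset (assumption) of resources covered by the Office 365 app.
# Microsoft Graph is the one that pulls the Duo sync into scope.
OFFICE365_COVERED_RESOURCES = {
    "Microsoft Graph",
    "Office 365 Exchange Online",
    "Office 365 SharePoint Online",
}

# Illustrative first-party app names (assumption); anything else is treated
# as a third-party enterprise app for the purposes of this check.
MICROSOFT_FIRST_PARTY_APPS = {"Outlook", "Microsoft Teams", "OfficeHome"}


def _event(ts, upn, app, resource, ip, ua, policies):
    """Build one constructed sign-in record using sign-in log field names."""
    return {
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "appDisplayName": app,
        "resourceDisplayName": resource,
        "ipAddress": ip,
        "userAgent": ua,
        "appliedConditionalAccessPolicies": [
            {"displayName": p, "result": "success"} for p in policies
        ],
    }


# Constructed sample sign-ins. The three Duo rows repeat the same IP and user
# agent across two weeks, as the thread observed; the others are controls.
SAMPLE_SIGNINS = [
    _event("2023-06-01T02:00:00Z", "svc-duo@contoso.example", "Duo Azure AD Sync",
           "Microsoft Graph", "203.0.113.10", "PageGetter", ["Require MFA for Office 365"]),
    _event("2023-06-08T02:00:00Z", "svc-duo@contoso.example", "Duo Azure AD Sync",
           "Microsoft Graph", "203.0.113.10", "PageGetter", ["Require MFA for Office 365"]),
    _event("2023-06-15T02:00:00Z", "svc-duo@contoso.example", "Duo Azure AD Sync",
           "Microsoft Graph", "203.0.113.10", "PageGetter", ["Require MFA for Office 365"]),
    _event("2023-06-02T09:15:00Z", "alice@contoso.example", "Outlook",
           "Office 365 Exchange Online", "198.51.100.7", "Mozilla/5.0", ["Require MFA for Office 365"]),
    _event("2023-06-03T10:00:00Z", "bob@contoso.example", "Contoso HR Portal",
           "Contoso HR API", "198.51.100.8", "Mozilla/5.0", []),
]


def office365_scope_reason(event):
    """Return the covered resource that places this sign-in under the Office 365
    app, or None when the resource is outside that app."""
    resource = event["resourceDisplayName"]
    return resource if resource in OFFICE365_COVERED_RESOURCES else None


def third_party_apps_in_office365_scope(events):
    """Map third-party app name -> set of Office 365 resources it requested.
    An app listed here is hit by any policy that targets the Office 365 app,
    even if the policy never names the app itself."""
    hits = defaultdict(set)
    for e in events:
        if e["appDisplayName"] in MICROSOFT_FIRST_PARTY_APPS:
            continue
        reason = office365_scope_reason(e)
        if reason:
            hits[e["appDisplayName"]].add(reason)
    return dict(hits)


def fixed_origin_sessions(events, min_days=7, min_count=3):
    """Flag (user, app) pairs whose sign-ins all share one IP and one user agent
    over at least min_days: the shape of a user account kept alive for automation,
    which the thread suggests should be a service principal instead."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["userPrincipalName"], e["appDisplayName"])].append(e)
    flagged = []
    for (upn, app), evs in by_key.items():
        ips = {e["ipAddress"] for e in evs}
        uas = {e["userAgent"] for e in evs}
        times = sorted(datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
                       for e in evs)
        span_days = (times[-1] - times[0]).days
        if len(evs) >= min_count and len(ips) == 1 and len(uas) == 1 and span_days >= min_days:
            flagged.append({"user": upn, "app": app, "ip": ips.pop(),
                            "userAgent": uas.pop(), "spanDays": span_days, "count": len(evs)})
    return flagged


if __name__ == "__main__":
    for app, resources in third_party_apps_in_office365_scope(SAMPLE_SIGNINS).items():
        print(f"{app}: in Office 365 CA scope via {sorted(resources)}")
    for f in fixed_origin_sessions(SAMPLE_SIGNINS):
        print(f"{f['user']} / {f['app']}: {f['count']} sign-ins over {f['spanDays']} days "
              f"from {f['ip']} with UA {f['userAgent']!r}")
```

On the constructed data the first function reports only Duo Azure AD Sync (via Microsoft Graph), which is exactly why an Office 365 policy applies to it; the HR portal is third-party but calls a non-Office resource, so it stays out. The second function flags the Duo user account as a fixed-origin long-lived session, the kind of row worth reviewing against the app's expected behaviour rather than treating as a compromised user.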