
# Custom Security Attributes for Conditional Access App Exclusions

## Overview

The baseline uses **Custom Security Attributes (CSA)** to dynamically exclude applications from Conditional Access policies. Instead of hardcoding app IDs in each policy, you can simply “tag” an application, and all relevant CA policies will automatically exclude it.

This approach provides:

- **Flexibility**: Exclude apps without modifying CA policies
- **Scalability**: Works with any app, including custom/LOB apps
- **Auditability**: Tags are visible in the Entra portal on each app

## Available Tags

| Tag Value | Description | Affected CA Policies |
|-----------|-------------|----------------------|
| `IntuneComplianceExcluded` | Excludes app from **all** Intune compliance requirements | Modern, Mobile, Browser compliance policies |
| `ModernIntuneComplianceExcluded` | Excludes from desktop/modern client compliance only | MWU [MODERN] Require Intune Compliant & MFA |
| `MobileIntuneComplianceExcluded` | Excludes from mobile compliance only | MWU [MOBILE] Require Intune Compliant |
| `MobileAppProtectionExcluded` | Excludes from mobile app protection requirements | MWU [MOBILE] Require App Protection |
| `BrowserIntuneComplianceExcluded` | Excludes from browser compliance only | MWU [BROWSER – MODERN] Require Intune Compliance |
| `BrowserStrongAuthExcluded` | Excludes from browser strong auth requirements | MWU [BROWSER – MODERN] Require Strong Authentication |

> **Tip**: Use `IntuneComplianceExcluded` as a catch-all to exclude an app from all compliance policies except MFA.

## Common Apps That Need Tagging

These Microsoft apps often need to be excluded from device compliance because they run in contexts where device compliance cannot be evaluated:

| Application | App ID | Recommended Tag |
|-------------|--------|-----------------|
| **Azure Virtual Desktop** | `9cdead84-a844-4324-93f2-b2e6bb768d07` | `IntuneComplianceExcluded` |
| **Azure VPN** | `41b23e61-6c1e-4545-b367-cd054e0ed4b4` | `IntuneComplianceExcluded` |
| **Azure Windows VM Sign-In** | `372140e0-b3b7-4226-8ef9-d57986796201` | `IntuneComplianceExcluded` |

## How to Tag an Application

### Prerequisites

- **Entra ID P1/P2 license** (for Custom Security Attributes)
- **Attribute Assignment Administrator** role (or Global Admin)
- The app must exist as an **Enterprise Application** in your tenant

### Step-by-Step Instructions

#### 1. Navigate to the Enterprise Application

1. Go to [Microsoft Entra admin center](https://entra.microsoft.com)

2. Navigate to **Identity** → **Applications** → **Enterprise applications**

3. Search for the application by name or App ID

4. Click on the application to open it

#### 2. Add the Custom Security Attribute

1. In the application’s menu, click **Properties**

2. Scroll down to **Custom security attributes** section

3. Click **Add assignment**

4. Configure the attribute:

   - **Attribute set**: `BaselineCSAAppExclusions`
   - **Attribute name**: `CAExclusion`
   - **Assigned values**: Select the appropriate tag(s), e.g., `IntuneComplianceExcluded`

5. Click **Save**

#### 3. Verify the Tag

1. The tag should now appear under Custom security attributes

2. Test sign-in to the application to verify CA policies are behaving as expected
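The same tagging procedure, scripted with the Microsoft Graph PowerShell SDK so it can be repeated or audited. This is an added example, not the baseline's own tooling; it assumes the `Microsoft.Graph` module is installed and the signed-in account holds Attribute Assignment Administrator. The attribute set, attribute name and the Azure Virtual Desktop App ID are the values from this page.

```powershell
# Added example: tag an Enterprise Application with the CAExclusion attribute
# and read the assignment back. Assumes Microsoft.Graph PowerShell SDK and an
# account holding Attribute Assignment Administrator.
Connect-MgGraph -Scopes "CustomSecAttributeAssignment.ReadWrite.All", "Application.Read.All"

$appId = "9cdead84-a844-4324-93f2-b2e6bb768d07"   # Azure Virtual Desktop (from the table above)
$tags  = @("IntuneComplianceExcluded")            # must be one of the allowedValues (usePreDefinedValuesOnly)

# Resolve the Enterprise Application (service principal) by its App ID.
# An app that only exists as an App Registration has no service principal to tag.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    throw "No service principal found for appId $appId. Create the Enterprise Application first."
}

# CAExclusion is a multi-valued String attribute, so the value is sent as a collection.
# Attribute set and attribute names are case-sensitive, as are the tag values.
$body = @{
    customSecurityAttributes = @{
        BaselineCSAAppExclusions = @{
            "@odata.type"            = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
            "CAExclusion@odata.type" = "#Collection(String)"
            CAExclusion              = $tags
        }
    }
}
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter $body

# Verify the assignment. customSecurityAttributes is only returned when
# explicitly selected; the CAExclusion collection should list the tag just set.
$check = Get-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -Property "id,displayName,appId,customSecurityAttributes"
"$($check.DisplayName) ($($check.AppId)):"
$check.CustomSecurityAttributes.AdditionalProperties | ConvertTo-Json -Depth 5
```

Assigning a value outside the attribute definition's `allowedValues` is rejected by Graph, which is the guard that keeps typos from silently creating an exclusion that no policy filter matches.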

## Troubleshooting

### “Custom security attributes section not visible”

- Ensure you have **Attribute Assignment Reader** role at minimum to view
- Ensure you have **Attribute Assignment Administrator** role to modify

### “Attribute set not found”

The `BaselineCSAAppExclusions` attribute set must be deployed first. This is done automatically by the baseline pipeline. If missing:

1. Check the pipeline ran with `deployCustomAttributes: true`

2. Verify the service principal has **Attribute Definition Administrator** role

### “CA policy still blocking after tagging”

1. Wait 5-10 minutes for replication

2. Clear browser cache/cookies

3. Use a private/incognito window to test

4. Verify the tag value matches exactly (case-sensitive)

## Technical Details

### How It Works

CA policies use an `applicationFilter` with the following syntax:

```
CustomSecurityAttribute.BaselineCSAAppExclusions_CAExclusion -contains "IntuneComplianceExcluded"
```

This filter excludes any application that has the `CAExclusion` attribute set to `IntuneComplianceExcluded`.
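How a CA policy consumes that filter, shown as the Graph payload of a compliant-device policy created with the Microsoft Graph PowerShell SDK. This is an added illustration, not the baseline's own policy definition: the policy name, the break-glass group placeholder and the grant control are assumptions; the filter rule is the one quoted above.

```powershell
# Added example: create a report-only CA policy whose application scope is
# "All" minus every app tagged IntuneComplianceExcluded. Assumes the
# Microsoft.Graph PowerShell SDK; names other than the filter rule are illustrative.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# The applicationFilter rule in exclude mode: apps carrying the tag fall out of scope,
# so no App IDs need to be hardcoded in excludeApplications.
$rule = 'CustomSecurityAttribute.BaselineCSAAppExclusions_CAExclusion -contains "IntuneComplianceExcluded"'

$policy = @{
    displayName = "EXAMPLE Require Intune compliant device (CSA exclusions)"
    state       = "enabledForReportingButNotEnforced"   # report-only until sign-in logs confirm the scope
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: object ID of the break-glass / emergency access group.
            excludeGroups = @("00000000-0000-0000-0000-000000000000")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        applications   = @{
            includeApplications = @("All")
            applicationFilter   = @{ mode = "exclude"; rule = $rule }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Because the filter is evaluated against the attribute at sign-in time, adding or removing the tag on an app changes which policies apply without touching the policy itself; the replication delay noted under Troubleshooting is the reason a freshly tagged app can still be blocked for a few minutes.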

### Attribute Definition

```json
{
  "attributeSet": "BaselineCSAAppExclusions",
  "name": "CAExclusion",
  "type": "String",
  "isCollection": true,
  "usePreDefinedValuesOnly": true,
  "allowedValues": [
    "IntuneComplianceExcluded",
    "BrowserIntuneComplianceExcluded",
    "BrowserStrongAuthExcluded",
    "MobileAppProtectionExcluded",
    "MobileIntuneComplianceExcluded",
    "ModernIntuneComplianceExcluded"
  ]
}
```

## Required Permissions for Service Principal

For the baseline pipeline to manage Custom Security Attributes:

| Role | Purpose |
|------|---------|
| Attribute Definition Administrator | Create/update attribute sets and definitions |
| Attribute Definition Reader | Read attributes (required for CA policy filters) |
| Attribute Assignment Administrator | Assign attribute values to applications |

## Related Documentation

- [Microsoft Docs: Custom security attributes](https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview)
- [Microsoft Docs: Assign custom security attributes to apps](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/custom-security-attributes-apps)
- [Microsoft Docs: Filter for applications in CA policy](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-filter-for-applications)

Updated on December 5, 2025
