Evaluation of Conditional Access Policies in Microsoft Entra ID is relatively simple and straightforward. But what many administrators don’t realize are the background dependencies between different services, called service dependencies.

A nice example of this is Microsoft Teams, which uses SharePoint Online and many other services in the background. These dependencies are either early-bound or late-bound.

Early-bound dependencies in Microsoft Entra ID

An early-bound dependency is, for example, the aforementioned SharePoint Online within Teams. Early-bound dependencies must be satisfied to be able to access the service. Therefore, if the policy blocks SharePoint Online, access to Teams will be denied.

Late-bound dependencies in Microsoft Entra ID

Late-bound dependencies, on the other hand, will allow access and only block the component that is blocked in the Conditional Access policy. An example of this in Teams would be Planner. Teams will work, only Planner within Teams will be blocked.

Office 365 service dependencies

Dependencies especially in Office 365 services can be complicated. Moreover, there are new services added regularly to the Office 365 suite and it would be complicated to keep up with all changes and reflect those changes accordingly in conditional access policies.

Client appsDownstream serviceEnforcement
Azure Data LakeWindows Azure Service Management API (portal and API)Early-bound
Microsoft ClassroomExchangeEarly-bound
Microsoft TeamsExchangeEarly-bound
MS PlannerLate-bound
Microsoft StreamLate-bound
Skype for Business OnlineEarly-bound
Microsoft WhiteboardLate-bound
Office PortalExchangeLate-bound
Outlook groupsExchangeEarly-bound
Power AppsWindows Azure Service Management API (portal and API)Early-bound
Windows Azure Active DirectoryEarly-bound
Power AutomatePower AppsEarly-bound
ProjectDynamics CRMEarly-bound
Skype for BusinessExchangeEarly-bound
Visual StudioWindows Azure Service Management API (portal and API)Early-bound
Microsoft FormsExchangeEarly-bound
Microsoft To-DoExchangeEarly-bound
Office 365 service dependencies as of February 2, 2024. Source: https://learn.microsoft.com/en-us/entra/identity/conditional-access/service-dependencies

That is the reason why there is the Office 365 app in conditional access policies. When using the Office 365 app, all services and all dependencies are included and covered automatically. Even those that will be added in the future will be automatically included.

Unless you really need to target only one specific Office 365 service, it is always recommended to select the Office 365 app instead of manually selecting each individual services from the Office 365 suite.