Evaluation of Conditional Access Policies in Microsoft Entra ID is relatively simple and straightforward. But what many administrators don’t realize are the background dependencies between different services, called service dependencies.
A nice example of this is Microsoft Teams, which uses SharePoint Online and many other services in the background. These dependencies are either early-bound or late-bound.
Early-bound dependencies in Microsoft Entra ID
An early-bound dependency is, for example, the aforementioned SharePoint Online within Teams. Early-bound dependencies must be satisfied to be able to access the service. Therefore, if the policy blocks SharePoint Online, access to Teams will be denied.
Late-bound dependencies in Microsoft Entra ID
Late-bound dependencies, on the other hand, will allow access and only block the component that is blocked in the Conditional Access policy. An example of this in Teams would be Planner. Teams will work, only Planner within Teams will be blocked.
Office 365 service dependencies
Dependencies especially in Office 365 services can be complicated. Moreover, there are new services added regularly to the Office 365 suite and it would be complicated to keep up with all changes and reflect those changes accordingly in conditional access policies.
| Client apps | Downstream service | Enforcement |
|---|---|---|
| Azure Data Lake | Windows Azure Service Management API (portal and API) | Early-bound |
| Microsoft Classroom | Exchange | Early-bound |
| SharePoint | Early-bound | |
| Microsoft Teams | Exchange | Early-bound |
| MS Planner | Late-bound | |
| Microsoft Stream | Late-bound | |
| SharePoint | Early-bound | |
| Skype for Business Online | Early-bound | |
| Microsoft Whiteboard | Late-bound | |
| Office Portal | Exchange | Late-bound |
| SharePoint | Late-bound | |
| Outlook groups | Exchange | Early-bound |
| SharePoint | Early-bound | |
| Power Apps | Windows Azure Service Management API (portal and API) | Early-bound |
| Windows Azure Active Directory | Early-bound | |
| SharePoint | Early-bound | |
| Exchange | Early-bound | |
| Power Automate | Power Apps | Early-bound |
| Project | Dynamics CRM | Early-bound |
| Skype for Business | Exchange | Early-bound |
| Visual Studio | Windows Azure Service Management API (portal and API) | Early-bound |
| Microsoft Forms | Exchange | Early-bound |
| SharePoint | Early-bound | |
| Microsoft To-Do | Exchange | Early-bound |
That is the reason why there is the Office 365 app in conditional access policies. When using the Office 365 app, all services and all dependencies are included and covered automatically. Even those that will be added in the future will be automatically included.
Unless you really need to target only one specific Office 365 service, it is always recommended to select the Office 365 app instead of manually selecting each individual services from the Office 365 suite.
