Mio's ability to translate messages across platforms relies on being able to refresh and generate certain tokens within your organization.
When a Conditional Access Policy (CAP) is configured that blocks Mio from accessing tokens, admins will receive a warning message from the Mio bot.
In this article, we clarify several CAP configurations that block Mio from being able to access tokens and cause admins to receive this message. If your organization has configured any of these settings, please proceed with the included steps to exclude Mio from your Conditional Access Policy.
Problematic CAP access controls
Multi-Factor Authentication (MFA)
When an MFA policy is configured, Mio cannot refresh tokens.
When a sign-in frequency setting is configured, Mio cannot refresh certain tokens used for Microsoft Teams guest accounts.
Blocking "Grant" or "Session" access
When a CAP is configured that blocks "Grant" or "Session" access and has conditions that block Mio, Mio cannot issue or generate tokens.
If your organization has configured any of these CAPs, complete the following steps to exclude Mio.
Note: There may be additional CAP configurations that require Mio to be excluded.
How to exclude Mio from my Conditional Access Policy
Visit Azure Active Directory > Security > Conditional Access.
Under Policies, select your organization's CAP.
Select the link below Cloud apps or actions.
Under Select what this policy applies to, select Cloud apps.
Select Exclude > Select excluded cloud apps > None.
Search for Mio in the search bar and click the check box next to the Mio app. Click Select.
Click Create at the bottom of the page to enable these changes.
After reconfiguring your CAP, visit the User Sync page in the Mio hub to prompt users to re-sync their accounts.
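The following added example (not part of Mio's documentation or tooling) checks Conditional Access policies exported as JSON in the Microsoft Graph conditionalAccessPolicy shape for the controls listed under "Problematic CAP access controls", so the exclusion is applied only to policies that need it. MIO_APP_ID is a placeholder, the sample policies are constructed, and treating a "Grant" block as the `block` built-in control is an assumption.

```python
import json

MIO_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not Mio's real app ID

def applies_to_app(policy, app_id):
    """True if the policy targets the app and does not already exclude it."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    if app_id in (apps.get("excludeApplications") or []):
        return False
    included = apps.get("includeApplications") or []
    return "All" in included or app_id in included

def problematic_controls(policy):
    """Return the controls named in this article that the policy enforces."""
    builtin = (policy.get("grantControls") or {}).get("builtInControls") or []
    found = [c for c in ("mfa", "block") if c in builtin]
    freq = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if freq.get("isEnabled"):
        found.append("signInFrequency")
    return found

def policies_needing_exclusion(policies, app_id=MIO_APP_ID):
    """Map policy name -> blocking controls, for enforced policies only."""
    report = {}
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies are not enforced
        controls = problematic_controls(policy)
        if controls and applies_to_app(policy, app_id):
            report[policy["displayName"]] = controls
    return report

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects.
SAMPLE = json.loads("""[
 {"displayName": "Require MFA for all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Guest sign-in frequency", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-000000000000"]}},
  "sessionControls": {"signInFrequency": {"value": 8, "type": "hours", "isEnabled": true}}},
 {"displayName": "Block legacy (report-only)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "MFA + 1h session", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
  "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": true}}}
]""")
```

Policies that already exclude the app, or that are disabled or report-only, are left out of the result, which keeps the exclusion scoped to the policies that actually block token refresh.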