Cloud Drive Mapper (CDM) is listed as an Enterprise Application in your 365 tenant, so it is fully compliant with any Conditional Access (CA) policies that are in use. If CDM needs to be excluded from MFA, this can be done by excluding it from the CA policies that control MFA.


To do this, log in to Azure admin, navigate to Azure Active Directory / Security / Conditional Access, and select the policy that you want to exclude CDM from.


There is currently a limitation with how excluding apps can be achieved. We have spoken to Microsoft about it and they confirmed that it's a known issue. It means that the option to include all cloud apps and exclude a single app does not work.

To exclude CDM, first set the include section to 'Select apps' and add all required apps individually:




Then the exclude section needs to list the Cloud Drive Mapper app:




This will then exclude CDM from MFA that is controlled by the CA policy. 


Update as of 27th March 2024:


We have found that this process doesn't always work and CDM is not being excluded from MFA. The problem isn't directly with Cloud Drive Mapper itself, but with how it uses Microsoft Graph and SharePoint under the hood (in a Conditional Access policy these are known as 'Service Dependencies').
 
Excluding Cloud Drive Mapper from MFA isn't the answer, because Cloud Drive Mapper isn't the reason for the MFA prompts. The real reason is that we are accessing downstream services such as Microsoft Graph and Microsoft SharePoint at the early-bound level.
 
Early-bound is the key point here, as that is why MFA is triggered. We can't control the enforcement: Microsoft has set the enforcement level for accessing Graph/Teams/SharePoint to "early-bound".
 
Microsoft Stream/Microsoft Planner show as "late-bound"; Microsoft is a bit less restrictive on those apps.
 
Microsoft has an app in Conditional Access named 'Office 365'. This application is the entire Microsoft stack under the hood. Microsoft won't let you bypass Microsoft SharePoint or Microsoft Graph from our app; it doesn't work like this.
 
Ultimately, if the 'Office 365' app is in the INCLUDE list of the MFA policy, then CDM will get MFA prompts, because we are targeting a resource in that stack. Ticking 'All cloud apps' in the include section brings in Office 365 too.
 
So, unfortunately, excluding Cloud Drive Mapper will do absolutely nothing. We are hitting the Microsoft stack, and that is what needs to be excluded.
 
We know Cloud Drive Mapper is a desktop app, not a browser, so you can possibly target the 'client app' (being a desktop app) and not tick 'browser'. This in turn still allows MFA prompts via a browser to portal.office.com, sharepoint.com, etc.
 
But other apps such as Teams desktop client/OneDrive would then be excluded as desktop apps.
 
We can only advise in this area though at this time, we're still doing some tests on this here.
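
An added example, not IAM Cloud's or Microsoft's code: a check over Conditional Access policies exported as JSON from Microsoft Graph that reports whether a policy will still prompt CDM for MFA under the rules described above. The CDM application ID is a placeholder, the sample policies are constructed, and the check only recognises the 'All' and 'Office365' include values, not individually selected Graph or SharePoint apps.

```python
import json

# Placeholder GUID: the page does not give Cloud Drive Mapper's application ID.
CDM_APP_ID = "00000000-0000-0000-0000-000000000c0d"
STACK_TARGETS = {"All", "Office365"}  # include values that pull in Graph/SharePoint
DESKTOP_CLIENTS = {"all", "mobileAppsAndDesktopClients"}

def cdm_mfa_verdict(policy, cdm_app_id=CDM_APP_ID):
    """Return (prompts_cdm, reason) for one exported conditionalAccessPolicy object."""
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    include = set(apps.get("includeApplications") or [])
    exclude = set(apps.get("excludeApplications") or [])
    clients = set(cond.get("clientAppTypes") or ["all"])
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if policy.get("state") != "enabled":
        return False, "policy is not enforced"
    if "mfa" not in controls:
        return False, "policy does not require MFA"
    if not clients & DESKTOP_CLIENTS:
        return False, "desktop clients are not in scope"
    if include & STACK_TARGETS:
        if cdm_app_id in exclude:
            return True, "CDM is excluded, but the Office 365 stack it calls is included"
        return True, "Office 365 stack is included"
    if cdm_app_id in include and cdm_app_id not in exclude:
        return True, "CDM is targeted directly"
    return False, "neither CDM nor the Office 365 stack is in scope"

# Constructed sample export, not taken from a real tenant.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "MFA all apps, CDM excluded", "state": "enabled",
  "conditions": {"clientAppTypes": ["all"], "applications": {
    "includeApplications": ["All"],
    "excludeApplications": ["00000000-0000-0000-0000-000000000c0d"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA Office 365, browser only", "state": "enabled",
  "conditions": {"clientAppTypes": ["browser"], "applications": {
    "includeApplications": ["Office365"], "excludeApplications": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Report-only", "state": "enabledForReportingButNotEnforced",
  "conditions": {"clientAppTypes": ["all"], "applications": {
    "includeApplications": ["Office365"], "excludeApplications": []}},
  "grantControls": {"builtInControls": ["mfa"]}}
]""")

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", cdm_mfa_verdict(p))
```

A browser-only policy also stops prompting other desktop clients such as Teams and OneDrive, so a "desktop clients are not in scope" result should be reviewed rather than treated as a clean pass.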

References:
https://learn.microsoft.com/en-gb/entra/identity/conditional-access/service-dependencies
https://learn.microsoft.com/en-gb/entra/identity/conditional-access/reference-office-365-application-contents


Further information can be obtained from support@iamcloud.com