Applying Conditional Access

Cochran, Joel 106 Reputation points
2021-07-22T20:13:49.987+00:00

I've been struggling a bit with testing Conditional Access and Application Protection policies in our organization. I have been testing on Android and with two different user accounts: one with Azure AD Premium P1 and Intune, and the other without. My questions:

  • If we have an Application Protection policy to prohibit Managed apps from allowing downloading/screenshot/etc., will this be enforced on a user account that doesn't have Intune or Azure AD P1 licenses?
  • I'm really confused about how the application policies are enforced. I signed into Outlook (on Android) with a Microsoft Business Premium licensed user. CA and AP policies made me install the Company Portal app. I did not sign into the Company Portal app, but it did enforce the policies (wouldn't allow a screenshot).
  • I tried the same thing with an Office 365 F3 user, and it made me add the Company Portal app, but did not prevent me from taking a screenshot.
  • I changed that user's license to MBP, waited about 15 minutes, and it still wouldn't prevent me. I even tried re-adding the Company Portal app, but it's not applying the policy.

I'm confused because it seems like the App Protection policy gets applied sometimes when the Company Portal app is just installed and not signed into.


2 answers

Sort by: Most helpful
  1. Rahul Jindal [MVP] 9,151 Reputation points MVP
    2021-07-22T22:38:31.62+00:00

    The Company Portal app acts as a broker on Android devices for APP, while it is the Authenticator app on iOS. In the case of Android you just need Company Portal installed for APP to apply; sign-in is not required. The user will need an Intune license in order for Intune policies to apply.

    1 person found this answer helpful.

  2. Jarvis Sun-MSFT 10,091 Reputation points Microsoft Vendor
    2021-07-23T08:11:13.177+00:00

    @Cochran, Joel Thanks for posting in our Q&A.
    The Company Portal app is required by Intune mobile application management (MAM) scenarios. On Android devices, the Authenticator app includes functions of the broker and might be used as the broker in some situations, such as when the Authenticator was installed before the Company Portal app.
    https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune
    Hope it can help.



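Both answers come back to the same practical check: before chasing the broker (Company Portal vs. Authenticator), confirm that the user actually has an Intune service plan assigned and provisioned, because a license that was just changed can still be in a pending state. The script below is an added example, not code from the thread or from Microsoft; it evaluates the JSON that `GET https://graph.microsoft.com/v1.0/users/{id}/licenseDetails` (or `Get-MgUserLicenseDetail` in the Microsoft Graph PowerShell module) returns, and runs offline on constructed sample payloads. The service plan names `INTUNE_A`, `AAD_PREMIUM` and `AAD_PREMIUM_P2` are assumptions for the example; confirm them against your own tenant's output.

```python
"""Added example: decide from a user's Microsoft Graph licenseDetails payload
whether Intune App Protection Policies (APP) can apply to that user, and flag
plans that are assigned but not yet provisioned (the "changed the license,
waited 15 minutes" case). Runs offline on constructed sample payloads."""
from __future__ import annotations

from dataclasses import dataclass

# Service plan names as they appear in the Graph licenseDetails response.
# These names are assumptions for this example; confirm them against your
# own tenant before relying on them.
INTUNE_PLANS = ("INTUNE_A",)                        # Intune Plan 1
AAD_P1_PLANS = ("AAD_PREMIUM", "AAD_PREMIUM_P2")    # P2 includes P1 features


@dataclass(frozen=True)
class LicenseCheck:
    user: str
    intune: bool              # an Intune plan is assigned and provisioned
    aad_p1: bool              # Entra ID P1 (or P2) is assigned and provisioned
    pending: tuple[str, ...]  # plans assigned but still provisioning


def plan_states(license_details: dict) -> dict[str, str]:
    """Flatten /users/{id}/licenseDetails into {servicePlanName: provisioningStatus}.
    The same plan can arrive through several SKUs; a 'Success' anywhere wins."""
    states: dict[str, str] = {}
    for sku in license_details.get("value", []):
        for plan in sku.get("servicePlans", []):
            name = plan["servicePlanName"]
            status = plan.get("provisioningStatus", "Unknown")
            if states.get(name) != "Success":
                states[name] = status
    return states


def check_user(user: str, license_details: dict) -> LicenseCheck:
    """Summarise whether the plans APP and CA depend on are usable right now."""
    states = plan_states(license_details)

    def provisioned(names: tuple[str, ...]) -> bool:
        return any(states.get(n) == "Success" for n in names)

    # Graph reports PendingProvisioning / PendingActivation / PendingInput
    # for plans that are assigned but not yet live for the user.
    pending = tuple(sorted(n for n, s in states.items() if s.startswith("Pending")))
    return LicenseCheck(user, provisioned(INTUNE_PLANS), provisioned(AAD_P1_PLANS), pending)


def verdict(check: LicenseCheck) -> str:
    """Human-readable expectation for APP enforcement on this user."""
    if check.intune:
        return "APP can apply: Intune plan provisioned"
    if any(p in check.pending for p in INTUNE_PLANS):
        return "APP not yet: Intune plan assigned but still provisioning, re-test later"
    return "APP will not apply: no Intune service plan on this user"


# Constructed sample payloads in the shape of the Graph response (illustrative values).
USER_MBP = {"value": [{"skuPartNumber": "SPB", "servicePlans": [
    {"servicePlanName": "INTUNE_A", "provisioningStatus": "Success", "appliesTo": "User"},
    {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success", "appliesTo": "User"},
    {"servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success", "appliesTo": "User"},
]}]}
USER_JUST_UPGRADED = {"value": [{"skuPartNumber": "SPB", "servicePlans": [
    {"servicePlanName": "INTUNE_A", "provisioningStatus": "PendingProvisioning", "appliesTo": "User"},
    {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "PendingProvisioning", "appliesTo": "User"},
]}]}
USER_NO_INTUNE = {"value": [{"skuPartNumber": "EXAMPLE_SKU_NO_INTUNE", "servicePlans": [
    {"servicePlanName": "EXCHANGE_S_DESKLESS", "provisioningStatus": "Success", "appliesTo": "User"},
]}]}

if __name__ == "__main__":
    samples = (("mbp-user", USER_MBP), ("upgraded-user", USER_JUST_UPGRADED),
               ("frontline-user", USER_NO_INTUNE))
    for name, payload in samples:
        c = check_user(name, payload)
        print(f"{c.user:15} intune={c.intune} aad_p1={c.aad_p1} "
              f"pending={c.pending} -> {verdict(c)}")
```

In practice you would feed `check_user` the live response for the test account, retry while `pending` is non-empty, and only then start looking at which app is acting as the broker on the device.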