How to: Require app protection policy and an approved client app for cloud app access with Conditional Access

People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially insecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps that have Intune app protection policies applied to them.

This article presents three scenarios to configure Conditional Access policies for resources like Office 365, Exchange Online, and SharePoint Online.

In Conditional Access, these client apps are known to be protected with an app protection policy. More information about app protection policies can be found in the article App protection policies overview.

Warning

Not all applications are supported as approved applications or support application protection policies. For a list of eligible client apps, see App protection policy requirement.

Note

"Require one of the selected controls" under grant controls works like an OR clause. It is used within a policy to let users use apps that support either the Require app protection policy or the Require approved client app grant control. If an app is supported by both controls, Require app protection policy is the one enforced. For more information on which apps support the Require app protection policy grant control, see App protection policy requirement.

Scenario 1: Office 365 apps require approved apps with app protection policies

In this scenario, Contoso has decided that all mobile access to Office 365 resources must use approved client apps, like Outlook mobile and OneDrive, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following steps in order to require the use of an approved client app on mobile devices.

Step 1: Configure an Azure AD Conditional Access policy for Office 365

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365 (preview).
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps (preview).
    1. Set Configure to Yes.
    2. Select Mobile apps and desktop clients and Modern authentication clients.
  9. Under Access controls > Grant, select the following options:
    • Require approved client app
    • Require app protection policy (preview)
    • Require all the selected controls
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Configure an Azure AD Conditional Access policy for Exchange Online with ActiveSync (EAS)

For the Conditional Access policy in this step, configure the following components:

  1. Browse to Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  4. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  5. Under Cloud apps or actions > Include, select Office 365 Exchange Online.
  6. Under Conditions:
    1. Client apps (preview):
      1. Set Configure to Yes.
      2. Select Mobile apps and desktop clients and Exchange ActiveSync clients.
  7. Under Access controls > Grant, select Grant access, Require app protection policy, and select Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.

Step 3: Configure Intune app protection policy for iOS and Android client applications

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.

Scenario 2: Browser apps require approved apps with app protection policies

In this scenario, Contoso has decided that all mobile web browsing access to Office 365 resources must use an approved client app, like Edge for iOS and Android, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following steps in order to require the use of an approved client app on mobile devices.

Step 1: Configure an Azure AD Conditional Access policy for Office 365

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365 (preview).
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps (preview).
    1. Set Configure to Yes.
    2. Select Browser.
  9. Under Access controls > Grant, select the following options:
    • Require approved client app
    • Require app protection policy (preview)
    • Require all the selected controls
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Configure Intune app protection policy for iOS and Android client applications

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.

Scenario 3: Exchange Online and SharePoint Online require an approved client app and app protection policy

In this scenario, Contoso has decided that users may only access email and SharePoint data on mobile devices as long as they use an approved client app like Outlook mobile protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.

Organizations must complete the following three steps in order to require the use of an approved client app on mobile devices and Exchange ActiveSync clients.

Step 1: Policy for Android- and iOS-based modern authentication clients, requiring the use of an approved client app and an app protection policy when accessing Exchange Online and SharePoint Online.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  6. Under Cloud apps or actions > Include, select Office 365 Exchange Online and Office 365 SharePoint Online.
  7. Under Conditions, select Device platforms.
    1. Set Configure to Yes.
    2. Include Android and iOS.
  8. Under Conditions, select Client apps (preview).
    1. Set Configure to Yes.
    2. Select Mobile apps and desktop clients and Modern authentication clients.
  9. Under Access controls > Grant, select the following options:
    • Require approved client app
    • Require app protection policy (preview)
    • Require one of the selected controls
  10. Confirm your settings and set Enable policy to On.
  11. Select Create to create and enable your policy.

Step 2: Policy for Exchange ActiveSync clients requiring the use of an approved client app.

  1. Browse to Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  4. Under Assignments, select Users and groups.
    1. Under Include, select All users or the specific Users and groups you wish to apply this policy to.
    2. Select Done.
  5. Under Cloud apps or actions > Include, select Office 365 Exchange Online.
  6. Under Conditions:
    1. Client apps (preview):
      1. Set Configure to Yes.
      2. Select Mobile apps and desktop clients and Exchange ActiveSync clients.
  7. Under Access controls > Grant, select Grant access, Require app protection policy, and select Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.

Step 3: Configure Intune app protection policy for iOS and Android client applications

Review the article How to create and assign app protection policies for steps to create app protection policies for Android and iOS.
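The difference between "Require all the selected controls" (Scenario 1) and "Require one of the selected controls" (Scenario 3, and the Note at the top of this article) is easy to get wrong when reviewing policies. The following is an added example, not code from this article or from Microsoft: it writes the three policies above in the field names of the Microsoft Graph conditionalAccessPolicy resource and evaluates constructed sign-ins against them. The evaluation logic is a simplification of the rules stated on this page, not the Azure AD engine; the two first-party app IDs are well-known values, and the Office 365 group is expanded only to the two services this article covers.

```python
# Added example (not from the article or Microsoft). Field names follow the Graph
# conditionalAccessPolicy resource; the evaluation is a simplification of this page.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"    # well-known app ID
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"  # well-known app ID
OFFICE_365 = "Office365"  # Graph alias for the Office 365 app group
O365_MEMBERS = {EXCHANGE_ONLINE, SHAREPOINT_ONLINE}  # only the members used here
APPROVED_APP = "approvedApplication"     # "Require approved client app"
APP_PROTECTION = "compliantApplication"  # "Require app protection policy"

def policy(name, apps, client_types, controls, operator, platforms=()):
    return {"displayName": name,
            "conditions": {"applications": {"includeApplications": list(apps)},
                           "platforms": {"includePlatforms": list(platforms)},
                           "clientAppTypes": list(client_types)},
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}

# Scenario 1 step 1 (AND); Scenario 3 step 1 (OR) plus its step 2 EAS policy.
SCENARIO_1 = [policy("S1 Office 365 mobile", [OFFICE_365], ["mobileAppsAndDesktopClients"],
                     [APPROVED_APP, APP_PROTECTION], "AND", ["android", "iOS"])]
SCENARIO_3 = [policy("S3 modern auth", [EXCHANGE_ONLINE, SHAREPOINT_ONLINE],
                     ["mobileAppsAndDesktopClients"],
                     [APPROVED_APP, APP_PROTECTION], "OR", ["android", "iOS"]),
              policy("S3 EAS", [EXCHANGE_ONLINE], ["exchangeActiveSync"],
                     [APP_PROTECTION], "AND")]

def in_scope(p, s):
    c = p["conditions"]
    apps = set(c["applications"]["includeApplications"])
    if OFFICE_365 in apps:
        apps |= O365_MEMBERS
    plats = c["platforms"]["includePlatforms"]
    return (s["app"] in apps and s["clientAppType"] in c["clientAppTypes"]
            and (not plats or s["platform"] in plats))

def grant_met(p, s):
    g = p["grantControls"]
    controls = g["builtInControls"]
    if g["operator"] == "AND":
        return all(ctrl in s["satisfies"] for ctrl in controls)
    # OR: per the Note above, a client that supports app protection policy has
    # that control enforced; otherwise any one selected control suffices.
    if APP_PROTECTION in controls and APP_PROTECTION in s["supports"]:
        return APP_PROTECTION in s["satisfies"]
    return any(ctrl in s["satisfies"] for ctrl in controls)

def access_granted(policies, s):
    """A sign-in is allowed only when every in-scope policy's grant is met."""
    return all(grant_met(p, s) for p in policies if in_scope(p, s))

# Constructed sign-in: an approved iOS client that supports only the approved-app control.
APPROVED_ONLY = {"app": EXCHANGE_ONLINE, "clientAppType": "mobileAppsAndDesktopClients",
                 "platform": "iOS", "supports": {APPROVED_APP}, "satisfies": {APPROVED_APP}}
```

Under Scenario 1's AND operator `APPROVED_ONLY` is blocked; under Scenario 3's OR operator it is allowed, while a client that supports both controls still has the app protection policy enforced.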

Next steps

What is Conditional Access?

Conditional access components

Common Conditional Access policies