|Applies to: Intune|
|This topic applies to both Intune in the classic portal and Intune in the Azure portal preview.|
This topic provides guidance on how to set up app-based conditional access policy for SharePoint Online. App-based CA helps admins to only allow mobile apps that have Intune app protection policies applied to.
To create the app-based CA policy for SharePoint Online
Go the Azure portal and sign in with your credentials.
If you're new to the Azure portal experience read the Azure portal for app protection policies topic.
Choose More services from the left menu, then type Intune in the text box filter.
Choose Intune App Protection > Intune mobile application management > All Settings.
On the Intune mobile application management blade, choose the SharePoint Online tile.
On the Allowed apps blade, choose Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.
When you select the option to only allow apps that are supported by Intune app protection policies, a list containing only the supported apps is displayed.
To assign app-based CA policies to your users
Open the Restricted user groups blade, then choose Add user group.
Select one or more user groups that should get this policy.
You may want some users in the user group you selected in the previous step not to be affected by this policy. In such cases, add the group of users to the exempted user groups list.
On the SharePoint Online blade, choose Exempted user groups, then choose Add user group to open the list of user groups.
Select the groups you want to exempt from this policy.
To modify or delete user groups from an existing app-based CA policy
- Open the Restricted user groups blade, then highlight the user group you want to delete.
- Click on the ellipse to see the delete options.
- Choose Delete to remove the user group from the list.
You can follow the steps procedure to remove a user group from the Exempted user group list.