Set up app-based Conditional Access policies with Intune

Set up app-based Conditional Access policies for apps that are part of the list of approved apps. The list of approved apps consists of apps that were tested by Microsoft.


This article walks through the steps to add an app-based Conditional Access policy. You can use the same steps when you add apps like SharePoint Online, Microsoft Teams, and Microsoft Exchange Online from the list of approved apps.

Create app-based Conditional Access policies

Conditional Access is an Azure Active Directory (Azure AD) technology. The Conditional Access node accessed from Intune is the same node as accessed from Azure AD. This means you don't need to switch between Intune and Azure AD to configure policies.


You need to have an Azure AD Premium license to create Conditional Access policies from the Intune portal.

To create an app-based Conditional Access policy


You need to have Intune app protection policies applied to your apps before using app-based Conditional Access policies.

  1. In the Intune Dashboard, select Conditional Access.

  2. In the Policies pane, choose New policy to create your new app-based Conditional Access policy.

  3. After you enter a policy name and configure the settings available in the Assignments section, choose Grant under the Access controls section.

  4. Choose Require approved client app, choose Select, then choose Create to save the new policy.
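
To check the result of these steps, the following added example (not part of the original article or of Microsoft's tooling) audits policies exported from Microsoft Graph (`GET /identity/conditionalAccess/policies`) and reports which apps have no enforced "Require approved client app" grant. The app IDs and the sample export are assumptions, and user and platform assignments are not evaluated.

```python
# Assumption: well-known first-party app IDs; confirm them in your own tenant.
APPS = {
    "Exchange Online": "00000002-0000-0ff1-ce00-000000000000",
    "SharePoint Online": "00000003-0000-0ff1-ce00-000000000000",
}

def requires_approved_app(policy):
    """True only if the policy is enforced and the approved-app control cannot be bypassed."""
    if policy.get("state") != "enabled":  # report-only or disabled: nothing is enforced
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "approvedApplication" not in controls:
        return False
    # With operator OR, any other listed control (for example mfa) satisfies the grant.
    # Simplification: only builtInControls are inspected, not termsOfUse or other grants.
    return grant.get("operator") == "AND" or len(controls) == 1

def targets_app(policy, app_id):
    """True if the policy's cloud-app assignment includes app_id and does not exclude it."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    if app_id in (apps.get("excludeApplications") or []):
        return False
    # "All" and the "Office365" app group both cover the apps listed in APPS.
    return app_id in included or "All" in included or "Office365" in included

def uncovered_apps(policies, apps=APPS):
    """Names of apps that no enforced approved-client-app policy applies to."""
    return sorted(name for name, app_id in apps.items()
                  if not any(requires_approved_app(p) and targets_app(p, app_id)
                             for p in policies))

# Constructed sample export (not real tenant data).
SAMPLE = [
    {"displayName": "EXO approved apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [APPS["Exchange Online"]]}},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
    {"displayName": "SPO report-only", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [APPS["SharePoint Online"]]}},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
    {"displayName": "All apps: MFA or approved app", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "approvedApplication"]}},
]

if __name__ == "__main__":
    print(uncovered_apps(SAMPLE))
```

In the sample, SharePoint Online is reported because its only dedicated policy is report-only and the all-apps policy can be satisfied by MFA alone.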

Next steps

Block apps that don't have modern authentication

See also

Protect app data with app protection policies

Conditional Access in Azure Active Directory