Set up app-based Conditional Access policies with Intune

Set up app-based Conditional Access policies for apps on the list of approved apps, which consists of apps that have been tested by Microsoft.

Before you can use app-based Conditional Access policies, you need to have Intune app protection policies applied to your apps.

This article walks through the steps to add a simple app-based Conditional Access policy. You can use the same steps for other cloud apps. For more information, see Plan Conditional Access deployment.

Create app-based Conditional Access policies

Conditional Access is an Azure Active Directory (Azure AD) technology. The Conditional Access node you access from Intune is the same node that you access from Azure AD. Because it's the same node, you don't need to switch between Intune and Azure AD to configure policies.

Before you can create Conditional Access policies from the Microsoft Endpoint Manager admin center, you must have an Azure AD Premium license.

To create an app-based Conditional Access policy

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Conditional access > New policy.

  3. Enter a policy Name, and then under Assignments, select Users and groups. Use the Include or Exclude options to add your groups for the policy, and select Done.

  4. Select Cloud apps or actions, and choose which apps to protect. For example, choose Select apps, and select Office 365 (preview).

    Select Done to save your changes.

  5. Select Conditions > Client apps to apply the policy to apps and browsers. For example, select Yes, and then enable Browser and Mobile apps and desktop clients.

    Select Done to save your changes.

  6. Under Access controls, select Grant to apply Conditional Access based on device compliance. For example, select Grant access > Require approved client app and Require app protection policy (preview), and then select Require one of the selected controls.

    Choose Select to save your changes.

  7. For Enable policy, select On, and then select Create to save your changes.
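The same policy expressed as a Microsoft Graph conditionalAccessPolicy body, plus a check that flags existing policies that fall short of it. This is an added example, not code from the Microsoft docs; the group object ID is a constructed placeholder, and the POST to Graph is described in a comment rather than performed.

```python
import json

GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Graph names for the grant controls chosen in step 6: "approvedApplication" is
# "Require approved client app", "compliantApplication" is "Require app protection policy".
APP_CONTROLS = {"approvedApplication", "compliantApplication"}
CLIENT_APP_TYPES = ["browser", "mobileAppsAndDesktopClients"]  # step 5

def build_policy(name, include_groups, exclude_groups=(), state="enabled"):
    """Return the Graph JSON body equivalent to portal steps 3 to 7."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": list(include_groups),
                      "excludeGroups": list(exclude_groups)},
            # "Office365" is the Graph identifier for the Office 365 app group (step 4).
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": CLIENT_APP_TYPES,
        },
        # "OR" is "Require one of the selected controls" (step 6).
        "grantControls": {"operator": "OR", "builtInControls": sorted(APP_CONTROLS)},
    }

def audit_policy(policy):
    """List gaps between a policy (as Graph returns it) and the config above."""
    gaps = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        gaps.append("policy is not enabled")
    apps = set((cond.get("applications") or {}).get("includeApplications", []))
    if not apps & {"Office365", "All"}:
        gaps.append("Office 365 is not in scope")
    types = set(cond.get("clientAppTypes", []))
    if "all" not in types and not set(CLIENT_APP_TYPES) <= types:
        gaps.append("browser or mobile/desktop clients are not covered")
    if not set(grant.get("builtInControls") or []) & APP_CONTROLS:
        gaps.append("neither approved client app nor app protection policy is required")
    return gaps

if __name__ == "__main__":
    # "<group-object-id>" is a constructed placeholder for a real Azure AD group id.
    body = build_policy("Office 365: require app protection", ["<group-object-id>"])
    print(json.dumps(body, indent=2))  # POST this to GRAPH_URL with a bearer token
    print(audit_policy(body))          # []
```

Running audit_policy over the objects returned by a GET on GRAPH_URL (with Policy.Read.All or Policy.ReadWrite.ConditionalAccess) shows which tenant policies actually enforce the app-based controls and which are disabled or scoped too narrowly.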

Next steps

Block apps that don't have modern authentication

See also

Protect app data with app protection policies

Conditional Access in Azure Active Directory