Over the last couple of weeks I have had the opportunity to work with Microsoft Intune and test mobile device access to cloud workloads from a security point of view, especially access to Exchange Online.
During these weeks I tested many different scenarios, and since they would not all fit into one post, I decided to write separate, shorter ones. In this blog post I go through the Azure AD Conditional Access App Protection policy, which is in preview at the time of writing (published in April).
What’s App Protection Policy?
Docs.microsoft.com
Intune app protection policies don’t require a mobile-device management (MDM) solution, which enables you to protect your company’s data with or without enrolling devices in a device management solution.
With app protection policy, you can limit access to client applications that have reported to Azure AD as having received Intune app protection policies. For example, you can restrict access to Exchange Online to the Outlook app that has an Intune app protection policy. A Conditional Access policy that requires app protection policy is also known as app protection-based Conditional Access policy.
Your device must be registered to Azure AD before an application can be marked as policy protected.
When Is It Used?
Imagine a scenario where you don’t want to enroll devices in Intune (Mobile Device Management, MDM) but want to restrict access to devices that have a Mobile Application Management (MAM) policy applied (to protect the application and the data inside it).
There is another, somewhat similar control in Conditional Access, “Require approved client app”, which can be used for example to restrict access to Exchange Online to the Outlook app. A full list of approved apps and scenarios is found here.
Conditional Access Policy Configuration
Below is an example CA policy configuration from my environment where I restrict access to Exchange Online to clients that have an app protection policy (MAM) applied. Worth mentioning: currently only Outlook and OneDrive are supported, and a MAM-based Conditional Access policy can only be applied to the Android and iOS client platforms. In the last picture below you can see the error shown if you try to save the policy without selecting Android or iOS as a platform.
Assignments
- Users and groups: select targeted users
- Cloud apps or actions: Office 365 Exchange Online
Conditions
- Device platforms: Android & iOS
Access Controls
- Grant access – Require app protection policy
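The configuration above, and the “Require approved client app” control mentioned earlier, expressed as the Microsoft Graph `conditionalAccessPolicy` request body, with a small check for the constraints described in this post. This is an added example, not code from the original post or from Microsoft. The group ID is a placeholder; the Exchange Online application ID is the well-known first-party value. Nothing here calls Graph: it only builds and validates the body you would POST to `/identity/conditionalAccess/policies`.

```python
"""Build and sanity-check an app protection-based Conditional Access policy.

Added example (not the post's own code). The target group ID is a placeholder;
the Exchange Online app ID is the well-known first-party application ID.
"""
import json

# Well-known application ID of "Office 365 Exchange Online" (same in every tenant).
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Placeholder object ID of the group holding the targeted users (assumption).
TARGET_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# Platforms on which the app-based controls can be enforced (Android and iOS only).
MAM_PLATFORMS = {"android", "iOS"}

# Graph names of the two app-based grant controls discussed in the post.
REQUIRE_APP_PROTECTION = "compliantApplication"  # "Require app protection policy"
REQUIRE_APPROVED_APP = "approvedApplication"      # "Require approved client app"
APP_BASED_CONTROLS = {REQUIRE_APP_PROTECTION, REQUIRE_APPROVED_APP}


def build_policy(display_name, control, platforms=("android", "iOS"),
                 state="enabledForReportingButNotEnforced"):
    """Return the Graph request body for an app-based CA policy on Exchange Online.

    `control` is REQUIRE_APP_PROTECTION or REQUIRE_APPROVED_APP. The policy is
    created in report-only mode so it can be reviewed before it is enforced.
    """
    body = {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": [TARGET_GROUP_ID]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }
    if platforms:  # the device platform condition the post says is mandatory
        body["conditions"]["platforms"] = {"includePlatforms": list(platforms)}
    return body


def validate_policy(policy):
    """Return a list of problems with an app-based policy (empty means OK).

    Mirrors the portal check described in the post (Android/iOS must be selected)
    and flags a grant that lets another control satisfy the policy instead.
    """
    problems = []
    grant = policy.get("grantControls", {})
    controls = set(grant.get("builtInControls", []))
    if not controls & APP_BASED_CONTROLS:
        return problems  # nothing app-based to check

    platforms = set(policy.get("conditions", {})
                          .get("platforms", {})
                          .get("includePlatforms", []))
    if not platforms:
        problems.append("app-based control needs a device platform condition (Android and/or iOS)")
    else:
        unsupported = platforms - MAM_PLATFORMS
        if unsupported:
            problems.append(f"app-based control cannot be enforced on: {sorted(unsupported)}")

    # "Require one of the selected controls": any other control satisfies the grant,
    # so a client without the app protection policy could still get in with, e.g., MFA.
    if grant.get("operator") == "OR" and len(controls) > 1:
        problems.append("operator OR with extra controls lets them bypass the app check; use AND")
    return problems


def policy_json(policy):
    """Serialize the body as it would be sent to Graph."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_policy("Require app protection policy for Exchange Online",
                          REQUIRE_APP_PROTECTION)
    print(policy_json(policy))
    print("problems:", validate_policy(policy))
```

Create the policy with `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` using the printed body and a token holding `Policy.ReadWrite.ConditionalAccess`; switch `state` to `enabled` only after the report-only sign-in results look right.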
User Experience
The pictures below are from iOS, showing the app without a policy and with the MAM policy applied.
First, the user tries to add a mailbox in an Outlook app that doesn’t have the MAM policy in place (not supported), and for that reason access is denied. The last picture shows the error when using a native client.
Then, the user adds a mailbox in Outlook where the MAM policy has been applied.
References
Require App Protection Policy for cloud app access with Conditional Access
Until next time, stay tuned!
Hi,
I have a customer who has ported to Microsoft and they are using Conditional Access Policy.
I’ve made a UWP application and two mobile (Android and iOS) apps which are using an Enterprise Application I created in order to let users log in with their Microsoft accounts to browse their calendar and OneDrive items.
The customer is saying that because the Conditional Access Policy and my application not being listed as an approved client app, they cannot use it. So, they are requesting me to get the application added as an approved application to be able to use it.
I have tried to find information on what I should do in order to get the problem solved, but I’m a little bit lost and not sure what I should do.
I would appreciate it if you can point me in the right direction in order to sort this issue.
Thank you in advance!
Hi Jose, I just headed to vacation but will get back to you later on next week…
Hi Sami, thank You.
Will wait for your answer!
Enjoy!
Hi Jose,
I suggest that we will continue this conversation via email because it might be a long thread 🙂
If you feel the same, you can contact me at samilamppu@hotmail.com. I will have some additional questions regarding your scenario.
Thanks,
Sami
Hi Sami. I created the same conditional policy and it works, but after disabling the policy, the user can’t log in and gets the error “download Company Portal”.
Hi, it’s impossible to say what could cause the problem you are having without any background information from your environment & other CA policies