The last couple of weeks I have had the possibility to work with Microsoft Intune and test mobile device access to cloud workloads from a security point of view, especially Exchange Online access.

During these weeks I have tested many different scenarios and all of those will not fit one post, I decided to create separate shorter ones. In this blog post, I’m going through Azure AD Conditional Access App Protection policy which is preview mode in time of writing (published in April).

What’s App Protection Policy?

Intune app protection policies don’t require mobile-device management (MDM) solution, which enables you to protect your company’s data with or without enrolling devices in a device management solution.

With app protection policy, you can limit access to client applications that have reported to Azure AD has having received Intune app protection policies. For example, you can restrict access to Exchange Online to the Outlook app that has an Intune app protection policy. A Conditional Access policy that requires app protection policy is also known as app protection-based Conditional Access policy.

Your device must be registered to Azure AD before an application can be marked as policy protected.

When Used?

Imagine a scenario where you don’t want enroll devices to Intune (Mobile Device Management – MDM) but want to restrict access only to devices which have the Mobile Application Management (MAM) policy applied (to protect the application and data inside of it).

There is another condition in the Conditional Access which is a bit similar “Require Approved client app” which can be used for example to restrict access to Exchange Online with the Outlook app. Full list of approved apps and scenarios found from here.

Conditional Access Policy Configuration

Example CA policy configuration from my environment where I restrict access to Exchange Online only with the client which has App protection policy (MAM) configured. Worth to mention that currently only Outlook and Onedrive are supported. Also, MAM related Conditional Access policy can be only applied to Android or iOS client platforms. In the last picture below you can see the error if you try to save the policy without selecting Android or iOS as a platform.


  • Users and groups: select targeted users
  • Cloud apps or actions: Office 365 Exchange Online


  • Device platforms: Android & iOS

Access Controls

  • Grant access – Require app protection policy

User Experience

Pictures below are from iOS, app without policy and with MAM policy applied.

First, the user is trying to configure a mailbox to an Outlook which doesn’t have MAM policy in place (not supported) and for that reason, access is denied. The last picture shows an error when using a native client.

Then, the user configures a mailbox to Outlook where MAM policy has been applied.


What’s Intune App Management?

Require App Protection Policy for cloud app access with Conditional Access

Until next time, stay tuned!