Microsoft 365 Security Administration: MS-500 Exam Guide

App-based Conditional Access

Intune allows you to create app protection policies and, together with app-based Conditional Access, ensure that only apps that support these policies can access Microsoft 365 services. This is particularly useful for BYOD scenarios, as it lets you further protect your Microsoft 365 environment from requests made by apps on non-corporate-owned devices.

Creating an app-based Conditional Access policy

In order to create an app-based Conditional Access policy, we need to take the following steps:

  1. First, we need to ensure that an Intune app protection policy is applied to the apps we want to control. To do this, we need to log in to the Intune portal and select Client Apps | App protection policies:

    Figure 3.18 – App protection policies

  2. Click on Create policy. In this example, we will create a policy for Microsoft Outlook on Apple devices, named and described as follows:

    Name: Microsoft Outlook on iOS and iPadOS

    Description: Policy for settings and access requirements when using the Outlook App on Apple iOS or iPadOS devices

  3. Under the Targeted apps selection, we need to ensure that Outlook is selected, as in the following screenshot:

    Figure 3.19 – Targeted apps

  4. Next, we need to configure the available settings:

    Figure 3.20 – Targeted apps settings

  5. Review and complete the required settings options for your policy. These are Data Protection, Access Requirements, Conditional Launch, and Scope (Tags).
  6. Once you are happy with your selections, click OK and then click Create. Now that we have our app protection policy, we can proceed to create our app-based Conditional Access policy.
  7. Go to the Intune dashboard and select Conditional Access | Policies | New Policy. We will name this policy Outlook App Policy in this example.
  8. Under Assignments, we can configure the desired settings and apply them to the required users and groups. Mobile Application Management can only be applied to iOS or Android devices, so we must also restrict the policy to those platforms in the Device platforms section:

    Figure 3.21 – Device settings

  9. Next, under Access controls and Grant, we need to select Require approved client app:

    Figure 3.22 – Require approved client apps

  10. Click Select, ensure that Enable policy is set to On, and click Create. We can now see that our new policy is added to our list of existing Conditional Access policies:

    Figure 3.23 – Policy enabled
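The same Outlook App Policy can be defined through the Microsoft Graph PowerShell SDK, which is useful for repeatable deployments and for checking that the platform condition is set correctly. The following is an added example and not code from the book; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the target group ID is a placeholder you replace, and that the Office 365 app group is the cloud app being protected.

```powershell
# Added example (not from the book): build the "Outlook App Policy" via Graph and audit the
# platform caveat. Assumes the Microsoft.Graph.Identity.SignIns module and a CA administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): object ID of the pilot group the policy is assigned to.
$targetGroupId = "<PILOT-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Outlook App Policy"
    state       = "enabled"   # use "enabledForReportingButNotEnforced" to pilot in report-only mode
    conditions  = @{
        users          = @{ includeGroups = @($targetGroupId) }
        applications   = @{ includeApplications = @("Office365") }   # assumption: Office 365 app group
        # Require approved client app only works for iOS and Android, so the
        # platform condition must be restricted to exactly those two platforms.
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication")   # the "Require approved client app" control
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Audit: list every policy that requires an approved client app (or an app protection
# policy) without limiting the platform condition to iOS/Android. On any other platform
# the control cannot be satisfied, so such a policy blocks sign-ins instead of protecting them.
function Get-MisconfiguredAppBasedCAPolicy {
    $appControls = @("approvedApplication", "compliantApplication")
    $mobileOnly  = @("iOS", "android")
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $controls  = @($_.GrantControls.BuiltInControls)
        $platforms = @($_.Conditions.Platforms.IncludePlatforms)
        ($controls | Where-Object { $appControls -contains $_ }) -and
        ( $platforms.Count -eq 0 -or
          ($platforms | Where-Object { $mobileOnly -notcontains $_ }) )
    } | Select-Object DisplayName, State,
        @{ n = "Platforms"; e = { $_.Conditions.Platforms.IncludePlatforms -join "," } }
}

Get-MisconfiguredAppBasedCAPolicy
```

Run the audit function on its own after any portal change to confirm that no app-based policy targets platforms other than iOS and Android.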

Important note

In order to create Conditional Access policies from the Intune portal, an Azure AD Premium license is required.

Next, we will look at how we can monitor device compliance with Conditional Access.