Today I realised I totally forgot to add this setting to my App Protection baseline. The setting was released some months ago. You can configure this conditional launch setting within the app protection policy.
You have two options:
Block access: once Intune has confirmed that the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
Wipe data: once Intune has confirmed that the user has been disabled in Azure Active Directory, the app performs a selective wipe of the user's work or school account and data.
In my opinion it is very important that you configure this setting. If you don't configure it and you forget to retire or wipe the device, the user could still access the data offline until the offline grace period wipe timer has expired.
A few important notes:
1: This does not work when you choose to delete the user immediately instead of disabling the account.
2: Several things can affect how long it takes before the wipe is initiated, such as Azure AD Connect synchronisation, the Azure AD access token lifetime (120 minutes) and the Intune app check-in interval (30 minutes).
You can configure this setting in your baseline by configuring the appActionIfUnableToAuthenticateUser property.
Check my website for the PowerShell scripts.
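As an added example (not the author's baseline scripts), here is a PowerShell audit that reads every iOS and Android app protection policy through Microsoft Graph, reports which ones do not have the "Disabled account" action set to block or wipe, and can optionally patch them. It assumes the Microsoft.Graph.Authentication module and the beta endpoint, where managedAppProtection exposes appActionIfUnableToAuthenticateUser (values block, wipe, warn).

```powershell
# Added example, not from the original post: audit Intune App Protection Policies for the
# "Disabled account" conditional launch setting and optionally set it to the desired action.
# Assumes Microsoft.Graph.Authentication (Connect-MgGraph / Invoke-MgGraphRequest) and the
# beta Graph endpoint, where the property appActionIfUnableToAuthenticateUser is exposed.
param(
    [switch]$Remediate,                                    # PATCH non-compliant policies when set
    [ValidateSet('block', 'wipe')][string]$DesiredAction = 'wipe'
)

$scope = if ($Remediate) { 'DeviceManagementApps.ReadWrite.All' } else { 'DeviceManagementApps.Read.All' }
Connect-MgGraph -Scopes $scope | Out-Null

$base = 'https://graph.microsoft.com/beta/deviceAppManagement'
# iOS and Android policies live in separate collections; both carry the same property.
$collections = @{
    iosManagedAppProtections     = '#microsoft.graph.iosManagedAppProtection'
    androidManagedAppProtections = '#microsoft.graph.androidManagedAppProtection'
}

foreach ($collection in $collections.Keys) {
    $uri = "$base/$collection"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($policy in $page.value) {
            $current = $policy.appActionIfUnableToAuthenticateUser
            # Anything other than block/wipe (null = not configured, or warn) leaves offline
            # data reachable until the offline grace period wipe timer expires.
            $compliant = $current -in @('block', 'wipe')
            [pscustomobject]@{
                Platform    = $collection -replace 'ManagedAppProtections', ''
                DisplayName = $policy.displayName
                Setting     = if ($null -eq $current) { '(not configured)' } else { $current }
                Compliant   = $compliant
            }
            if ($Remediate -and -not $compliant) {
                $body = @{
                    '@odata.type'                       = $collections[$collection]
                    appActionIfUnableToAuthenticateUser = $DesiredAction
                } | ConvertTo-Json
                Invoke-MgGraphRequest -Method PATCH -Uri "$uri/$($policy.id)" -Body $body -ContentType 'application/json'
                Write-Host "Updated '$($policy.displayName)' to $DesiredAction"
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging if the tenant has many policies
    } while ($uri)
}
```

Run it without -Remediate first to see the report; the table it emits is the list of policies that still rely on the offline grace period alone.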
When you combine this App Protection conditional launch setting with Continuous Access Evaluation (CAE), you get the best result: CAE makes sure the user is blocked almost instantly, and the app protection policy makes sure the company data is wiped.