App protection and a Disabled Account

Today I realised I had totally forgotten to add this setting to my App Protection baseline. Let’s talk a bit more about the wonderful new “Conditional Launch” setting that was released some months ago.

It’s very easy to configure: open your App Protection policy and configure the setting within the Conditional Launch section of that policy.

1. Conditional Launch

When looking at the actions available, you have two options:

Block access: When Intune has confirmed that the user has been disabled in Azure Active Directory, the app blocks access to work or school data.

Wipe data: When Intune has confirmed that the user has been disabled in Azure Active Directory, the app performs a selective wipe of the user’s work or school account and data.

In my opinion, it is very important that you configure this setting. If you don’t, and you forgot to retire or wipe the device, the user could still access the data offline until the offline grace period wipe timer has expired.

2. A few important notes:

1. This does not work when you choose to delete the user immediately instead of disabling them. When you delete the user, the user still has offline access to the data until the Offline Grace Period wipe timer has expired.

2. Several things can affect the time it takes to initiate the wipe, such as whether you are running Azure AD Connect, the Azure AD access token lifetime (120 minutes) and the Intune app check-in interval (30 minutes).

3. Once the user has been blocked, they will not be able to access the org data. But be aware that new data can still be delivered in the background, because the access tokens have not expired yet; luckily the user cannot access it.

3. PowerShell Automation

Of course, you can change this setting manually, but why not automate it for new deployments?

You could also make sure this setting is configured in your App Protection baseline by setting “appActionIfUnableToAuthenticateUser”, like I am showing below.

Check my website for the PowerShell scripts

The Chronicles of MAM – Call4Cloud Setting up IOS App protection policies
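As an added example (not the post’s own script, and not part of the Call4Cloud baseline scripts linked above), the following PowerShell audits every iOS and Android App Protection policy for the value of appActionIfUnableToAuthenticateUser (shown in the portal as “Disabled account”) and sets it to wipe where it is missing or only set to warn. It assumes the Microsoft.Graph PowerShell SDK is installed and Connect-MgGraph has already been run with the DeviceManagementApps.ReadWrite.All scope; it uses the beta endpoint because that is where the property is documented. The function names and the default choice of “wipe” are my own.

```powershell
# Added example, not the post's own script. Assumes Connect-MgGraph was already run with
# scope DeviceManagementApps.ReadWrite.All and that the Microsoft.Graph SDK is installed.

# Graph collection name -> @odata.type needed in a PATCH body for that policy type
$script:PolicyTypeMap = @{
    iosManagedAppProtections     = '#microsoft.graph.iosManagedAppProtection'
    androidManagedAppProtections = '#microsoft.graph.androidManagedAppProtection'
}

function Get-AppProtectionDisabledAccountAction {
    # Lists every app protection policy with the current "Disabled account" action.
    # $null in DisabledAccountAction means the setting was never configured.
    param(
        [string[]]$PolicyTypes = @('iosManagedAppProtections', 'androidManagedAppProtections')
    )
    foreach ($type in $PolicyTypes) {
        # ${type} avoids PowerShell reading "$type?" as a variable name; `$select keeps the OData literal
        $uri = "https://graph.microsoft.com/beta/deviceAppManagement/${type}?`$select=id,displayName,appActionIfUnableToAuthenticateUser"
        do {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
            foreach ($policy in $page.value) {
                [pscustomobject]@{
                    PolicyType            = $type
                    Id                    = $policy.id
                    DisplayName           = $policy.displayName
                    DisabledAccountAction = $policy.appActionIfUnableToAuthenticateUser
                }
            }
            # follow server-side paging until there is no next page
            $uri = $page.'@odata.nextLink'
        } while ($uri)
    }
}

function Set-AppProtectionDisabledAccountAction {
    # PATCHes appActionIfUnableToAuthenticateUser on one policy.
    # Valid values per the Graph documentation quoted in the comments: block, wipe, warn.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('iosManagedAppProtections', 'androidManagedAppProtections')]
        [string]$PolicyType,
        [Parameter(Mandatory)][string]$PolicyId,
        [ValidateSet('block', 'wipe', 'warn')][string]$Action = 'wipe'
    )
    $uri  = "https://graph.microsoft.com/beta/deviceAppManagement/$PolicyType/$PolicyId"
    $body = @{
        '@odata.type'                        = $script:PolicyTypeMap[$PolicyType]
        appActionIfUnableToAuthenticateUser  = $Action
    } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
}

# Baseline check: report every policy that neither blocks nor wipes a disabled account, then fix it.
Get-AppProtectionDisabledAccountAction |
    Where-Object { $_.DisabledAccountAction -notin @('block', 'wipe') } |
    ForEach-Object {
        $current = if ($null -eq $_.DisabledAccountAction) { 'Not configured' } else { $_.DisabledAccountAction }
        Write-Host "Policy '$($_.DisplayName)' ($($_.PolicyType)): Disabled account = $current -> setting to wipe"
        Set-AppProtectionDisabledAccountAction -PolicyType $_.PolicyType -PolicyId $_.Id -Action 'wipe'
    }
```

Run the first function on its own (or drop the ForEach-Object stage) if you only want the report; the wipe-versus-block choice in the last stage is a policy decision, and the remediation still only takes effect on the device after the next app check-in and token expiry described in the notes above.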

Conclusion:

When combining App Protection Conditional Launch with Continuous Access Evaluation (CAE), you get the best result: CAE makes sure the user is blocked almost instantly, and the App Protection policy makes sure the company data is wiped.

2 thoughts on “App protection and a Disabled Account”

  1. Hi Rudy,

    Thanks for the explanation. When you adjust ‘appActionIfUnableToAuthenticateUser’ to wipe, block (or warn!) you will see this in the GUI as ‘Disabled account = …’.

    This implies that the action is solely for a disabled account, while the Microsoft documentation says: ‘If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. Inherited from managedAppProtection. Possible values are: block, wipe, warn.’ (Source: https://docs.microsoft.com/it-it/graph/api/intune-mam-defaultmanagedappprotection-create?view=graph-rest-beta).

    They specify disabled ánd deleted. Did you already test if the wipe will also arrive when a user is deleted?

    1. Hi, that part I didn’t test, if I am not mistaken.

      “Important: The Disabled account setting does not detect account deletions. If an account is deleted, the user continues to access data in an offline manner until the Offline Grace Period wipe timer has expired.”

      https://techcommunity.microsoft.com/t5/intune-customer-success/app-protection-policy-conditional-launch-improvements/ba-p/2209022?utm_source=dlvr.it&utm_medium=twitter
