App Protection: Resurgence

App Protection: Resurgence

This blog will be about some misunderstanding when conditional access is requiring app protection and/or approved apps?

Every organization has BYOD users, these users want to have access to the company data from that same device. You want to make sure you are not only managing the devices, you also need to manage the apps.

Some time ago I explained how you could allow managed and unmanaged devices and how to configure the app protection policies.

The Chronicles of MAM – Call4Cloud Setting up IOS App protection policies

In the blog above I showed you, Microsoft Teams does not really like the require app protection policy as it does not have the Intune DSK with Policy Assurance implemented.

Please note.

Microsoft Teams does support App protection policies but it really does not go hand in hand with the conditional access require app protection policy.

These are the apps that support require app protection grant access policy

These are the apps that support require approved client app grant access policy.

Now we know which apps do support and do not support app protection and have seen Microsoft Teams only support the approved app policy, I want to show you the flow of how this app protection access control works.

Instead of requiring app protection we could only require an approved client app as shown in the blog I mentioned earlier?

But what, if there is a way better method so you could require app protection policy and when it does not support app protection, it will require approved apps? It’s very simple.

You need to include both of the access grant controls with an or operator. As shown earlier, Microsoft azure is aware of which app support and does not support each grant access control.

So if an app like Outlook which supports app protection authenticates, the require app protection access grant policy will comply and when an app does not support require app protection policy but is on the approved app client list, the grant access control will be applied.

After we enabled the Conditional rule, we installed the Teams mobile App from the Company App portal. After a minute we received the first notification:

After we pressed installed, within a few second the Teams app was installed and ready for login.

After we selected the proper account, we received another prompt to secure the app.

After I closed teams and opened it again, it worked and app protection was applied.


With a simple β€œOR” you can make sure, Teams will use the Approved Client app grant access policy even when Microsoft is telling us it does not work? Maybe a better word would be: supported?

and you can still require app protection for the other apps that do support it.

Leave a Reply

Your email address will not be published. Required fields are marked *

2  +  2  =