Today, I realized I totally forgot to add this setting to my App protection baseline. Let’s talk a little bit more about this wonderful new setting, “Conditional Launch,” which was released some months ago.
It’s straightforward to configure; open your App protection policy and configure the conditional launch setting within your app protection policy.
1. Conditional Launch
When looking at the actions available, you have got two options when we configure the Disabled Account option:
Block access: When Intune has confirmed the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
Wipe data: When Intune confirms that the user has been disabled in Azure Active Directory, the app will selectively wipe the user’s work or school account and data.
In my opinion, it is very important that you configure this setting. If you don’t configure this setting and you forget to retire or wipe the device, the user can still access the data offline until the offline grace period wipe timer has expired.
How could we Block/Disable the user instead of deleting the user? You could disable the user by configuring “Block Sign-in” in the user properties at the Microsoft Admin Center
https://admin.microsoft.com/Adminportal/Home#/users/
2. A few important notes:
1: This does not work when you delete the user immediately instead of disabling it. When you delete the user, the user still has access to the data in an offline manner until the Offline Grace Period wipe timer has expired.
2: Several things could impact the time to initiate the wipe, like if you are running Azure ad connect/Azure ad access token (120 minutes) and the Intune app check-in time (30 minutes)
3. When the user has been blocked access, the user will not be able to access the org data. But please beware that any new data can still be delivered in the background because the access tokens will not expire. Luckily, the user wouldn’t have access to it.
3. PowerShell Automation
Of course, you can change this setting manually but why not automate it for new deployments?
You could also make sure you configure this setting in your App Protection baseline by configuring the: “appactionifunabletoauthenticateuser” like I am showing below
Check my website for the PowerShell scripts
The Chronicles of MAM – Call4Cloud Setting up IOS App protection policies
Conclusion:
You will get the best result when combining app protection conditional launch with continuous access evaluation. CAE will ensure that the user is blocked almost instantly, and the app protection policy will ensure that the company data is wiped.
Hi Rudy,
Thanks for the explanation. When you adjust ‘appActionIfUnableToAuthenticateUser’ to wipe, block (or warn!) you will see this in the GUI as ‘Disabled account = …’.
This implies that the action is solely for a disabled account, while the Microsoft documentation says: ‘If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. Inherited from managedAppProtection. Possible values are: block, wipe, warn.’ (Source: https://docs.microsoft.com/it-it/graph/api/intune-mam-defaultmanagedappprotection-create?view=graph-rest-beta).
They specify disabled ánd deleted. Did you already test if the wipe will also arrive when a user is deleted?
Hi, that part I didnt test if I am not mistaken.
“Important: The Disabled account setting does not detect account deletions. If an account is deleted, the user continues to access data in an offline manner until the Offline Grace Period wipe timer has expired.”
https://techcommunity.microsoft.com/t5/intune-customer-success/app-protection-policy-conditional-launch-improvements/ba-p/2209022?utm_source=dlvr.it&utm_medium=twitter
How do you disable a user in AzureAD?
Hi, good question… added it the blog
This feature doesn’t work at all. There is no indication when this will occur and you cannot set a time on this.
I’ve tested turning on this to “wipe.” Literally nothing happens until maybe 1 hour.
Offline grace period doesn’t refer to the user being disabled or deleted. It only refers to internet access. So if the device never loses internet access, the offline grace period doesn’t apply.
When I was writing this blog, that feature was working… so if its not working for you… something must be wrong or Microsoft changes somethings