Conditional access and approved client apps

This week I’m back on conditional access. More specifically, on the recently introduced requirement in the grant controls to Require approved client apps, which is currently still in preview. That requirement feels a bit like MAM CA, but more about that later in this post. In this post, I’ll provide more information about the Require approved client apps requirement and I’ll show how to configure it. I’ll end this post with the end-user experience.

Introduction

When configuring a conditional access policy, it’s now possible to grant access only if the connection attempt was made by an approved client app. That’s done by using the Require approved client apps requirement. This requirement could be described as something similar to MAM CA, but with fewer options and straight from Azure AD. The main difference, from a configuration perspective, is that MAM CA provides more granular control over the client apps that can be used to access a specific cloud app, while this requirement in conditional access is simply on or off. On the other hand, this requirement in conditional access can be used with every cloud app, while MAM CA is only available for Exchange Online and SharePoint Online.

The approved client apps for the Require approved client apps requirement are the following apps (that all support Intune MAM):

  • Microsoft Excel
  • Microsoft OneDrive
  • Microsoft Outlook
  • Microsoft OneNote
  • Microsoft PowerPoint
  • Microsoft SharePoint
  • Microsoft Skype for Business
  • Microsoft Teams
  • Microsoft Visio
  • Microsoft Word

Keep in mind that the Require approved client apps requirement:

  • only supports iOS and Android as selected device platforms condition;
  • does not support Browser as selected client app condition;
  • supersedes the Mobile apps and desktop clients client app condition.

Configuration

Now let’s have a look at the required configuration of a conditional access policy in the Azure portal. To be able to use the Require approved client apps requirement, create a conditional access policy as shown below. The following steps walk through the minimal configuration, using Exchange Online as an example.

1 Open the Azure portal and navigate to Azure Active Directory > Conditional access > Policies;
2 On the Policies blade, click New policy to open the New blade;
3 On the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, select All users and click Done;
4 On the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, select Select apps to select Office 365 Exchange Online and click Done;
5 On the New blade, select the Grant access control to open the Grant blade. On the Grant blade, select Grant access and select at least Require approved client app (preview) and click Select.

Note: This configuration will make sure that only the mentioned approved client apps can access Exchange Online.
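As an added example (not code from the original post), the policy built in the steps above expressed in the shape of the Microsoft Graph conditionalAccessPolicy resource, together with a check for the three limitations listed in the introduction. The property names and the Exchange Online app ID are assumed from the Graph API as I know it, not taken from the post.

```python
# Added example (not from the original post): the policy from the steps above in
# Microsoft Graph conditionalAccessPolicy form, plus a check for the post's limits.
from typing import Dict, List

# Well-known app ID of Office 365 Exchange Online (assumed; verify in your tenant).
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# The only device platforms the Require approved client apps control supports.
SUPPORTED_PLATFORMS = {"iOS", "android"}


def build_policy(state: str = "enabledForReportingButNotEnforced") -> Dict:
    """Minimal policy: all users, Exchange Online, iOS/Android mobile apps,
    grant access only to approved client apps. Starts in report-only mode."""
    return {
        "displayName": "Require approved client apps - Exchange Online",
        "state": state,  # switch to "enabled" once report-only looks clean
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]},
    }


def validate_policy(policy: Dict) -> List[str]:
    """Return the limitations from the post that the policy violates (empty = OK)."""
    issues: List[str] = []
    grant = policy.get("grantControls") or {}
    if "approvedApplication" not in grant.get("builtInControls", []):
        return ["grant control does not require approved client apps"]
    cond = policy.get("conditions") or {}
    # 1. Only iOS and Android may be selected as device platforms.
    platforms = set((cond.get("platforms") or {}).get("includePlatforms", []))
    if not platforms or not platforms <= SUPPORTED_PLATFORMS:
        issues.append("device platforms must be limited to iOS and/or Android")
    # 2. The Browser client app condition is not supported with this control.
    client_apps = cond.get("clientAppTypes", [])
    if "browser" in client_apps or "all" in client_apps:
        issues.append("browser client app condition is not supported with this control")
    # 3. The control applies to mobile apps and desktop clients, so target those.
    if "mobileAppsAndDesktopClients" not in client_apps:
        issues.append("policy should target mobile apps and desktop clients")
    if not (cond.get("users") or {}).get("includeUsers"):
        issues.append("no users or groups assigned")
    return issues
```

Running validate_policy over a policy export before switching it from report-only to enabled catches the browser and platform combinations the portal will not enforce.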

End-user experience

As usual with this type of post, I’ll end with the end-user experience. On the left is an example of the iOS 11 default mail app trying to connect to Exchange Online. This provides a clear message that the app can’t be used, as it’s not approved. On the right is an example of the iOS default browser trying to connect to outlook.office365.com. This provides a less clear message and refers to the Intune Managed Browser, which is currently not on the approved apps list. This is very likely the reason why the browser functionality is currently not yet supported, but it’s very good to see that the access is blocked. That removes a big potential backdoor of a great feature!

[Screenshots: left, the iOS 11 default mail app blocked from Exchange Online; right, the iOS default browser blocked from outlook.office365.com]

More information

For more information about conditional access and requiring approved client apps, please refer to this article about Azure Active Directory Conditional Access technical reference | Approved client app requirement.

9 thoughts on “Conditional access and approved client apps”

  1. Hi Peter, thanks for the write up, this is good stuff! Any news / plans for the Microsoft Managed Browser (IOS/Android) becoming one of the apps? This would be useful for Intranet / O365 resources to ensure MAM controls on those sites. Thanks John

  2. Hi Peter,

    I hope you’re well! I’m still loving the blog!

    I wanted to ask for your help in understanding whether it is possible to add 3rd party apps to this Approved client app list?

    Eg. we want to only allow access to O365 to the list of apps from Microsoft and additional ones we approve.

  3. Hi Peter,

    Thank you for the prompt reply – that is a great suggestion and I’ll be upvoting it on UserVoice.

    Rich

  4. Hi,
    I have a customer who has ported to Microsoft and they are using Conditional Access Policy.
    I’ve made a UWP application and two mobile (Android and iOS) apps which are using an Enterprise Application I created in order to let users log in with their Microsoft accounts to browse their calendar and OneDrive items.
    The customer is saying that because the Conditional Access Policy and my application not being listed as an approved client app, they cannot use it. So, they are requesting me to get the application added as an approved application to be able to use it.
    I have tried to find information on what I should do in order to get the problem solved, but I’m a little bit lost and not sure what I should do.
    I would appreciate it if you could point me in the right direction in order to sort this issue.

  5. Hi Jose,
    At this moment the Require approved client app setting applies to a fixed list of apps. The eventual idea, to my knowledge, is that the Require app protection policy setting will replace that list and will support apps that include the Intune SDK. Until that time you might want to contact Microsoft, via a support case, to see what the possibilities are to get an app added to the first list.
    Regards, Peter

  6. Hi Peter,

    Thanks for your answer. So at the moment, there is nothing we can do to help our customer using our application with the Conditional Access Policy set? Unless we get added to the approved clients app list, right?

    Best regards, Jose.
