I want to force my users to use a 3rd party app as part of their login process.
Currently, it is "available" as an app on the users' dashboard, but I am unable to force users to run it. Is there any way I can force my users to run this app when they log in to their Office 365 (or other Azure-connected services)? This app does not need to be authenticated to, so the MFA (or OAuth integration) requests etc. that are part of the normal conditional access policy build do not work. (I don't care if other external users can also access this app.)
I have been trying to add it through a custom control, but can't get it going. Partner device management seems a long shot, as it is not listed as one of the 12 available ones (and they are mostly for Mac, iOS and Android, not Windows).
Intune could be used, but NOT for enforcing this app, as users/devices are not enrolled in the Intune MDM solution.
Could I use a custom claim provider functionality?
Potential flow:
#1. The user reaches the MS GINA for Entra ID login (Office 365 or other applications connected to Entra ID).
#2. Once the user is authenticated, he is redirected to a 3rd party URL where the app can be downloaded. The user ID (but no other info) is forwarded to the 3rd party.
#3. The app needs to be downloaded and run on the local device.
#4. Once installation is verified by the 3rd party, the user is granted access to Entra resources.
Alternative (less attractive) flow:
#1. The user reaches the MS GINA for Entra ID login (Office 365 or other applications connected to Entra ID).
#2. Once the user is authenticated, the device is checked for whether the 3rd party app is present.
#3. If not, a message directs the user to the 3rd party URL where the app needs to be downloaded.
#4. If the app is present, access is granted.
Any ideas on how to achieve this would be most appreciated.
Thanks
My first "from the hip first thought" is assigning an access package in Entra assuming there is an app in Azure representing the 3rd party app.:
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-create
@Magnus, Thanks for posting in Q&A.
From your description, I know that you want to force users to run a third-party app when they log in to their Office 365.
Based on my research, there are no built-in features in Intune that can achieve this; it may need a script to do this.
Thanks for your kind understanding.
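The answer above points at "a script" rather than a built-in feature. As an added example (not from the thread, Microsoft or the app vendor), the PowerShell logon script below implements only the device-side part of the asker's alternative flow (steps 2 and 3): check whether the 3rd party app is installed and running and, if not, direct the user to its download page, logging the result for later review. It does not gate Entra ID sign-in, and the app name, process name, install path and URL are placeholders that must be replaced with the real agent's values.

```powershell
# Added example: device-side check for the third-party agent, run as a logon script.
# It enforces the local "is the app present" step only; it does not block Entra sign-in.
# Placeholder values (assumptions): replace with the real agent's name, process, path and URL.
$AppDisplayName = 'Example Security Agent'           # name shown in Programs and Features
$AppProcessName = 'ExampleAgent'                     # process name without .exe
$AppExePath     = Join-Path $env:ProgramFiles 'ExampleAgent\ExampleAgent.exe'
$DownloadUrl    = 'https://vendor.example/download'  # placeholder vendor download page
$LogPath        = Join-Path $env:ProgramData 'AgentCheck\agentcheck.log'

function Test-AgentInstalled {
    # Look for the app in the uninstall registry keys (64-bit and 32-bit views).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$AppDisplayName*" }
    return [bool]$found
}

function Test-AgentRunning {
    # True when at least one process with the agent's name is running.
    return [bool](Get-Process -Name $AppProcessName -ErrorAction SilentlyContinue)
}

function Write-CheckLog([string]$Message) {
    # Append a timestamped line so the helpdesk can see who was redirected and why.
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    "$(Get-Date -Format o) $env:USERNAME $Message" | Add-Content -Path $LogPath
}

if (-not (Test-AgentInstalled)) {
    # Step 3 of the alternative flow: send the user to the download page.
    Write-CheckLog 'agent missing; redirecting user to download page'
    Start-Process $DownloadUrl        # opens the default browser at the vendor page
    exit 1
}
if (-not (Test-AgentRunning)) {
    # Installed but not running: start it so the session is covered.
    Write-CheckLog 'agent installed but not running; starting it'
    Start-Process -FilePath $AppExePath -ErrorAction SilentlyContinue
}
Write-CheckLog 'agent present'
exit 0
```

Deploy it as a logon script (for example via Group Policy) on the domain-joined Windows devices that cannot be enrolled in Intune; the exit code and log line are what a helpdesk or SIEM can pick up to see which users were redirected.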