Conditional Access not working when you are already logged in to a mobile app on iOS/Android Enterprise

Lennard Maeke


I want to implement a CA policy to only allow Intune enrolled, compliant mobile devices to access company resources.

I created the CA policy, applying to the test devices, applying to Office 365 cloud apps, condition is iOS and Android and on all types of client apps.

Access is granted when the device is compliant AND the app is an approved client app. Session uses app-enforced restrictions.

Now the Problem: If I try to log in with a PW on a non-compliant device, the CA policy correctly denies me access.

If I however have a compliant device that has Outlook and other apps already open, and the device becomes non-compliant, I can still access and use Outlook, Teams etc. It appears CA is not checked every time I open an app.

How can I make it so CA is checked every time I open an app?

Tags: Microsoft Intune, Microsoft Entra ID

Accepted answer
Jason Sandys, Microsoft Employee

"It appears CA is not checked every time I open an app."

Correct. It is only checked when the PRT is refreshed and not specific to the app itself. This is by design.

If an app supports it, then this can be mitigated by using Continuous Access Evaluation (CAE):

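An added example, not part of the question or of Jason Sandys' answer: a small Python inspection aid that decodes the claims of an Entra access token to make the answer's point concrete. Conditional Access is evaluated when a token is issued or refreshed, so a token minted before the device fell out of compliance stays usable until its exp claim; the xms_cc claim with value cp1 is how a CAE-capable client's token can be recognised, and deviceid shows the token came from a device-bound sign-in. The token, tenant, user and device values are constructed for this example, and the signature is deliberately not verified (this is for reading claims during troubleshooting, not for validating tokens).

```python
import base64
import json
import time


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding JWTs strip before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iat: int, lifetime: int, cae_capable: bool) -> str:
    """Build a constructed, UNSIGNED access token so the example runs offline.

    Real Entra tokens are RS256-signed; the claim names used here (iat, exp,
    deviceid, xms_cc) are the documented ones, the values are made up.
    """
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # constructed tenant
        "iat": iat,
        "nbf": iat,
        "exp": iat + lifetime,
        "upn": "user@contoso.example",                        # constructed
        "deviceid": "11111111-1111-1111-1111-111111111111",  # constructed
    }
    if cae_capable:
        # Clients that can handle a claims challenge receive tokens carrying
        # xms_cc: ["cp1"]; absence of the claim means CAE cannot cut this token short.
        payload["xms_cc"] = ["cp1"]
    signature = _b64url_encode(b"signature-not-verified-in-this-example")
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        signature,
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def assess_token(token: str, compliance_lost_at: int) -> dict:
    """Describe how long a token keeps working after the device became non-compliant.

    Without CAE the policy is re-evaluated only when the client asks for a new
    token, so a token minted before the compliance change stays usable until exp.
    """
    claims = decode_claims(token)
    iat, exp = int(claims["iat"]), int(claims["exp"])
    minted_before_change = iat < compliance_lost_at
    return {
        "cae_capable": "cp1" in claims.get("xms_cc", []),
        "device_bound": "deviceid" in claims,
        "lifetime_seconds": exp - iat,
        "minted_before_change": minted_before_change,
        # Worst case without CAE: access persists until exp, when the next
        # refresh is evaluated against the policy. Zero if minted after the change.
        "stale_access_seconds": max(0, exp - compliance_lost_at) if minted_before_change else 0,
    }


if __name__ == "__main__":
    now = int(time.time())
    token = make_sample_token(iat=now - 900, lifetime=3600, cae_capable=False)
    print(json.dumps(assess_token(token, compliance_lost_at=now), indent=2))
```

To use it on a real token captured during testing, pass the token string to decode_claims or assess_token directly; the generator exists only so the block runs without a tenant. A token without xms_cc, or a token whose stale_access_seconds is still large, is the situation the question describes: nothing will re-check the device until that token is replaced.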