Conditional Access not working when you are already logged in to a mobile app on iOS/Android Enterprise

Lennard Maeke 21 Reputation points
2022-10-24T21:09:06.097+00:00

Hello,

I want to implement a CA policy to only allow Intune enrolled, compliant mobile devices to access company resources.

I created the CA policy, applying to the test devices, applying to Office 365 cloud apps, condition is iOS and Android and on all types of client apps.

Access is granted when the device is compliant AND an approved client app is used. Session uses app enforced restrictions.

Now the problem: If I try to log in with a PW on a non-compliant device, the CA policy correctly denies me access.

If I however have a compliant device that has Outlook and other apps already open, and the device becomes non-compliant, I can still access and use Outlook, Teams etc. It appears CA is not checked every time I open an app.

How can I make it so CA is checked every time I open an app?

Tags: Microsoft Intune, Microsoft Entra ID

Accepted answer
Jason Sandys 31,286 Reputation points Microsoft Employee
2022-10-24T21:19:58.583+00:00

"It appears CA is not checked every time I open an app."

Correct. It is only checked when the PRT is refreshed and not specific to the app itself. This is by design.

If an app supports it, then this can be mitigated by using Continuous Access Evaluation (CAE): https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation-workload.

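Added example, not part of the question or the answer: the policy the question describes, expressed for the Microsoft Graph PowerShell SDK, created in report-only state so that the sign-in log shows how it would evaluate without blocking anyone, followed by a loop that pulls that evaluation result out of recent sign-ins. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed, that the caller can consent to the listed scopes, and that `<TEST-GROUP-OBJECT-ID>` is replaced with the object ID of the pilot group (the question scopes the policy to test devices; a pilot group is assumed here as the user-side scope).

```powershell
# Added example (not from the question or answer). Builds the Conditional Access
# policy described above with the Microsoft Graph PowerShell SDK and then reads
# back how it evaluated recent sign-ins.
# Assumptions: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports are
# installed; <TEST-GROUP-OBJECT-ID> is a placeholder for the pilot group's object ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$policy = @{
    displayName = "Mobile: require compliant device and approved client app"
    # Report-only first: the sign-in log records what the policy *would* do
    # without enforcing it. Switch to "enabled" once the results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @("<TEST-GROUP-OBJECT-ID>") }
        applications   = @{ includeApplications = @("Office365") }   # Office 365 cloud apps
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                                      # both controls required
        builtInControls = @("compliantDevice", "approvedApplication")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Conditional Access is evaluated when a token is issued or refreshed, so an app
# that was already signed in on a device that later becomes non-compliant will
# not produce a new row here until its next token refresh (or until CAE revokes
# the session, for apps that support it). Look at the Result column per policy.
$signIns = Get-MgAuditLogSignIn -Top 50
foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $created.Id }
    if ($hit) {
        "{0}  {1,-25} {2,-10} {3}" -f $s.CreatedDateTime, $s.AppDisplayName,
            $s.DeviceDetail.OperatingSystem, $hit.Result
    }
}
```

For a report-only policy the `Result` field carries values such as `reportOnlySuccess` or `reportOnlyFailure`; once the policy is switched to `enabled` the same field shows `success` or `failure`. If the loop prints nothing for a device you expect to be blocked, that is the behaviour the accepted answer describes: no new sign-in event has occurred for that app since the PRT was last refreshed.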
