To discover conditional access policies that use the "Require approved client app" control that is being retired, you can use the Azure AD PowerShell module. Here are the steps to do so:
- Install the Azure AD PowerShell module: You can download and install the module from the PowerShell Gallery using the following command:
```powershell
Install-Module AzureAD
```
- Connect to your Azure AD tenant: Use the following command to connect to your Azure AD tenant:
```powershell
Connect-AzureAD
```
- Retrieve the conditional access policies: Use the following command to retrieve the conditional access policies for your Azure AD tenant:
```powershell
# Returns the tenant's Conditional Access policy objects
$policies = Get-AzureADMSConditionalAccessPolicy
```
- Filter the policies: Use the following command to filter the policies that use the "Require approved client app" control:
```powershell
# Keep policies whose included applications contain the app ID below
$filteredPolicies = $policies | Where-Object { $_.Conditions.Applications.IncludeApplications -contains "1fec8e78-bce4-4aaf-ab1b-5451cc387264" }
```
Note that "1fec8e78-bce4-4aaf-ab1b-5451cc387264" is the client app ID for the Azure Active Directory mobile app, which was the only app that could be approved for use with the "Require approved client app" control.
- Review the filtered policies: You can review the filtered policies using the following command:
```powershell
$filteredPolicies | Format-List DisplayName, Id
```
This command will display the display name and ID of each policy that uses the "Require approved client app" control.
By following these steps, you can discover the conditional access policies that use the "Require approved client app" control that is being retired, allowing you to update these policies to use alternative controls.
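As an added example (not part of the original page): the function below reports policies whose grant controls include the built-in approved-application control, reading `GrantControls.BuiltInControls` on each policy object rather than matching an application ID. The function name, the sample policies and their IDs are constructed for illustration, and the property names are assumed to match the objects returned by `Get-AzureADMSConditionalAccessPolicy`.

```powershell
# Added example. Property names (GrantControls._Operator, BuiltInControls, State)
# are assumed to match Get-AzureADMSConditionalAccessPolicy output.
function Find-ApprovedClientAppPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy
    )
    process {
        # Block-only or session-only policies carry no grant controls
        if ($null -eq $Policy.GrantControls) { return }

        # Normalise enum or string values to strings; -contains ignores case
        $controls = @($Policy.GrantControls.BuiltInControls | ForEach-Object { "$_" })
        if ($controls -notcontains 'approvedApplication') { return }

        $others = @($controls | Where-Object { $_ -ne 'approvedApplication' })
        [pscustomobject]@{
            DisplayName   = $Policy.DisplayName
            Id            = $Policy.Id
            State         = "$($Policy.State)"
            Operator      = "$($Policy.GrantControls._Operator)"
            OtherControls = $others -join ', '
            # True when the retiring control is the only grant control in the policy
            SoleControl   = ($others.Count -eq 0)
        }
    }
}

# Constructed sample policies (placeholder IDs) so the function runs offline
$sample = @(
    [pscustomobject]@{
        DisplayName = 'Mobile - approved apps only'; Id = '00000000-0000-0000-0000-000000000001'; State = 'enabled'
        GrantControls = [pscustomobject]@{ _Operator = 'OR'; BuiltInControls = @('ApprovedApplication') }
    },
    [pscustomobject]@{
        DisplayName = 'Mobile - approved app or app protection'; Id = '00000000-0000-0000-0000-000000000002'; State = 'enabled'
        GrantControls = [pscustomobject]@{ _Operator = 'OR'; BuiltInControls = @('approvedApplication', 'compliantApplication') }
    },
    [pscustomobject]@{
        DisplayName = 'All users - MFA'; Id = '00000000-0000-0000-0000-000000000003'; State = 'enabled'
        GrantControls = [pscustomobject]@{ _Operator = 'OR'; BuiltInControls = @('mfa') }
    },
    [pscustomobject]@{
        DisplayName = 'Session controls only'; Id = '00000000-0000-0000-0000-000000000004'; State = 'disabled'
        GrantControls = $null
    }
)
$sample | Find-ApprovedClientAppPolicy | Format-Table -AutoSize
```

Against a live tenant, pipe the output of `Get-AzureADMSConditionalAccessPolicy` into the function in place of `$sample`; rows with `SoleControl` set to `True` have no other grant control to fall back on.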