How do i discover conditional access policies that use the "Require approved client app" control that is being retired?

Jonathan 26 Reputation points
2023-03-30T17:38:22.5733333+00:00

I received a notice that The "“Require approved client app” control in Azure AD Conditional Access will be retired on 31 March 2026"

How can i determine what Conditional Access Polices are using this control? the transition document suggests that i simply check each policy.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,801 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Syed Shiraz Shahid 275 Reputation points
    2023-03-30T19:19:52.1566667+00:00

    To discover conditional access policies that use the "Require approved client app" control that is being retired, you can use the Azure AD PowerShell module. Here are the steps to do so:

    1. Install the Azure AD PowerShell module: You can download and install the module from the PowerShell Gallery using the following command: Install-Module AzureAD
    2. Connect to your Azure AD tenant: Use the following command to connect to your Azure AD tenant:
    
    Connect-AzureAD
    
    1. Retrieve the conditional access policies: Use the following command to retrieve the conditional access policies for your Azure AD tenant:
        
        $policies = Get-AzureADPolicy -Filter "PolicyType eq 'ConditionalAccess'"
        ```
        
        
    1. Filter the policies: Use the following command to filter the policies that use the "Require approved client app" control:
        
    
    $filteredPolicies = $policies | Where-Object { $_.Conditions.Applications.ClientAppIds -contains "1fec8e78-bce4-4aaf-ab1b-5451cc387264" }
    ```
    
    
    Note that "1fec8e78-bce4-4aaf-ab1b-5451cc387264" is the client app ID for the Azure Active Directory mobile app, which was the only app that could be approved for use with the "Require approved client app" control.
    
    1. Review the filtered policies: You can review the filtered policies using the following command:
        
        $filteredPolicies | Format-List DisplayName, Id
        ```
        
        
        This command will display the display name and ID of each policy that uses the "Require approved client app" control.
        
    By following these steps, you can discover the conditional access policies that use the "Require approved client app" control that is being retired, allowing you to update these policies to use alternative controls.
    
    

  2. Vasil Michev 96,836 Reputation points MVP
    2023-03-31T07:13:57.1733333+00:00

    You can use the Graph API. A direct query that covers all such policies looks like this:

    GET https://graph.microsoft.com/beta/identity/conditionalAccess/policies?$filter=grantControls/builtInControls/any(x:x+eq+'compliantApplication')

    If you use the Graph SDK for PowerShell instead, you can just do this:

    Invoke-GraphRequest -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies?`$filter=grantControls/builtInControls/any(x:x+eq+'compliantApplication')"