Third-party apps and Intune app protection policy

A.Elrayes 186 Reputation points
2023-12-26T11:44:52.9333333+00:00

Hello,

We are about to deploy MAM on Android/iOS. However, we encountered an issue with a third-party app that authenticates with org accounts, which is blocked by the conditional access policy that allows only protected apps.

What should we do?

Thanks,

Alaa Elrayes

Microsoft Security | Intune | Other

Accepted answer
  1. Crystal-MSFT 53,986 Reputation points Microsoft External Staff
    2023-12-27T01:32:15.5066667+00:00

    @A.Elrayes, Thanks for posting in Q&A. "Require approved client app" is used to require that an approved client app is used to access selected cloud apps. A third-party app does not belong to the approved client apps, so it is blocked. For your scenario, I think we can only keep "Require app protection policy" under the conditional access grant and create an App Protection Policy (APP) that determines which apps on a device are managed and what behaviors are allowed.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant#require-approved-client-app

    For a third-party app, to apply an app protection policy, it can integrate with the Intune SDK or be wrapped by the Intune App Wrapping Tool to be managed.

    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy#apps-you-can-manage-with-app-protection-policies

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

1 additional answer

  1. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2023-12-27T02:36:34.01+00:00

    Always an issue for non-MS apps that don't support the Intune SDK. Your options are:

    1. Get the apps to support the Intune SDK.
    2. Exclude them from CA if they are registered as enterprise apps.
    3. Do not use APP as a condition in CA.
    4. Enroll devices in Intune and instead use device compliance as a condition in CA.
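Putting the accepted answer and the options above into a concrete policy, here is an added example (it is not code from this thread or from Microsoft) using the Microsoft Graph PowerShell SDK. It creates a Conditional Access policy whose grant control is "Require app protection policy" (`compliantApplication`) rather than "Require approved client app" (`approvedApplication`), and excludes one third-party app that has no Intune SDK integration, which is option 2 from the second answer. The display name `Contoso Field App` and the policy name are placeholders; the Graph property names and enum values are the documented ones.

```powershell
# Added example: Conditional Access policy requiring an app protection policy
# on Android/iOS, with one third-party app excluded. Placeholders are marked.

# Requires the Microsoft.Graph module and a Conditional Access Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder display name: the enterprise application (service principal) the
# third-party mobile app signs in as. Option 2 only works if the app is
# registered in the tenant, so fail loudly when it is not found.
$thirdPartyApp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Field App'"
if (-not $thirdPartyApp) { throw "Third-party app not found; check the display name." }

$policy = @{
    displayName = "MAM: require app protection policy on Android/iOS"
    # Report-only first: sign-in logs show who would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms      = @{
            includePlatforms = @("android", "iOS")
        }
        users          = @{
            includeUsers = @("All")
        }
        applications   = @{
            # "Office365" is the built-in group for the Office 365 suite.
            includeApplications = @("Office365")
            # Option 2: exclude the third-party app so this policy does not
            # evaluate sign-ins to it (excludeApplications takes the app/client ID).
            excludeApplications = @($thirdPartyApp.AppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        # "compliantApplication" is "Require app protection policy".
        # Adding "compliantDevice" to this list with operator "OR" is option 4:
        # either an APP-managed app or a compliant enrolled device satisfies the grant.
        builtInControls = @("compliantApplication")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two things to check before switching `state` to `enabled`: review the report-only results in the sign-in logs to confirm that only the expected third-party app would have been blocked, and treat the exclusion as a tracked exception, since sign-ins to the excluded app are no longer covered by this policy's grant control at all.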
