This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 53%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Hello,
It is a little bit unclear the scenario of the policy deployment.
In one of the articles, the recommendation is to Block the Legacy protocols:
Now when using the Require App protection policy, it seems we must enable it and then set Exchange Active sync to require app policy:
So what should we do? Is it possible to request a review of the documentation of App Protection Policy + Legacy Authentication + Conditional Access scenarios?
We do not use Intune MAM under the Entra ID settings, only MDM.
Our goal is to migrate the Require App Protection App into the App Protection policy.
Also, in MS documentation didn't find a policy explanation for using only a scenario with MDM...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi @Oscar
Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Oscar, Thanks to let us know your configuration. I am glad we find the conditional access policies you want. Please let me write a summary for your scenario:
Scenario:
How to configure conditional access policy with Require app protection policy and Blocking Legacy Authentication
Conditional Policies settings:
Thanks for your time and have a nice day!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for stay with me in my test flow ;) and have a great all ahead!
@Oscar, Thanks for marking the summary as answer. I am glad we can help. If there's anything else we can help in the future, feel free to post in Q&A to discuss together. Have a nice day!
@Oscar, Thanks for posting in Q&A. Based on my understanding, due to the increased risk associated with legacy authentication protocols, Microsoft recommends that organizations block authentication requests using these protocols and require modern authentication. So the most secure method is to block legacy authentication. But if there's still legacy authentication like Exchange ActiveSync existing in your organization, to secure it, you can configure require app protection policy for the legacy authentication.
In fact, MAM allows you to manage and protect your organization's data within an application. Intune app protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. These policies allow you to control how data is accessed and shared by apps on mobile devices. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app in Intune is a protected app that has Intune app protection policies applied to it and is managed by Intune. Here is a link with more detail for your reference.
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
For conditional access policy, this is used to control the access of your cloud resource. If you set "Require app protection policy", then only the managed app with app protection policy can access the cloud resource you set in conditional access policy. Also there's other option you can set like "Require device to be marked as compliant" which allow compliant device to access the cloud resource. You can set it according to your requirement.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Oscar, Hope the above information can help. If there is anything else we can help, feel free to let us know.
I hope you see this on your side as well, here are multiple documents, that explain about similar subject, and when attempting to deploy a solution, it is unclear which path should be selected.
Based on my test I see the following:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/migrate-approved-client-app
This already creates confusion about what to do.
@Oscar, Thanks for the reply. From your description, it seems the app loop to restart that the app to be protected. Based as I know, Intune Company Portal is required on the device to receive App Protection Policies for Android devices. Please check if company portal is installed on the device (If the device is not enrolled into Intune, no need to sign in company portal.)
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android
Meanwhile, to check if the app protection policy is applied to the app, you can open Edge for Android and type about:Intunehelp to confirm on this.
Meanwhile, in your configuration, I notice for office 365, there are two policies match but have different Access Controls. In General, if multiple policies match and they have different Access Controls like Require Compliant Device or Require App protection Policy, the requirements will actually be merged and all the access controls from all matching policies have to be fulfilled.
Actually, we deploy the conditional access policy according to our requirement. For example, for office 365, if we only want outlook on the compliant iOS Android device or the outlook on not enrolled device but with app protection policy applied to access, we can configure as below:
Users: Select the users you want to apply this policy.
Target resource: Office 365.
Conditions: Device Platform: Android, iOS. Client apps: Mobile apps and desktop clients
Grant: select "Require device to be marked as compliant" and "Require app protection policy", also choose "Require one of the selected controls".
Enable policy: On.
Hope the above information can help.
We would like to keep the Require Compliant Device and we make less complex the App Protection Policy.
Then I think the combination would be good as mentioned:
This one will make sure that Data Apps (Exchange, SharePoint) will require the compliant device.
Any non-Office 365 apps will be covered by the App Protection policy.