Conditional access: block browser but allow app login

Per Klitgaard Madsen 26 Reputation points
2022-02-25T10:48:35.303+00:00

Hi,
We want to use 'App protection policies' to limit access to our data, and not having to manage all of our mobile devices.
But App protection policies only apply to known apps, and not to browser access (afaik) - correct me if I'm wrong. So this means that on e.g. an Android device, a user is restricted in how they access data through MS apps, but has full access through their Chrome browser.
So to mitigate that, I wanted to set up a conditional access rule that would block access for all non-MS apps. But I just can't seem to do it. I think I need 2 rules: one that allows access to MS apps (with MFA etc.), and one that blocks access from non-MS apps.
Can anyone point me in the right direction? Is it even possible, or should it be done in another way?


Accepted answer
  1. Siva-kumar-selvaraj 15,556 Reputation points
    2022-02-28T21:48:12.043+00:00

    @Per Klitgaard Madsen ,

    Thanks for sharing your findings here. Could you please "accept your answer as verified", as this would help others in the community who experience a similar problem.

    Yes, as you mentioned, when dealing with multi-client app scenarios, you can always create multiple policies to fulfill your requirements, since this approach is commonly used for blocking web applications while allowing mobile or desktop apps.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#client-apps

    Furthermore, instead of including all cloud apps, try using individual Microsoft cloud applications in the app section (such as Office 365, which includes multiple related child apps or services), because when you include all cloud apps, this policy impacts all browser access, including the Azure portal.

    If you have no other option than including 'All cloud apps', make sure you have set up emergency access accounts in Azure AD to prevent being accidentally locked out of your Azure Active Directory (Azure AD). To learn more, refer to How to manage emergency access accounts in Azure AD.

    Hope this helps.


2 additional answers

  1. Eswar Koneti 2,201 Reputation points
    2022-02-25T13:48:34.727+00:00

    The required client apps list for conditional access is given here: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app
    The Microsoft Edge browser is one of the approved apps to which you can apply the CA policy.
    For non-approved apps, if they try to connect to O365 for authentication, the CA policy will block them because of the unapproved client app.
    There is no way to make a custom app an approved client app for now; it is only the Microsoft apps.

    Thanks,
    Eswar
    www.eskonr.com


  2. Per Klitgaard Madsen 26 Reputation points
    2022-02-28T10:26:09.917+00:00

    Thanks Eswar for your reply. It didn't really address my question exactly, but it sent me in the right direction.
    My question was how to block for browser access and allow app access (since app behaviour can be managed with an app protection policy).

    I have found that the answer is easy; you just have to understand the meanings of the definitions when setting up CA.

    2 rules are needed:

    • One to allow access to apps. Under Conditions -> Client apps, include 'Mobile apps and desktop clients'. Then under Grant -> select 'Grant access' and choose MFA and whatever else you need.
    • Then add another Conditional Access rule to block access. Under Conditions -> Client apps, include 'Browser' (and Legacy apps). Then under Grant -> choose Block.
    • Both rules need to include 'All cloud apps'. That's what confused me, because it didn't seem obvious to me that it should be included when I wanted to restrict access to cloud apps. But I guess it makes sense...

    That's all that is needed, quite easy. Now OWA and portal.office.com access is disallowed, but access through the official apps is allowed.

    Hope it can help others.
    Regards, Per.

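The two rules Per describes, together with the scoping and break-glass caveats from the accepted answer, written out as an added example (not code from the thread or from Microsoft): the policies are expressed as Microsoft Graph conditionalAccessPolicy objects and created with the Microsoft Graph PowerShell SDK. Assumptions that are not in the original posts: the emergency-access group object ID is a placeholder, both policies are created in report-only mode so sign-in logs show what would be blocked before anything is enforced, and the emergency-access group is excluded from both policies.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): object ID of the group holding the emergency access
# accounts the accepted answer recommends having before scoping to 'All cloud apps'.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # replace before use

# Shared scope: 'All cloud apps', all users, break-glass group excluded.
# Alternative from the accepted answer: includeApplications = @("Office365")
# limits the pair to Office 365 and leaves browser access to the Azure portal intact.
$scope = @{
    applications = @{ includeApplications = @("All") }
    users        = @{
        includeUsers  = @("All")
        excludeGroups = @($BreakGlassGroupId)
    }
}

# Rule 1: Conditions -> Client apps = 'Mobile apps and desktop clients';
# Grant -> Grant access, require MFA.
$allowApps = @{
    displayName   = "CA01 - Allow mobile and desktop apps with MFA"
    state         = "enabledForReportingButNotEnforced"   # set to "enabled" after review
    conditions    = $scope + @{ clientAppTypes = @("mobileAppsAndDesktopClients") }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Rule 2: Conditions -> Client apps = 'Browser' plus legacy clients; Grant -> Block.
# In the Graph schema the portal's legacy-client checkbox is exchangeActiveSync + other.
$blockBrowser = @{
    displayName   = "CA02 - Block browser and legacy clients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ clientAppTypes = @("browser", "exchangeActiveSync", "other") }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($allowApps, $blockBrowser)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State)
}

# Review check: list enforced policies that block browser access across 'All cloud
# apps' - the combination the accepted answer warns also cuts off the Azure portal.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq "enabled" -and
        $_.GrantControls.BuiltInControls -contains "block" -and
        $_.Conditions.ClientAppTypes -contains "browser" -and
        $_.Conditions.Applications.IncludeApplications -contains "All"
    } |
    Select-Object DisplayName, Id, State
```

Run it once in report-only mode, check the Conditional Access sign-in report for a few days to confirm that only browser and legacy sign-ins show as "would block", and only then change `state` to `"enabled"` on both policies. The final query is the check to keep handy afterwards: any enforced block-browser policy scoped to 'All cloud apps' without an excluded emergency-access group is the lock-out scenario the accepted answer describes.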