Can I add a non-Microsoft product to "Approved client apps"? (Azure AD > Conditional Access > Require approved client app)

simple123 1

Hi, my company's mobile app supports Microsoft Azure AD SSO.

But some of our clients who use Conditional Access > Require approved client app are experiencing blocking when trying SSO because my app is not listed on Approved client apps.

When I tested some non-Microsoft mobile apps (particularly those supporting Intune), I saw these apps redirect users to Microsoft Edge for an SSO flow and then bring them back to the app via a universal link.

But in the case of Microsoft Teams, which is one of the "Approved client apps," it just opens an in-app web view and have users go through the SSO flow in there.

Is there any way to implement the same SSO flow for my non-Microsoft app so it can pass "Require approved client app" without having to direct users to Microsoft Edge? Or, is the above mentioned apps' approach that goes through Edge is a generally recommended solution?

1 answer

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,426 Reputation points

2022-07-10T03:10:21.957+00:00

Hello @simple123 , in order for your app to pass the require approved client app CA requirement you need to integrate it with the Intune SDK or wrap it with the Intune App Wrapping Tool. For more information take a look to Apps you can manage with app protection policies. The aforementioned approved client app list is only meant to be updated by Microsoft.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.
Please sign in to rate this answer.
simple123 1 Reputation point

2022-07-11T05:07:44.507+00:00

Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ,

Thank you for your answer. I know that I can add the Intune capabilities to my app, and I saw a number of Intune-supporting non-Microsoft apps.

But what I'd like to know is whether I can add my app to the Approved client apps, which apply to Azure AD SSO with the following Conditional Access policy:

As far as I've observed, even Intune-supporting apps have users conduct SSO via Microsoft Edge, not within their own web view, to pass the "Require approved client app" policy. Is this the best approach for non-Microsoft apps to be compliant with that policy?

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,426 Reputation points

2022-07-11T07:06:12.417+00:00

This is by design, since the app is not in the approved app list (MSAL is required to meet control criteria) it redirects you to Edge/Managed browser. You need to implement the Intune SDK inside the app to meet approved app list.

simple123 1 Reputation point

2022-07-11T09:44:17.767+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA I mean even the apps that implement the Intune SDK inside still use Microsoft Edge, and the guide (please see this link) says only the following apps support the "Require approved client app" setting—none of them are non-Microsoft products:

So, I wondered if SSO through Microsoft Edge is a generally recommended approach for non-Microsoft apps that implement the Intune SDK.
Or, is there any example that a non-Microsoft app implements an in-app SSO without having to redirect users to Edge?

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,426 Reputation points

2022-07-11T18:47:57.28+00:00

Hello @simple123 , please take a look to Supported browsers. All but Safari will satisfy required approved client.

simple123 1 Reputation point

2022-07-12T18:00:07.41+00:00

Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ,

The supported browsers you mentioned are about Conditional Access > Conditions > Client apps.
But what I'm challenged with is Conditional Access > Grant > Grant access > Require approved client app.

WHAT I'M ASKING IS:

When you try singing in on Microsoft Teams for Mobile, you'll see the Microsoft login webpage opened within the app:

And once you fill in your credentials, you'll be successfully signed in even with the "Require approved client app" on. This is because Teams is one of the approved clients apps officially listed in this guide.

But if you're developing your own app and this implements the same in-app Microsoft authentication (you can do it using Azure AD SSO),
your users will face the following blocking page if their organization enabled the "Require approved client app" setting:

That's why a lot of Azure AD SSO supporting apps—regardless whether they're using the Intune SDK or not—open Microsoft Edge and have users proceed with SSO therein (not like Teams, which can implement SSO WITHIN the app without having to send users to Edge).
So, I wonder if this approach is officially, or at least generally, recommended for non-Microsoft mobile apps.

simple123 1 Reputation point

2022-07-13T18:21:30.627+00:00

Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , as this thread has been too deeply nested, I added a new comment below. Could you take a look?

simple123 1 Reputation point

2022-07-18T08:12:27.397+00:00

Hello, @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , thank you for your continued support.

But the documents you referenced are talking about how to manage access to the ALREADY LISTED client apps, and not about how an app provider can add the app to the list.

Besides, I checked that even Intune apps cannot pass the Require approved client app policy WITHIN THE APP. For example, please take a look at the following screenshot of Slack for Intune, which definitely implements the Intune SDK:

This app basically has users proceed with SSO through Microsoft Edge.
But when I forcibly attempted SSO within the app, I encountered the same blocking page as shown below (The app logo is Slack for Intune's) even though it's registered as an official Intune app:

This obviously means implementing the Intune SDK doesn't help non-Microsoft apps to pass the Require approved client app policy.
So, what I'm asking is: Is using Microsoft Edge (as I observed from other Intune apps) the recommended solution for non-Microsoft apps using Azure AD SSO to pass the above mentioned policy?

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,426 Reputation points

2022-07-18T15:48:49.457+00:00

Hello @simple123 , I'm reaching the CA team about this and will come back to you ASAP.
Sign in to comment

Share via

Can I add a non-Microsoft product to "Approved client apps"? (Azure AD > Conditional Access > Require approved client app)

1 answer