Set up app-based Conditional Access policies with Intune
Set up app-based Conditional Access policies for apps that are part of the list of approved apps. The list of approved apps consists of apps that were tested by Microsoft.
Before you can use app-based Conditional Access policies, you need to have Intune app protection policies applied to your apps.
This article walks through the steps to add a simple app-based Conditional Access policy. You can use the same steps for other cloud apps. For more information, see Plan Conditional Access deployment.
Create app-based Conditional Access policies
Conditional Access is an Azure Active Directory (Azure AD) technology. The Conditional Access node you access from Intune is the same node that you access from Azure AD. Because it's the same node, you don't need to switch between Intune and Azure AD to configure policies.
Before you can create Conditional Access policies from the Microsoft Endpoint Manager admin center, you must have an Azure AD Premium license.
To create an app-based Conditional Access policy
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Endpoint security > Conditional access > New policy.
3. Enter a policy Name, and then under Assignments, select Users or workload identities, and apply the policy to Users and groups. Use the Include or Exclude options to add your groups for the policy.
4. Select Cloud apps or actions, and apply the policy to Cloud apps. Use the Include or Exclude options to select the apps to protect. For example, choose Select apps, and select Office 365 (preview).
5. Select Conditions > Client apps to apply the policy to apps and browsers. For example, select Yes, and then select the checkboxes to enable Browser and Mobile apps and desktop clients.
6. Under Access controls, select Grant to apply Conditional Access based on a device compliance status. For example, select Grant access > Require approved client app and Require app protection policy, then select Require one of the selected controls.
7. For Enable policy, select On, and then select Create to save your changes. By default, Enable policy is set to Report-only.
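The policy these steps produce, written as a Microsoft Graph conditionalAccessPolicy body, together with a check that catches a policy left in the Report-only default or missing one of the two grant controls. This is an added example, not part of the original article; the function names, display name and group ID are assumptions made for illustration.

```python
# Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
# resource; the display name and group ID used below are constructed placeholders.
REQUIRED_CONTROLS = {"approvedApplication", "compliantApplication"}
REQUIRED_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}

def build_policy(name, group_ids, state="enabledForReportingButNotEnforced"):
    """Graph request body matching the portal steps (default state = Report-only)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": sorted(REQUIRED_CLIENTS),
        },
        "grantControls": {
            "operator": "OR",  # "Require one of the selected controls"
            "builtInControls": sorted(REQUIRED_CONTROLS),
        },
    }

def audit_policy(policy):
    """List the ways an exported policy falls short of the configuration above."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("state is %r, so the policy is not enforced" % policy.get("state"))
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if not (users.get("includeGroups") or users.get("includeUsers")):
        findings.append("no users or groups are included")
    if not (cond.get("applications") or {}).get("includeApplications"):
        findings.append("no cloud apps are included")
    clients = set(cond.get("clientAppTypes") or [])
    if "all" not in clients and REQUIRED_CLIENTS - clients:
        findings.append("client apps not covered: %s" % sorted(REQUIRED_CLIENTS - clients))
    grant = policy.get("grantControls") or {}  # may be null in an exported policy
    missing = REQUIRED_CONTROLS - set(grant.get("builtInControls") or [])
    if missing:
        findings.append("grant controls missing: %s" % sorted(missing))
    return findings

if __name__ == "__main__":
    draft = build_policy("Require approved apps for Office 365",
                         ["00000000-0000-0000-0000-000000000000"])
    for finding in audit_policy(draft):
        print("FINDING:", finding)
```

The same `audit_policy` function can be run over each policy object returned by the Graph `identity/conditionalAccess/policies` endpoint to confirm that the app-based policy is switched On rather than left in Report-only.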