Configure Conditional Access policies for application access control


If Microsoft Intune is the rule-maker, Microsoft Entra Conditional Access is the enforcer. You can build the most secure App Protection Policies and Device Compliance rules in the world, but if you don't configure Conditional Access to actively block unmanaged or non-compliant access, users can simply bypass your security by using native, unmanaged applications.

To achieve a true Zero Trust architecture, you must configure Conditional Access policies that act as the gateway to your corporate data. Here's how to configure application access control for both BYOD and corporate scenarios.

The BYOD scenario: enforce App Protection Policies (MAM)

When employees access work emails or files from their personal mobile devices, you want to ensure they're using a secure, containerized application (like Microsoft Outlook) rather than the native, unmanaged iOS Mail or Android Gmail app.

To enforce this control, you must configure a Conditional Access policy that blocks access unless the Intune App Protection Policy is actively applied.

Step-by-step configuration

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to Protection > Conditional Access > Policies and select New policy.

  3. Name: Give the policy a descriptive name, such as CA - BYOD - Require App Protection.

  4. Users: Target your specific user group (or All users, ensuring you exclude your emergency access/break-glass accounts).

  5. Target resources: Select Cloud apps, then choose Office 365 (which covers Exchange, SharePoint, Teams, and so on).

  6. Conditions:

    • Device platforms: Include iOS and Android.
    • Client apps: Select Mobile apps and desktop clients. (Leave browser unselected if you're handling web access in a separate policy.)
  7. Grant (the enforcement):

    • Select Grant access.
    • Check Require app protection policy.

    Note

    This control is the modern, preferred setting. The older "Require approved client app" setting was retired and is no longer available or enforced. If your tenant has legacy Conditional Access policies that used "Require approved client app," you must migrate them to use "Require app protection policy" to maintain MAM enforcement.

  8. Enable policy: Set to Report-only for initial testing, then switch to On when ready.

The user experience: If a user tries to add their corporate email to the native Apple Mail app, Microsoft Entra ID blocks the authentication and displays a message instructing them to download the Microsoft Outlook app from the App Store.

The corporate scenario: enforce device compliance (MDM)

For corporate-owned devices (Windows, macOS, or fully managed mobile devices), relying solely on App Protection is usually not enough. You want to ensure the entire device is healthy, encrypted, and up-to-date before it can connect to your environment.

To enforce this requirement, you link Intune's Compliance evaluation directly to Entra ID Conditional Access.

Step-by-step configuration

  1. Create a New policy in the Conditional Access portal.
  2. Name: CA - Corporate - Require Compliant Device.
  3. Users: Target your standard workforce groups.
  4. Target resources: Select All cloud apps (or specific high-risk apps like Salesforce or Office 365).
  5. Conditions:
    • Device platforms: Include Windows and macOS.
    • Filter for devices (optional but recommended): You can use this filter to explicitly target corporate devices by setting a rule like device.deviceOwnership -eq "Company". Be aware that a device that isn't registered in Entra ID has no ownership attribute to match, so with an include filter such a device falls outside the policy's scope and isn't blocked by it. If you also need to stop unregistered devices, cover them with a separate policy (or a broader grant control) rather than relying on this filter alone.
  6. Grant (the enforcement):
    • Select Grant access.
    • Check Require device to be marked as compliant.
  7. Enable policy: Set to Report-only or On.

The user experience: If a user's Windows laptop falls out of compliance (for example, they turned off the Windows Firewall or haven't checked in with Intune in 30 days), their next attempt to open Microsoft Teams or SharePoint is blocked. They're directed to the Company Portal app to view the reason for their noncompliance and fix it.


Advanced strategy: the OR vs. AND operator

In environments that support a mix of BYOD and corporate devices, you can combine these requirements into a single, elegant Conditional Access policy using the Multiple controls setting under the Grant menu.

  • Require one of the selected controls (OR):
    • If you select both "Require app protection policy" and "Require device to be marked as compliant," and set the operator to Require one, you support both scenarios simultaneously. A user on a personal iPhone is granted access because their Outlook app has the protection policy (satisfying condition A). A user on a corporate Windows laptop is granted access because their device is compliant (satisfying condition B).
  • Require all the selected controls (AND):
    • This combination is the strictest posture. The user must be on a fully managed, compliant device and be using a managed application.
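The three policies described in this unit (BYOD app protection, corporate device compliance, and the combined OR policy) can also be created with Microsoft Graph PowerShell, which is useful when you need them to be reproducible across tenants. The script below is an added example, not part of the Microsoft Learn module. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that you replace the placeholder break-glass group ID with the object ID of your own emergency-access group. In the Graph schema, `compliantApplication` is the built-in control the portal labels "Require app protection policy" and `compliantDevice` is "Require device to be marked as compliant"; every policy is created in report-only state.

```powershell
# Added example: create the BYOD, Corporate, and combined (OR) Conditional Access
# policies from this unit in report-only mode via Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# ASSUMPTION: object ID of your emergency-access (break-glass) group. Replace before running.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Every new policy starts in report-only mode; move to 'enabled' only after reviewing sign-in logs.
$reportOnly = 'enabledForReportingButNotEnforced'

function New-CaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Platforms,      # e.g. iOS, android, windows, macOS
        [Parameter(Mandatory)] [string[]] $GrantControls,  # compliantApplication and/or compliantDevice
        [ValidateSet('AND', 'OR')] [string] $Operator = 'OR',
        [string[]] $Applications   = @('Office365'),       # 'All' targets all cloud apps
        [string[]] $ClientAppTypes = @('all'),             # or @('mobileAppsAndDesktopClients')
        [string]   $DeviceFilterRule                       # optional "Filter for devices" rule
    )
    $conditions = @{
        applications   = @{ includeApplications = $Applications }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        platforms      = @{ includePlatforms = $Platforms }
        clientAppTypes = $ClientAppTypes
    }
    if ($DeviceFilterRule) {
        # Include mode: only devices matching the rule are in scope of this policy.
        $conditions.devices = @{ deviceFilter = @{ mode = 'include'; rule = $DeviceFilterRule } }
    }
    $body = @{
        displayName   = $Name
        state         = $reportOnly
        conditions    = $conditions
        grantControls = @{ operator = $Operator; builtInControls = $GrantControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. BYOD: mobile and desktop clients on iOS/Android must run under an Intune App Protection Policy.
New-CaPolicy -Name 'CA - BYOD - Require App Protection' `
    -Platforms @('iOS', 'android') `
    -ClientAppTypes @('mobileAppsAndDesktopClients') `
    -GrantControls @('compliantApplication')

# 2. Corporate: company-owned Windows/macOS devices must be marked compliant by Intune,
#    across all cloud apps.
New-CaPolicy -Name 'CA - Corporate - Require Compliant Device' `
    -Platforms @('windows', 'macOS') `
    -Applications @('All') `
    -DeviceFilterRule 'device.deviceOwnership -eq "Company"' `
    -GrantControls @('compliantDevice')

# 3. Mixed fleet: either control satisfies the grant ("Require one of the selected controls").
#    A personal iPhone passes via the protected Outlook app; a compliant corporate laptop passes via MDM.
New-CaPolicy -Name 'CA - Mixed - App Protection OR Compliant Device' `
    -Platforms @('iOS', 'android', 'windows', 'macOS') `
    -GrantControls @('compliantApplication', 'compliantDevice') `
    -Operator 'OR'
```

To switch to the strict AND posture described above, pass `-Operator 'AND'` to the third call; to enforce a policy after testing, update its `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.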

Safety first: report-only mode

Deploying Conditional Access policies can be dangerous; a misconfigured policy can accidentally lock the entire IT department out of the tenant.

Always deploy new policies in Report-only mode first. This mode allows the policy to evaluate user sign-ins in the background without actually blocking anyone. You can then review the Sign-in logs in Entra ID to see exactly who would have been blocked, allowing you to fix edge cases before flipping the switch to On.
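Reading the Sign-in logs for report-only results is easier to do in bulk than through the portal blade. The script below is an added example, not part of the module: it pulls the last 24 hours of sign-ins with Microsoft Graph PowerShell and lists the users, client apps, and devices that a named report-only policy would have blocked. It assumes the Microsoft.Graph.Reports module is installed and uses the BYOD policy name from this unit; the `reportOnlyFailure` result value is the one Entra ID records when a report-only policy would have denied the sign-in.

```powershell
# Added example: find sign-ins that a report-only Conditional Access policy WOULD have blocked.
# Requires: Install-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

function Get-ReportOnlyFailures {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [int] $Hours = 24
    )
    # Graph filters on createdDateTime expect ISO 8601 UTC timestamps.
    $since   = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

    foreach ($s in $signIns) {
        # Each sign-in records one result per evaluated CA policy. 'reportOnlyFailure' means
        # the policy matched and its grant controls were NOT satisfied, so it would have blocked.
        $hit = $s.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq 'reportOnlyFailure' }
        if ($hit) {
            [pscustomobject]@{
                Time      = $s.CreatedDateTime
                User      = $s.UserPrincipalName
                App       = $s.AppDisplayName
                ClientApp = $s.ClientAppUsed
                Platform  = $s.DeviceDetail.OperatingSystem
                Device    = $s.DeviceDetail.DisplayName
                Compliant = $s.DeviceDetail.IsCompliant
            }
        }
    }
}

# Summarize who would be locked out, grouped by user and client, most affected first.
Get-ReportOnlyFailures -PolicyName 'CA - BYOD - Require App Protection' |
    Group-Object User, ClientApp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Rows showing the native mail client on iOS or Android are the expected outcome (those users need to move to Outlook); rows for corporate desktops or service accounts are the edge cases to resolve before you switch the policy to On.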