How to combine conditional access with app protection policy?

• 13 January, 2021
• No Comments

In the previous post we created app protection policy. Now it’s time to combine conditional access. We need conditional access to ensure that a device which is not configured with application protection policy will not have access to our tenant resources.

Why Conditional access policy?

Conditional access policy is an amazing feature of Azure Active Directory. It can ease our lives. And make it more secure. I am huge fan of it.

For example, we can cut off all devices that do not meet certain criteria. If we know that none of our employees will work from Japan or another region, we can cut off access by IP address. Another example would be to prevent access for devices that don’t have a specific version of Windows.

If you want to learn more, please read official document from Microsoft. Believe me it’s worth to learn it.

Combine conditional access with app protection policy

First, we need to verify that the devices we want to grant access to are properly configured with application protection policy. Otherwise, users will lost access to company resources. You should go to Intune and verify that your policy has been applied. If you ready go to Azure Active Directory, then Security tab. Then pick conditional access. Press New Policy. You will see screen like below:

This is common screen when we create new entry. You will start always in this place.

1. Enter name.
2. Under assignments select to who those setting will be applied. If I may suggest something here:
   • Start with small group. I have my test user group who will be under those settings as first wave
   • Use exclude. Microsoft recommends having at least one account which is excluded from any policy, not used in general. Remember that if you do something wrong you will get lock!
3. On cloud apps or actions select: Office 365
4. For conditions tab select device platform which you want to use.
5. On the Grant tab pick as condition “Require app protection policy”
6. Finally enable your policy.

Usually, it’s a good practice to use “Report-only” mode, just for tests purposes, but in case of non-Windows devices you have to remember about one thing.

Policies in report-only mode that require compliant devices may prompt users on Mac, iOS, and Android to select a device certificate during policy evaluation, even though device compliance is not enforced. These prompts may repeat until the device is made compliant. To prevent end users from receiving prompts during sign-in, exclude device platforms Mac, iOS and Android from report-only policies that perform device compliance checks. Note that report-only mode is not applicable for Conditional Access policies with “User Actions” scope.

What’s next?

As you saw you can combine conditional access with your app protection policy quite easy. It’s not rocket science. But you should check other scenarios. It’s a powerful feature and easy to use. Those settings can make stronger your environment and remove some security holes. Also, in some cases they can limit unnecessary actions on administrator side.