Commit 05a8540

Update
1 parent db0fc05 commit 05a8540

3 files changed

+13
-33
lines changed

articles/active-directory/conditional-access/app-based-conditional-access.md

Lines changed: 3 additions & 5 deletions
@@ -6,16 +6,16 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: article
9-
ms.date: 03/03/2020
9+
ms.date: 03/04/2020
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
1313
manager: daveba
14-
ms.reviewer: spunukol
14+
ms.reviewer: spunukol, rosssmi
1515

1616
ms.collection: M365-identity-device-management
1717
---
18-
# How to: Require approved client apps for cloud app access with Conditional Access
18+
# How to: Require approved client apps for cloud app access with Conditional Access
1919

2020
People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps.
2121

@@ -26,8 +26,6 @@ This article presents two scenarios to configure Conditional Access policies for
2626

2727
In Conditional Access, this functionality is known as requiring an approved client app. For a list of approved client apps, see [approved client app requirement](concept-conditional-access-grant.md#require-approved-client-app).
2828

29-
![Conditional Access require an approved client app setting](./media/app-based-conditional-access/require-approved-client-app.png)
30-
3129
## Scenario 1: Office 365 apps require an approved client app
3230

3331
In this scenario, Contoso has decided that users using mobile devices can access all Office 365 services as long as they use approved client apps, like Outlook mobile, OneDrive, and Microsoft Teams. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
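
Review bot: The screenshot removed at old line 29 leaves ./media/app-based-conditional-access/require-approved-client-app.png without this reference, and none of the 3 files changed in this commit is a media file. If no other article still uses the image, delete it in the same change so it does not linger as an orphan. If the removal was not intended, restore the line, because the paragraph above it now names the "requiring an approved client app" setting with nothing showing where it lives in the policy UI.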

articles/active-directory/conditional-access/app-protection-based-conditional-access.md

Lines changed: 5 additions & 27 deletions
@@ -6,18 +6,16 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: article
9-
ms.date: 03/03/2020
9+
ms.date: 03/04/2020
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
1313
manager: daveba
14-
ms.reviewer: spunukol
15-
16-
#Customer intent: As an IT admin, I want to know how to require an app protection policy for the access to certain resources to ensure that they're accessed only from applications that meet my standards for security and compliance.
14+
ms.reviewer: spunukol, rosssmi
1715

1816
ms.collection: M365-identity-device-management
1917
---
20-
# How to: Require approved client app and app protection policy for cloud app access with Conditional Access
18+
# How to: Require app protection policy and an approved client app for cloud app access with Conditional Access
2119

2220
People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps with Intune app protection policies applied to them.
2321

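Review bot: The renamed H1 at new line 18 puts "app protection policy" first, but the scenario links in this same file (visible as context in the next hunk) keep the old order, for example "Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy". Pick one order and use it for both the title and the scenario headings. The hunk also drops the `#Customer intent:` comment at old line 16 with nothing in its place; keep it unless that metadata is being retired on purpose, and say so in the commit message, which currently reads only "Update".
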
@@ -26,31 +24,10 @@ This article presents two scenarios to configure Conditional Access policies for
2624
- [Scenario 1: Office 365 apps require approved apps with app protection policies](#scenario-1-office-365-apps-require-approved-apps-with-app-protection-policies)
2725
- [Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy](#scenario-2-exchange-online-and-sharepoint-online-require-an-approved-client-app-and-app-protection-policy)
2826

29-
## Overview
30-
31-
With [Azure AD Conditional Access](overview.md), you can fine-tune how authorized users can access your resources. For example, you can limit the access to your cloud apps to trusted devices.
32-
33-
You can use [Intune app protection policies](https://docs.microsoft.com/intune/app-protection-policy) to help protect your company's data. Intune app protection policies don't require a mobile device management (MDM) solution. You can protect your company's data with or without enrolling devices in a device management solution.
34-
35-
Azure Active Directory Conditional Access restricts access to your cloud apps to client applications that Intune has reported to Azure AD as receiving an app protection policy. For example, you can restrict access to Exchange Online to the Outlook app that has an Intune app protection policy.
36-
37-
In the Conditional Access terminology, these client apps are known to be protected with an *app protection policy*.
27+
In the Conditional Access, these client apps are known to be protected with an app protection policy. More information about app protection policies can be found in the article, [App protection policies overview](/intune/apps/app-protection-policy)
3828

3929
For a list of eligible client apps, see [App protection policy requirement](concept-conditional-access-grant.md).
4030

41-
You can combine app-protection-based Conditional Access policies with other policies, such as [device-based Conditional Access policies](require-managed-devices.md). This way, you can provide flexibility in how to protect data for both personal and corporate devices.
42-
43-
44-
## Benefits of app protection-based Conditional Access requirement
45-
46-
Similar to compliance that's reported by Intune for iOS and Android for a managed device, Intune now reports to Azure AD if an app protection policy is applied. Conditional Access can use this policy as an access check. This new Conditional Access policy, the app protection policy, increases security. It protects against admin errors, such as:
47-
48-
- Users who don't have an Intune license.
49-
- Users who can't receive an Intune app protection policy.
50-
- Intune app protection policy apps that aren't configured to receive a policy.
51-
52-
Intune app protection policies must be in place on the application to access corporate data. Policies might prompt the user to restart the application or use an additional PIN. This is the case if the policies are configured for the application and platform.
53-
5431
## Scenario 1: Office 365 apps require approved apps with app protection policies
5532

5633
In this scenario, Contoso has decided that all mobile access to Office 365 resources must use approved client apps, like Outlook mobile, OneDrive, and Microsoft Teams protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
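
Review bot: Added line 27 reads "In the Conditional Access, these client apps are known to be protected with an app protection policy", which drops the word "terminology" from the sentence it replaces and leaves "these client apps" without an antecedent now that the Overview paragraphs above it are deleted; the line also ends without a period after the link. Suggest a sentence that stands alone, such as "In Conditional Access terminology, client apps that Intune has reported as receiving an app protection policy are known as protected with an app protection policy." Separately, the deleted Benefits section is where this article stated which admin errors the requirement guards against (users without an Intune license, users who can't receive a policy, apps not configured to receive one) and that policies may prompt for a restart or PIN; confirm that content exists in another article before removing it, since none of the other files in this commit picks it up.
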
@@ -160,3 +137,4 @@ Review the article [How to create and assign app protection policies](/intune/ap
160137
[Conditional access components](concept-conditional-access-policies.md)
161138

162139
[Common Conditional Access policies](concept-conditional-access-policy-common.md)
140+

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 5 additions & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 02/11/2020
9+
ms.date: 03/04/2020
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -97,6 +97,8 @@ This setting applies to the following client apps:
9797
- Only supports the iOS and Android for device platform condition.
9898
- Conditional Access cannot consider Microsoft Edge in InPrivate mode an approved client app.
9999

100+
See the article, [How to: Require approved client apps for cloud app access with Conditional Access](app-based-conditional-access.md) for configuration examples.
101+
100102
### Require app protection policy
101103

102104
In your Conditional Access policy, you can require an app protection policy be present on the client app before access is available to the selected cloud apps.
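
Review bot: The sentence added at line 100, "See the article, [How to: Require approved client apps for cloud app access with Conditional Access](app-based-conditional-access.md) for configuration examples.", has an unbalanced comma after "article" and copies the target's full H1 as link text, which goes stale whenever that title is edited (this same commit renames the H1 of the sibling how-to). Suggest "For configuration examples, see [Require approved client apps](app-based-conditional-access.md)." The line added at 121 in the following hunk has the same shape and should be changed the same way.
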
@@ -116,6 +118,8 @@ This setting applies to the following client apps:
116118
- The **Require app protection policy** requirements:
117119
- Only supports the iOS and Android for device platform condition.
118120

121+
See the article, [How to: Require app protection policy and an approved client app for cloud app access with Conditional Access](app-protection-based-conditional-access.md) for configuration examples.
122+
119123
## Next steps
120124

121125
- [Conditional Access: Session controls](concept-conditional-access-session.md)
