File: articles/active-directory/conditional-access/concept-conditional-access-grant.md
7 additions & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: conceptual
9
-
ms.date: 03/04/2020
9
+
ms.date: 03/25/2020
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -64,6 +64,8 @@ Organizations can choose to use the device identity as part of their Conditional
64
64
65
65
Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
66
66
67
+
In order to leverage this grant control, Conditional Access requires that the device be registered in Azure Active Directory which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.
68
+
67
69
This setting applies to the following iOS and Android apps:
68
70
69
71
- Microsoft Azure Information Protection
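Review bot: The new paragraph at line 67 names the Android broker as "Microsoft Company portal", while the bullet added later in this same change calls it the "Intune Company Portal app"; pick one product name and use it in both places so readers do not go looking for two different apps. The sentence "requires that the device be registered in Azure Active Directory which requires the use of a broker app" also needs a comma before "which" (or a rewrite such as "registered in Azure Active Directory, and registration requires a broker app"). Since this paragraph is repeated verbatim under the app protection policy section, consider stating the broker requirement once in a shared note or include so the two copies cannot drift apart in later edits.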
@@ -101,6 +103,7 @@ This setting applies to the following iOS and Android apps:
101
103
- The approved client apps support the Intune mobile application management feature.
102
104
- The **Require approved client app** requirement:
103
105
- Only supports the iOS and Android for device platform condition.
106
+
- A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it is Intune Company Portal app.
104
107
- Conditional Access cannot consider Microsoft Edge in InPrivate mode an approved client app.
105
108
106
109
See the article, [How to: Require approved client apps for cloud app access with Conditional Access](app-based-conditional-access.md) for configuration examples.
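Review bot: The added bullet at line 106 reads "on Android, it is Intune Company Portal app"; it should be "it is the Intune Company Portal app". It also repeats the broker requirement already stated in the paragraph added above in this change, which is fine for a scan-friendly limitations list, but the two should then agree on the Android app name (the paragraph says "Microsoft Company portal").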
@@ -109,6 +112,8 @@ See the article, [How to: Require approved client apps for cloud app access with
109
112
110
113
In your Conditional Access policy, you can require an [Intune app protection policy](/intune/app-protection-policy) be present on the client app before access is available to the selected cloud apps.
111
114
115
+
In order to leverage this grant control, Conditional Access requires that the device be registered in Azure Active Directory which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.
116
+
112
117
This setting applies to the following client apps:
113
118
114
119
- Microsoft Cortana
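Review bot: Line 115 is a character-for-character copy of the paragraph added in the approved client app section, including the "Microsoft Company portal" wording and the missing comma before "which". Duplicated text in two sections of one article tends to be fixed in one place and not the other; if both sections must carry it, at least apply the same naming and punctuation fixes here, or reference the earlier section instead of repeating it.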
@@ -121,6 +126,7 @@ This setting applies to the following client apps:
121
126
- Apps for app protection policy support the Intune mobile application management feature with policy protection.
122
127
- The **Require app protection policy** requirements:
123
128
- Only supports the iOS and Android for device platform condition.
129
+
- A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it is Intune Company Portal app.
124
130
125
131
See the article, [How to: Require app protection policy and an approved client app for cloud app access with Conditional Access](app-protection-based-conditional-access.md) for configuration examples.
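Review bot: Line 129 duplicates the bullet added under the approved client app requirement and carries the same missing article ("it is the Intune Company Portal app"). Keep the wording identical in both lists once corrected so the broker name matches across the article.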