People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications. With Conditional Access, organizations can restrict access to approved (modern authentication capable) client apps with Intune app protection policies applied to them.
21
21
22
-
This article presents two scenarios to configure Conditional Access policies for resources like Office 365, Exchange Online, and SharePoint Online.
22
+
This article presents three scenarios to configure Conditional Access policies for resources like Office 365, Exchange Online, and SharePoint Online.
-[Scenario 3: Exchange Online and SharePoint Online require an approved client app and app protection policy](#scenario-3-exchange-online-and-sharepoint-online-require-an-approved-client-app-and-app-protection-policy)
26
27
27
28
In the Conditional Access, these client apps are known to be protected with an app protection policy. More information about app protection policies can be found in the article, [App protection policies overview](/intune/apps/app-protection-policy)
28
29
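Review bot: the intro text in this hunk is changed from "two scenarios" to "three scenarios", but the only list entry visible here is the `[Scenario 3: ...](#scenario-3-exchange-online-and-sharepoint-online-require-an-approved-client-app-and-app-protection-policy)` link; make sure the link list gains matching entries for all three scenarios in order, and that each anchor matches the slug generated from its `## Scenario N: ...` heading (the Scenario 3 anchor shown does match the new heading text). The context line "In the Conditional Access, these client apps are known to be protected..." also reads better as "In Conditional Access, these client apps are known to be protected..." and is missing its terminal period, if a follow-up touches that line.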
@@ -83,7 +84,40 @@ For the Conditional Access policy in this step, configure the following componen
83
84
84
85
Review the article [How to create and assign app protection policies](/intune/apps/app-protection-policies), for steps to create app protection policies for Android and iOS.
85
86
86
-
## Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy
In this scenario, Contoso has decided that all mobile web browsing access to Office 365 resources must use an approved client app, like Edge for iOS and Android, protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
90
+
91
+
Organizations must complete the following steps in order to require the use of an approved client app on mobile devices.
92
+
93
+
**Step 1: Configure an Azure AD Conditional Access policy for Office 365**
94
+
95
+
1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
96
+
1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
97
+
1. Select **New policy**.
98
+
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
99
+
1. Under **Assignments**, select **Users and groups**
100
+
1. Under **Include**, select **All users** or the specific **Users and groups** you wish to apply this policy to.
101
+
1. Select **Done**.
102
+
1. Under **Cloud apps or actions** > **Include**, select **Office 365 (preview)**.
103
+
1. Under **Conditions**, select **Device platforms**.
104
+
1. Set **Configure** to **Yes**.
105
+
1. Include **Android** and **iOS**.
106
+
1. Under **Conditions**, select **Client apps (preview)**.
107
+
1. Set **Configure** to **Yes**.
108
+
1. Select **Browser**.
109
+
1. Under **Access controls** > **Grant**, select the following options:
110
+
-**Require approved client app**
111
+
-**Require app protection policy (preview)**
112
+
-**Require all the selected controls**
113
+
1. Confirm your settings and set **Enable policy** to **On**.
114
+
1. Select **Create** to create and enable your policy.
115
+
116
+
**Step 2: Configure Intune app protection policy for iOS and Android client applications**
117
+
118
+
Review the article [How to create and assign app protection policies](/intune/apps/app-protection-policies), for steps to create app protection policies for Android and iOS.
119
+
120
+
## Scenario 3: Exchange Online and SharePoint Online require an approved client app and app protection policy
87
121
88
122
In this scenario, Contoso has decided that users may only access email and SharePoint data on mobile devices as long as they use an approved client app like Outlook mobile protected by an app protection policy prior to receiving access. All of their users already sign in with Azure AD credentials and have licenses assigned to them that include Azure AD Premium P1 or P2 and Microsoft Intune.
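Review bot: the new `## Scenario 2: Exchange Online and SharePoint Online require an approved client app and app protection policy` heading is word-for-word identical to the Scenario 3 heading below it, while the Scenario 2 body describes browser access to Office 365 resources (Edge for iOS and Android with the Client apps condition set to Browser); retitle Scenario 2 to reflect that, for example "Scenario 2: Office 365 mobile browser access requires an approved client app and app protection policy", and update any link list entry that points to it. Also, the three Grant-control bullets are written as `-**Require approved client app**` with no space after the hyphen, so Markdown will not render them as a list; change them to `   - **Require approved client app**` (indented under step 16) and likewise for the other two, and add the missing period after "Under **Assignments**, select **Users and groups**".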