Mobile devices shall only be able to access corporate data through approved client apps
Description
Conditional Access policies can be configured so that corporate data on mobile devices is only accessible through approved client apps. This prevents a user from accessing corporate mail and files through the device's native mail client, a client that the organization cannot control or selectively wipe if the user leaves.
Policy
Mobile devices shall only be able to access corporate data through approved client apps
Licensing Considerations
This setting requires at least an Azure AD Premium P1 (now Microsoft Entra ID P1) license, which is available standalone or as part of the following bundles:
EMS+E3/E5
Microsoft 365 Business Premium
Microsoft 365 E3
Microsoft 365 E5
Set-Up Instructions
Follow the steps outlined here to create a conditional access policy that requires approved client apps for mobile devices.
Under Access controls > Grant, select only the Require approved client app control.
*Note* You may choose to add the Require app protection policy grant control here as well, but that control is only satisfied when the signing-in app has an Intune app protection policy applied to it; if your app protection policies are assigned only to managed devices, this means the device must also be enrolled in your MDM solution. More information here: Grant controls in Conditional Access policy - Azure Active Directory - Microsoft Entra | Microsoft Learn
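The portal steps above can also be scripted. The following PowerShell is an added example (not a script from this page or from Microsoft) that creates the same policy through the Microsoft Graph PowerShell SDK: iOS and Android only, all users, all cloud apps, grant control "Require approved client app" (the Graph value `approvedApplication`). It assumes the Microsoft.Graph module is installed, that the caller holds the `Policy.ReadWrite.ConditionalAccess` permission, and that `$BreakGlassGroupId` is replaced with the real object ID of your emergency-access group; the policy is created in report-only mode so you can review sign-in log results before enforcing it.

```powershell
# Added example, not part of the original page. Creates the "require approved client app"
# Conditional Access policy for mobile platforms via the Microsoft Graph PowerShell SDK.
# Assumptions (not from the page): Microsoft.Graph is installed, the caller can consent to
# Policy.ReadWrite.ConditionalAccess, and $BreakGlassGroupId is a real group object ID.
Import-Module Microsoft.Graph.Identity.SignIns

# Scopes needed to create and read Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): group holding your emergency-access ("break glass") accounts.
# Always exclude these from a grant policy so a misconfiguration cannot lock out admins.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Mobile: require approved client app"
    # Report-only first: sign-in logs show what WOULD be blocked without blocking anyone.
    # Switch to "enabled" once the results look right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        # Scope to mobile platforms only; Windows and macOS sign-ins are untouched.
        platforms      = @{
            includePlatforms = @("iOS", "android")
        }
        # "all" covers browser, modern-auth mobile apps and Exchange ActiveSync clients,
        # so a native mail app using EAS is caught as well.
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "approvedApplication" is the Graph name for "Require approved client app".
        # To also require an app protection policy, add "compliantApplication" and keep
        # the operator as "AND" (with "OR", satisfying either control would grant access).
        operator        = "OR"
        builtInControls = @("approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the grant control and platforms that were stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Id        = $check.Id
    Name      = $check.DisplayName
    State     = $check.State
    Platforms = ($check.Conditions.Platforms.IncludePlatforms -join ", ")
    Grant     = ($check.GrantControls.BuiltInControls -join ", ")
}
```

After the policy has run in report-only mode for a while, filter the Entra sign-in logs on this policy's name and look at the "Report-only: Failure" results; those are the users and client apps that would be blocked once the state is changed to enabled.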
End-User Impact
Level: Medium
If a user tries to access corporate data from an unapproved client app, such as the native mail app on the mobile device, they are redirected to the Apple App Store or Google Play Store to download the approved client app (in this case, Outlook).
Tips
App Protection policies can be scoped to managed or unmanaged devices. If you have them scoped to managed devices, you will likely want to include the "Require app protection policy" control in the grant controls of the Conditional Access policy as well.
PowerShell Scripts
None Currently
Videos