Mobile devices shall only be able to access corporate data through approved client apps

Description

Conditional Access policies can be set up to only allow access to corporate data from approved client apps. This setting prevents a user from using the native mail client on their mobile device, a client that you are not able to control or wipe if they leave the organization.

Policy

  • Mobile devices shall only be able to access corporate data through approved client apps

Licensing Considerations

This setting requires at least an Azure AD P1 license which comes standalone or as part of the following bundles:

  • EMS+E3/E5

  • Microsoft 365 Business Premium

  • Microsoft 365 E3

  • Microsoft 365 E5

Set-Up Instructions

  1. Follow the steps outlined here to create a Conditional Access policy that requires approved client apps for mobile devices.

  2. In the Access Controls (Grant) section, select only the Require approved client app setting.

*Note* You may choose to add the Require app protection policy setting here as well, but it will require that these devices enroll in the MDM solution. More information here: Grant controls in Conditional Access policy - Azure Active Directory - Microsoft Entra | Microsoft Learn
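The policy described in the steps above, created with the Microsoft Graph PowerShell SDK, as an added example (this is not a script from the original page, which lists none). It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can manage Conditional Access; the display name and the excluded emergency-access group ID are placeholders. The policy is created in report-only mode so its sign-in impact can be reviewed before it is switched to enabled.

```powershell
# Added example: create a Conditional Access policy that requires an approved client app
# on Android and iOS. Display name and excluded group ID below are placeholders (assumptions).

Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"

$policy = @{
    displayName = "CA - Mobile - Require approved client app"   # assumed name
    # Report-only first: sign-in logs show what WOULD be blocked without enforcing anything.
    state       = "enabledForReportingButNotEnforced"           # change to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Keep break-glass / emergency access accounts out of every Conditional Access policy.
            excludeGroups = @("<emergency-access-group-object-id>")  # placeholder
        }
        applications = @{
            includeApplications = @("All")
        }
        platforms = @{
            includePlatforms = @("android", "iOS")   # policy applies only to mobile platforms
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # "approvedApplication" = Require approved client app.
        # Add "compliantApplication" to also require an app protection policy (see the note above);
        # with operator "AND" both controls must be satisfied.
        builtInControls = @("approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the grant control that was applied.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, @{ n = "GrantControls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

After a review period in report-only mode, check the Conditional Access sign-in report for users and apps that would have been blocked, then set the policy state to "enabled" (for example with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled").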

End-User Impact

Level: Medium

If a user tries to access corporate data from an unapproved client app, such as the native mail app on the mobile device, they will be redirected to the Apple App Store or Google Play Store to download the approved client app (in this case, Outlook).

Tips

App Protection policies can be scoped to managed or unmanaged devices. If you have them scoped to managed devices, it is likely you will want to include the “Require app protection policy” setting in the grant controls of the Conditional Access policy.

PowerShell Scripts

None Currently

Videos
