Conditional access policies for app protection policies Flashcards

(5 cards)

1
Q

What is Conditional Access?

A

A security feature that allows organizations to restrict access to approved client apps.

2
Q

What is the role of Intune app protection policies in Conditional Access?

A

They enforce access restrictions to modern authentication capable client apps.

3
Q

What are the 10 high-level steps to create a Conditional Access policy requiring an approved client app or an app protection policy when using an iOS/iPadOS or Android device in Entra ID?

A
  1. Entra ID > Conditional Access, select Create new policy.
  2. Give your policy a name.
  3. Assignments: select Users or workload identities.
  4. Under Include, select All users.
  5. Under Exclude, select Users and groups and exclude at least one account to prevent yourself from being locked out. If you don’t exclude any accounts, you can’t create the policy.
  6. Target resources > Resources > Include, select All resources.
  7. Under Conditions > Device platforms, set Configure to Yes.
  8. Under Include, select device platforms: choose Android and iOS.
  9. Under Access controls > Grant, select Grant access.
  10. Select Require approved client app and Require app protection policy.
    For multiple controls, select Require one of the selected controls.
4
Q

What are the 10 high-level steps to require an app protection policy on Windows devices in Entra ID?

A
  1. Entra ID > Conditional Access, select Create new policy.
  2. Give your policy a name.
  3. Assignments: select Users or workload identities.
  4. Under Include, select All users.
  5. Under Exclude, select Users and groups and exclude at least one account to prevent yourself from being locked out. If you don’t exclude any accounts, you can’t create the policy.
  6. Target resources > Resources > Include, select Office365.
  7. Under Conditions > Device platforms, set Configure to Yes.
  8. Under Include, select device platforms: choose Windows.
  9. Under Access controls > Grant, select Grant access.
  10. Select Require approved client app and Require device to be marked as compliant.
    For multiple controls, select Require one of the selected controls.
5
Q

What are the 8 high-level steps to create an app protection policy using conditional launch actions in Intune?

A
  1. Select Endpoint security, and under Manage, select Conditional access, then select Create new policy.
  2. Enter a policy Name.
  3. Assignments: select Users. You can use the Include or Exclude options to refine the users and groups for the policy.
  4. Select Cloud apps or actions and apply the policy to Cloud apps. Use the Include or Exclude options to select the apps to protect.
  5. Optionally, select the Network option: use the Include and Exclude options to specify networks your users can or cannot use for access.
  6. Conditions: select Client apps to apply the policy to apps and browsers, then select your client app options.
  7. Access controls: select Grant to apply access control enforcement based on device compliance status.
    Of particular relevance for controlling the use of apps are:
    ■ Require approved client app: You can define a list of approved client apps the user must use in order to be granted access. However, this setting is being phased out.
    ■ Require app protection policy: Requires that a user’s app is protected by an app protection policy before access can be granted.
  8. Select and configure the Session option to create session-based restrictions for Office 365, SharePoint Online, and Exchange Online cloud apps.