Forum Discussion
App Protection Policy is not working when I have Company Portal app installed and signed in.
- Apr 23, 2021
Hi,
App protection could really take some time to apply
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-delivery#:~:text=Application%20protection%20policy%20delivery%20depends,service%20registration%20for%20your%20users.&text=12%20hours%20%2D%20However%2C%20on%20Android,the%20interval%20is%2024%20hours.
I did a deep dive into app protection policies some weeks ago... sometimes it really took some time before changes in an existing app protection policy applied.
You also could create a conditional access policy to require app protection
Here is the link:
https://call4cloud.nl/2021/03/app-protection-resurgence/
- sbuccimsft Apr 29, 2021
Microsoft
For any conditional access related to App Protection, bookmark this link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy. This contains the list of supported apps and is updated as more Microsoft apps support the Require Approved Apps or Require App Protection policies. This is also where we document that Teams does not currently support Require App Protection, as well as the "or" clause.
- sbuccimsft Apr 23, 2021
Microsoft
Just note that not all apps support "Require App Protection Policy" conditional access. Please see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy
- Apr 23, 2021
Hi,
I thought the same thing... But if you take a look at the blog I mentioned... Requiring approved apps OR app protection is also working with Teams. So you can require approved apps and for the apps that do support it... app protection (even when the Microsoft docs tell us something else)
- Coopem16 Apr 30, 2021 Brass Contributor
It may be working, but it is not supported. There are 3 Apps that do not support the OR Grant:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy
Note
Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively. The use of the or clause between the two grants will not work for these three applications.
This is a roadblock for us. I have the "OR" policy set up and ready to move users to it. It requires stacking policies. I have one that does MFA and TOU with the "AND" grant, and then a policy with the approved app and app protection grants applied with an OR grant. But until Teams officially supports this, I am stuck with my current policies. I do not care about Skype, Visio, or Kaizala. However, Teams is a much used app for us. And until it is supported we will not go down that route. This is also great if you only need one or the other, but stacking on MFA and TOU adds complexity. It can be done, by stacking policies, however it is more complex.
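The stacking described in the post above, as an added example that is not part of the original thread: a small Python model of how Conditional Access combines grant controls (the AND/OR operator applies inside one policy, and every applicable policy must pass). Field names follow the Microsoft Graph conditionalAccessPolicy resource; the display names, group id and terms-of-use id are placeholders, and per-app support for each grant is not modelled.

```python
# Added illustration, not code from the thread. Ids and names are placeholders.
TOU_ID = "<terms-of-use-agreement-id>"
CONDITIONS = {
    "users": {"includeGroups": ["<pilot-group-id>"]},
    "applications": {"includeApplications": ["Office365"]},
    "platforms": {"includePlatforms": ["android", "iOS"]},
    "clientAppTypes": ["mobileAppsAndDesktopClients"],
}

def policy(name, operator, built_in, terms_of_use=()):
    """Build a payload shaped like a Graph conditionalAccessPolicy."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # report-only while testing
        "conditions": CONDITIONS,
        "grantControls": {"operator": operator,
                          "builtInControls": list(built_in),
                          "termsOfUse": list(terms_of_use)},
    }

# Policy 1: MFA AND terms of use. Policy 2: approved app OR app protection.
MFA_AND_TOU = policy("Mobile: MFA and TOU", "AND", ["mfa"], [TOU_ID])
APP_OR = policy("Mobile: approved app or app protection", "OR",
                ["approvedApplication", "compliantApplication"])
STACK = [MFA_AND_TOU, APP_OR]

def merged(operator):
    """A single policy holding all four controls under one operator."""
    return policy("Mobile: single policy", operator,
                  ["mfa", "approvedApplication", "compliantApplication"], [TOU_ID])

def policy_satisfied(p, satisfied):
    """Apply the policy's own operator to the controls the session met."""
    g = p["grantControls"]
    controls = g["builtInControls"] + ["tou:" + t for t in g["termsOfUse"]]
    check = all if g["operator"] == "AND" else any
    return check(c in satisfied for c in controls)

def access_granted(policies, satisfied):
    """Every applicable policy must be satisfied for access to be granted."""
    return all(policy_satisfied(p, satisfied) for p in policies)

if __name__ == "__main__":
    tou = "tou:" + TOU_ID
    print("stacked, MFA+TOU+approved app:", access_granted(STACK, {"mfa", tou, "approvedApplication"}))
    print("stacked, approved app only:   ", access_granted(STACK, {"approvedApplication"}))
    print("single OR, approved app only: ", access_granted([merged("OR")], {"approvedApplication"}))
    print("single AND, no approved app:  ", access_granted([merged("AND")], {"mfa", tou, "compliantApplication"}))
```

A single OR policy lets an approved app in without MFA or TOU, and a single AND policy demands both app grants at once, which is why the two-policy stack is needed.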
- swatijain Apr 23, 2021 Copper Contributor
Thank you so much, I will check on this.