Forum Discussion
AndyK
Oct 18, 2022, Copper Contributor
Conditional Access Application Protection Exemption
I have a conditional access policy scoped against "All Cloud Apps" - excluding "Apple Internet Accounts" (f8d98a96-0999-43f5-8af3-69971c7bb423). This policy requires approved client app and app prote...
Moe_Kinani
Oct 18, 2022, Bronze Contributor
Hi AndyK
The iOS native Mail app is not part of either the approved client apps or the Require App Protection list, so you can’t exclude it from CA.
It’s added in your tenant as an Enterprise App because your users have used it to access their email before, like any other enterprise app (Acrobat for example).
In other words, this CA grants access to the approved apps / Require App Protection apps in the list below:
Hope this helps!
Moe
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app
- AndyK, Oct 19, 2022, Copper Contributor: So is it not possible to force an approved MS application, and/or the iOS Mail, via the conditional access policies? I had built a configuration policy which effectively forced ONLY the contacts/calendar exchange sync using that and it works already... I was hoping that I could allow looser control over these sources while ensuring mail was still locked into Outlook.
- Moe_Kinani, Oct 19, 2022, Bronze Contributor: You can’t exclude the iOS Mail app from Conditional Access because it is not part of the Approved apps or Require App Protection lists. It’s not a bug; iOS native Mail needs to be an approved app to be allowed.
So if you want to use an approved apps CA, you need to push the users to use the Outlook app.
Hope this answers your question!
Moe