Forum Discussion
Conditional Access - Require multi-factor authentication
- Nov 21, 2017
Thanks for going the extra mile, Kent. I have found the same results: the CA policy doesn't work as it should. I was expecting the native clients to stop working when the 'require approved client app' access control was selected; however, this doesn't work. I believe this feature only works with Intune app protection.
To address this issue I have created a device rule to block all ActiveSync clients and allow Outlook. Since we're on Outlook 2016 and this supports Modern Auth, this works well for us. Microsoft really need to make things clear on their CA policies, pros and cons.
Anyone?
The conditional access is set up in Azure AD. I have enabled MFA and 'require approved client app', and I expected native mail apps on iOS/Android to stop working. I've read an article that this can be achieved using Intune App Protection, but we don't want to use Intune. Is this possible, or is Intune a requirement to work with Azure AD Conditional Access?
Also, what rules have you configured for your Conditional Access? Are you targeting apps or device platforms?
- Kamran Ahmed, Nov 20, 2017, Brass Contributor
We exclude internal IPs.
CA Policy
Users: All users
Cloud Apps: O365 Exchange online
Conditions:
device platforms: All platforms
Client apps: Mobile apps and desktop clients
Access Control:
Require MFA
Require Approved client app
Require all the selected controls (Grant Access to both)
- Kent Gaardmand, Nov 20, 2017, Iron Contributor
Policies are disabled by default. Could you please confirm that the policy is enabled?
I'm trying to reproduce this policy with a test user and will get back to you.
- Kamran Ahmed, Nov 20, 2017, Brass Contributor
Another option is to create a device policy to block all devices except Outlook for iOS and Android, but I'm not sure if this will cause issues with anything else. Going through testing.
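The two policies discussed in this thread (Kamran's "MFA + approved client app" policy and the later workaround of blocking Exchange ActiveSync clients so that only Modern Auth clients such as Outlook reach the policy), written as Microsoft Graph PowerShell calls. This is an added example, not code posted by any participant; it assumes the Microsoft.Graph module is installed and that the signed-in account can write Conditional Access policies. Both policies are created in report-only state, which addresses Kent's point that new policies are not enforced until they are explicitly enabled, and lets you read the would-be result in the sign-in logs before turning them on.

```powershell
# Added example (not from the thread): the two policies discussed, expressed as
# Microsoft Graph PowerShell calls. Assumes the Microsoft.Graph module is installed
# and the signed-in account can write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

# Office 365 Exchange Online first-party application ID (same value in every tenant)
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

# Policy 1: the policy from Kamran's post. Both grant controls must be satisfied
# ("Require all the selected controls" maps to operator AND).
$mfaPlusApprovedApp = @{
    displayName   = "EXO - Require MFA and approved client app (report-only)"
    # Nothing is enforced until state is "enabled"; report-only only records what would happen.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @("all") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        # "We exclude internal IPs": skip any named location marked as trusted
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "approvedApplication")
    }
}

# Policy 2: the workaround from the thread. Block legacy Exchange ActiveSync clients
# outright, so only Modern Auth clients (e.g. Outlook 2016 / Outlook mobile) are
# evaluated against the policy above.
$blockActiveSync = @{
    displayName   = "EXO - Block Exchange ActiveSync clients (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @("exchangeActiveSync")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = foreach ($body in @($mfaPlusApprovedApp, $blockActiveSync)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Kent's check: list every policy with its state and targeted client app types,
# so a policy left at "disabled" or "enabledForReportingButNotEnforced" is obvious.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'ClientApps'; e = { $_.Conditions.ClientAppTypes -join ',' } } |
    Format-Table -AutoSize
```

Leave both policies in report-only for a few days and review the "Report-only" result on sign-ins from the native iOS/Android mail apps; that log is the evidence of whether the native client would have been blocked, rather than relying on a single test device. Once the outcome matches what you expect, switch a policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`, keeping at least one break-glass account excluded before doing so.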