Conditional Access "Require App Protection Policy" blocks first launch

MatAitAzzouzene
Occasional Contributor

Hi all,

 

When I launch OneDrive on a brand new iPhone the Conditional Access policy "Require App Protection" blocks the app since the app protection is not yet configured.

If I disable the CA policy, launch OneDrive so it can apply App Protection, then re-enable the CA policy, it works fine.

Is it the normal behavior? Do we have to disable the CA policy every time we prepare a new phone?


@Vasil Michev  All prerequisites are OK! I found out this happens with MS Teams, not with OneDrive.

I think I figured out what the problem is: the "Azure Active Directory Conditional Access settings reference" doc indicates only 5 apps are currently supported (Cortana, Edge, OneDrive, Outlook and Planner):

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#app-p...

But the "Require app protection policy for cloud app access with Conditional Access (preview)" does not mention it:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-cond...

So this policy can't apply to Teams and other unsupported apps, meaning it is pretty useless for now, until all cloud apps become supported...

Makes sense then, Teams is indeed currently not supported.

@Vasil Michev One more thing: if you exclude the user from the CA policy requiring App Protection, launch Teams once, then include the user back in the CA policy, it works!

Seems like the CA policy does not let Teams apply the App Protection before checking access, so you have to apply the App Protection first, then apply the CA policy.
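
The workaround discussed in this thread (disabling the policy or excluding a user, then undoing it) leaves a gap if the undo step is forgotten. The following is an added example, not part of the original thread: it audits an exported list of Conditional Access policies for ones that require app protection but are not enforced or carry exclusions. It assumes the export has the shape of Microsoft Graph `conditionalAccessPolicy` objects; the sample data, names and IDs are constructed.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects (identity/conditionalAccess/policies); all names and IDs are made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "iOS - require app protection", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["00000000-0000-0000-0000-00000000aaaa"],
                            "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}},
  {"displayName": "Android - require app protection", "state": "disabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
   "grantControls": {"operator": "OR",
                     "builtInControls": ["approvedApplication", "compliantApplication"]}},
  {"displayName": "Require MFA for admins", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]}
""")

APP_PROTECTION = "compliantApplication"  # Graph value for "Require app protection policy"

def audit_app_protection_policies(export):
    """Return one finding per policy that grants on app protection."""
    findings = []
    for policy in export.get("value", []):
        grant = policy.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        if APP_PROTECTION not in controls:
            continue
        users = (policy.get("conditions") or {}).get("users") or {}
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        # With operator OR and several controls, any other control also grants access.
        strict = len(controls) == 1 or grant.get("operator") == "AND"
        issues = []
        if policy.get("state") != "enabled":
            issues.append("not enforced (state=%s)" % policy.get("state"))
        if excluded:
            issues.append("%d excluded user/group id(s)" % len(excluded))
        if not strict:
            issues.append("app protection is one of several OR alternatives")
        findings.append({"policy": policy.get("displayName"), "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_app_protection_policies(SAMPLE_EXPORT):
        print(f["policy"], "->", "; ".join(f["issues"]) or "no issues")
```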
