Teams Mobile App with Conditional Access and App Protection Policy


According to the Conditional Access doc Require App Protection Policy, "Microsoft Teams... do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively."

This does not mean that an App Protection Policy cannot be applied to the Teams mobile app, but rather that Conditional Access cannot use it as a control to guarantee that access from a mobile device is coming from a managed app. This presents a potential security risk in that data within the Teams mobile app could be extracted to non-managed apps, such as the Files app within iOS.

With the heavy dependency and promotion of Teams today, what are ways to allow the use of the Teams mobile app while also preventing data from being extracted to uncontrolled locations/services? Assuming device enrollment is not being considered for BYOD and that a MAM-only approach is desired, what options would that leave? Curious for other perspectives or opinions on this scenario.

2 Replies
This is a big holdup for MAM-WE adoption. Sure, you could exclude Teams from the policy but then you have to make changes to the App Protection policy to allow it to become useful and interact with other managed apps and in the process create a giant hole in the entire structure. Teams is a primary collaboration tool for a lot of organizations and this will absolutely keep organizations from adopting MAM-WE.
Looks like this will be available on 31 July 2021. See copy of Message center post.

Microsoft Teams: Require app protection policy conditional access grant
MC266463 · Published 2 Jul 2021

Message Summary
This release of app protection policy based Conditional Access in Microsoft Teams will help protect your organizational data on devices your employees use by ensuring that only users with Intune app protection policy can access Microsoft 365 services from Teams.

This message is associated with Microsoft 365 Roadmap ID 87773

When this will happen:

Teams support for app protection policy based Conditional Access will be available as of July 31, 2021.

This is rolling out default off and this change will not impact your organization if you do not enable the require app protection policy grant in your Conditional Access policies.

If you enable require app protection policy grant, access to Teams will be restricted to only users who have app protection policies applied on their account.

What you need to do to prepare:

Please familiarize yourself with the App protection policy based Conditional Access.

Learn more:

Grant controls in Conditional Access policy - Azure Active Directory | Microsoft Docs
App-based Conditional Access with Intune - Microsoft Intune | Microsoft Docs
App protection policies with Conditional Access - Azure Active Directory | Microsoft Docs
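As an added example (not code from this thread or from Microsoft), here is a small audit for the situation the original post and the MC266463 reply describe: it takes Conditional Access policies in the shape Microsoft Graph returns from /identity/conditionalAccess/policies (the two sample policies are constructed) and reports which ones reach Teams on iOS/Android through the Office 365 app group, and whether they actually bind that access to an Intune app protection policy (Graph's `compliantApplication` grant, the portal's "Require app protection policy") or only to the approved-client-app grant (`approvedApplication`) the poster was told to use. It also handles the edge case where both grants are listed with operator "OR", which lets an approved client app satisfy the policy without any app protection policy.

```python
"""Audit Conditional Access policies for mobile Teams coverage (added example,
not from the original thread). Policies are dicts in the shape Microsoft Graph
returns for conditionalAccessPolicy; the samples below are constructed."""

MOBILE_PLATFORMS = {"iOS", "android", "all"}   # "all" reaches mobile as well
TEAMS_TARGETS = {"All", "Office365"}   # app selections through which CA reaches Teams


def assess(policy: dict) -> dict:
    """Return whether one policy scopes mobile Teams and how it gates access."""
    cond = policy.get("conditions") or {}
    apps = set((cond.get("applications") or {}).get("includeApplications", []))
    platforms = set((cond.get("platforms") or {}).get("includePlatforms", []))
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    in_scope = (policy.get("state") == "enabled"
                and bool(apps & TEAMS_TARGETS) and bool(platforms & MOBILE_PLATFORMS))
    # With operator "OR" any single control satisfies the policy, so listing
    # approvedApplication next to compliantApplication lets a merely approved
    # client app in without an app protection policy.
    strict_app_protection = ("compliantApplication" in controls
                             and ("approvedApplication" not in controls
                                  or grant.get("operator") == "AND"))
    return {
        "displayName": policy.get("displayName", "?"),
        "scopes_teams_mobile": in_scope,
        "requires_app_protection": in_scope and strict_app_protection,
        "approved_app_only": in_scope and controls == {"approvedApplication"},
    }


def audit(policies: list) -> list:
    """Policies that reach mobile Teams but cannot enforce an app protection policy."""
    return [r for r in map(assess, policies)
            if r["scopes_teams_mobile"] and not r["requires_app_protection"]]


# Constructed samples: the pre-July-2021 workaround vs the grant now supported.
LEGACY = {"displayName": "Mobile: approved apps only", "state": "enabled",
          "conditions": {"applications": {"includeApplications": ["Office365"]},
                         "platforms": {"includePlatforms": ["iOS", "android"]}},
          "grantControls": {"operator": "OR",
                            "builtInControls": ["approvedApplication"]}}
HARDENED = {"displayName": "Mobile: require APP", "state": "enabled",
            "conditions": {"applications": {"includeApplications": ["Office365"]},
                           "platforms": {"includePlatforms": ["all"]}},
            "grantControls": {"operator": "AND",
                              "builtInControls": ["compliantApplication"]}}

if __name__ == "__main__":
    for f in audit([LEGACY, HARDENED]):
        print(f"{f['displayName']}: mobile Teams access not bound to an app protection policy")
```

Policies that include Teams by its own application ID rather than through the Office 365 group would need that ID added to TEAMS_TARGETS.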