How to Enforce Approved Apps on Personal Mobile Devices Using Conditional Access
- Hanna Korotka
- 54 minutes ago
- 4 min read

In today’s BYOD (Bring Your Own Device) world, controlling which applications can access corporate data is essential for data protection. Microsoft’s Conditional Access and Intune App Protection Policies work hand in hand to ensure that users on personal mobile devices only use secure, managed apps. This blog post explains how to set up a new Conditional Access policy that enforces “Require app protection policy” for personal devices, effectively ensuring corporate data is accessed only via apps protected by Intune.
Important: Do not use “Require approved client app,” as it will retire in early March 2026. For any new Conditional Access policies, you should apply “Require app protection policy” instead.
What You’ll Need
Microsoft Entra ID Plan 1 license to create and manage Conditional Access policies.
Microsoft Intune Plan 1 license to create Intune app protection policies.
Intune App Protection Policy for iOS and Android devices (see Microsoft’s guide: Create an app protection policy).
Personal mobile devices (BYOD) used by your workforce.
This approach ensures that any user device (iOS or Android) not covered by an Intune App Protection Policy cannot access corporate data.
Why Approved Apps on Personal Mobile Devices Matter
Enhanced Security: Blocks access from unmanaged or non-compliant apps, reducing the risk of data leaks.
BYOD Friendly: Employees can use personal devices, but still comply with corporate security standards.
Better Compliance: Ensures that corporate data is protected by the same policy-driven rules no matter which device a user signs in from.
Step-by-Step: Setting Up the Conditional Access Policy
Plan Your Scope
Decide whether you want this policy to apply to all users or a particular group. Typically, organizations choose “All users” to ensure full coverage.
Create a New Conditional Access Policy
Sign in to the Microsoft Entra admin center as a Global Administrator or Conditional Access Administrator.
Go to Protection > Conditional Access.
Select Create new policy.
Under Assignments, select Users or workload identities.
Under Include, select All users.
Under Exclude, select Users and groups and exclude at least one account to prevent yourself from being locked out. If you don't exclude any accounts, you can't create the policy.
Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps').
Under Conditions > Device platforms, set Configure to Yes.
Under Include, choose Select device platforms.
Choose Android and iOS.
Select Done.
Under Access controls > Grant, select Grant access.
Select Require app protection policy (see Microsoft’s documentation for the list of apps on personal mobile devices that support this setting).
If you select multiple controls, select Require one of the selected controls.
Confirm your settings and set Enable policy to Report-only.
Select Create to create your policy.
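The same policy expressed as the Microsoft Graph request body the portal steps above produce, plus a small lint that catches the mistakes this post warns about (the retiring grant control, a missing exclusion). This is an added example, not code from the original post; the display name and the excluded-account GUID are placeholders, and the script only builds and checks the JSON, it does not send it.

```python
import json

# Built-in grant control names as Microsoft Graph spells them.
REQUIRE_APP_PROTECTION = "compliantApplication"  # portal: "Require app protection policy"
REQUIRE_APPROVED_CLIENT = "approvedApplication"  # portal: "Require approved client app" (retiring)

def build_policy(excluded_user_ids, display_name="BYOD: require app protection policy"):
    """Return the request body for POST /identity/conditionalAccess/policies.
    excluded_user_ids are the object IDs of the accounts to exclude (placeholder
    GUID in the example); an empty list is refused, mirroring the portal, which
    will not create the policy without at least one excluded account."""
    if not excluded_user_ids:
        raise ValueError("exclude at least one account to avoid locking yourself out")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",  # Report-only, as in the steps above
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_user_ids)},
            "applications": {"includeApplications": ["All"]},  # All resources
            "platforms": {"includePlatforms": ["android", "iOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [REQUIRE_APP_PROTECTION]},
    }

def lint_policy(policy):
    """Return the problems a reviewer should reject before switching the policy On."""
    problems = []
    conditions = policy.get("conditions", {})
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if REQUIRE_APPROVED_CLIENT in controls:
        problems.append("uses 'Require approved client app', which retires in March 2026")
    if REQUIRE_APP_PROTECTION not in controls:
        problems.append("does not require an app protection policy")
    if not conditions.get("users", {}).get("excludeUsers"):
        problems.append("no excluded account (lockout risk)")
    extra = set(conditions.get("platforms", {}).get("includePlatforms", [])) - {"android", "iOS"}
    if extra:
        problems.append("targets platforms outside the Android/iOS scope: %s" % sorted(extra))
    return problems

if __name__ == "__main__":
    # Placeholder GUID: replace with the object ID of your break-glass account.
    policy = build_policy(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "ok")
```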
Intune App Protection Policy: The Other Half of the Puzzle
The Conditional Access policy you just created relies on having a properly configured Intune App Protection Policy. This policy specifies which applications (e.g., Outlook, Teams, OneDrive) are considered “protected” and applies data-handling rules such as preventing copy-and-paste of corporate data into personal apps. For more details on setting up this policy, see Microsoft’s documentation.
Key Points to Configure in Your App Protection Policy:
Target Specific Apps: e.g., Outlook for iOS and Android, OneDrive, Microsoft Teams.
Data Protection Rules: Restrict copy/paste, block saving to unmanaged storage, and control user access based on device compliance.
Conditional Launch: Define how users authenticate to the app and what triggers a wipe or sign-out (e.g., if the device is jailbroken).
Testing and Validation
User Attempts to Sign In
On a personal mobile device, the user tries to access Outlook or another Microsoft 365 app.
Conditional Access Check
Azure AD evaluates the device and user context.
Since you’ve set “Require app protection policy”, Azure AD checks if the app has Intune protection in place.
Allowed or Blocked
If the app is protected, sign-in proceeds normally.
If not, access is denied.
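Because the policy was created in Report-only mode, the allowed-or-blocked outcome above is recorded in the sign-in logs rather than enforced. This added example (not from the original post) reads sign-in records shaped like the Graph signIn resource and tallies which user, app and platform combinations would be denied once the policy is switched On; the records and the policy display name are constructed sample data.

```python
from collections import Counter

POLICY_NAME = "BYOD: require app protection policy"  # assumed display name of the policy

# Constructed sample records in the shape of Graph's signIn resource
# (GET /auditLogs/signIns); real data comes from that endpoint or the SigninLogs table.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ana@contoso.example", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "iOS 17.4"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "bo@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"operatingSystem": "Android 14"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bo@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"operatingSystem": "Android 14"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "cy@contoso.example", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "Windows 11"},  # outside the Android/iOS platform condition
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
]

def policy_result(signin, policy_name=POLICY_NAME):
    """Return this policy's result for one sign-in, or None if the policy was not evaluated."""
    for applied in signin.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result")
    return None

def would_be_blocked(signins, policy_name=POLICY_NAME):
    """Count reportOnlyFailure sign-ins per (user, app, OS): the apps without Intune
    protection that the enforced policy would deny."""
    blocked = Counter()
    for s in signins:
        if policy_result(s, policy_name) == "reportOnlyFailure":
            key = (s["userPrincipalName"], s["appDisplayName"],
                   s.get("deviceDetail", {}).get("operatingSystem", "unknown"))
            blocked[key] += 1
    return blocked

def summarize(signins, policy_name=POLICY_NAME):
    """Tally every result value, so applied vs. not-applied coverage is visible too."""
    return Counter(policy_result(s, policy_name) for s in signins)

if __name__ == "__main__":
    for (user, app, os_name), n in would_be_blocked(SAMPLE_SIGNINS).items():
        print(f"{user:<22} {app:<30} {os_name:<12} would be blocked x{n}")
    print(dict(summarize(SAMPLE_SIGNINS)))
```

Run it against real exports before enabling the policy: each row is a user who needs the protected app installed, or an app that should be added to the App Protection Policy.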
Conclusion
Implementing the “Require app protection policy” grant within Conditional Access ensures employees on personal mobile devices can only access corporate data through secure, managed apps. This approach offers robust data protection without making it cumbersome for end users, especially in BYOD environments.
By combining Azure AD Conditional Access with Intune App Protection policies, you build a layered security model. Your staff can work flexibly from anywhere, while your data remains protected against leaks and unauthorized use.
Ready to tighten your mobile security posture? Take the first step by setting up an Intune App Protection Policy, then enforce it using Conditional Access. You’ll gain peace of mind knowing that employees are securely accessing company resources—no matter where they’re working from.
At Plexhosted, we specialize in guiding businesses through secure Microsoft 365 setups, including Conditional Access and Intune App Protection. Our experts can help you customize policies, ensure smooth rollouts, and maintain compliance—all while letting your team work seamlessly from any device. Let us know if you have questions or need assistance designing a BYOD-friendly security strategy.