🎯 Purpose
✅ Require all users on iOS and Android to use approved client applications protected by Intune App Protection Policies (MAM) when accessing Office 365.
➡️ Ensures corporate data on mobile devices is only accessed through secured, managed, and protected applications.
👥 Who is affected
✅ Users: All users
🚫 Exclusions:
One exception group (typically break‑glass, service accounts, or testing bypass)
All external users (internal guests, B2B guests, B2B members, Direct Connect users, service providers)
➡️ Only internal members are subject to the MAM enforcement.
☁️ What access is protected
✅ Applications: Office 365 (service principal: Office365)
✅ Client types:
Browser
Mobile apps & desktop clients
➡️ On mobile devices, even browsers (Safari/Chrome) are affected unless specifically excluded.
🔐 How access is enforced
✅ Platform restrictions:
iOS
Android
➡️ Policy applies only on mobile OS platforms that support MAM controls.
🔐 Required controls
✅ Approved client application required
(Control: compliantApplication)
➡️ Users must sign in using an Intune‑approved app and that app must be governed by an App Protection Policy (APP/MAM).
❗ Because the grant operator is OR, any control added to this policy later would on its own be enough to satisfy it, so adding a second control weakens rather than strengthens the requirement.
With only one control present, this functions exactly as Require approved client app.
🕒 Session controls
✅ Sign‑in Frequency:
Every 14 days
Applies to both primary and secondary authentication
Enabled
➡️ Ensures periodic re‑authentication to maintain mobile session hygiene.
🚫 No other session controls are configured (CAE, secure sign‑in session, persistent browser, etc.)
⚙️ What this policy does NOT enforce
🚫 MFA requirements
🚫 Device compliance (MDM)
🚫 Risk-based conditions
🚫 Location restrictions
🚫 Device filters
🚫 Authentication context
➡️ The policy’s sole purpose is enforcing App Protection/MAM access to Office 365 on iOS and Android.
🟢 Policy status
⚠️ Report‑Only Mode (enabledForReportingButNotEnforced)
➡️ Monitoring impact only — not actively blocking or enforcing requirements yet.
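The following audit script is an added example, not part of the original page and not Microsoft's code. It takes a policy export in the shape of the Microsoft Graph conditionalAccessPolicy resource (property names such as excludeGuestsOrExternalUsers, clientAppTypes, builtInControls and signInFrequency are taken from that schema and should be verified against your own export) and reports drift from the scope, platform, grant, session and state settings described above. The embedded policy JSON and the exception group id are constructed placeholders; the drift case shows what happens when a second control is added under the OR operator, which is the ❗ point from the Required controls section.

```python
"""Audit an exported Conditional Access policy against the MAM baseline above.

Added example, not the page's or Microsoft's code. It expects a policy in the
shape of the Microsoft Graph conditionalAccessPolicy resource (property names
assumed from that schema) and returns drift findings against the settings
described on this page. The group id below is a placeholder, not a real object.
"""
import copy
import json

# Constructed sample export mirroring the page's settings (placeholder group id).
SAMPLE_POLICY_JSON = """{
  "displayName": "Require app protection policy - Office 365 - iOS/Android",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["00000000-0000-0000-0000-000000000000"],
      "excludeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,serviceProvider",
        "externalTenants": {"membershipKind": "all"}
      }
    },
    "applications": {"includeApplications": ["Office365"]},
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "platforms": {"includePlatforms": ["iOS", "android"], "excludePlatforms": []}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
  "sessionControls": {
    "signInFrequency": {
      "value": 14, "type": "days", "isEnabled": true,
      "authenticationType": "primaryAndSecondaryAuthentication"
    }
  }
}"""

# The external user categories the page says are excluded.
EXPECTED_EXTERNAL_TYPES = {
    "internalGuest", "b2bCollaborationGuest", "b2bCollaborationMember",
    "b2bDirectConnectUser", "serviceProvider",
}


def load_sample() -> dict:
    """Parse the constructed sample export."""
    return json.loads(SAMPLE_POLICY_JSON)


def audit_policy(policy: dict) -> list[str]:
    """Return drift findings; an empty list means the policy matches the baseline."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])

    # Scope: all users, exactly one exception group, all external users excluded.
    if users.get("includeUsers") != ["All"]:
        findings.append("scope: includeUsers is not 'All'")
    if len(users.get("excludeGroups") or []) != 1:
        findings.append("scope: expected exactly one exception (break-glass) group")
    ext = users.get("excludeGuestsOrExternalUsers") or {}
    ext_types = set(filter(None, (ext.get("guestOrExternalUserTypes") or "").split(",")))
    if not EXPECTED_EXTERNAL_TYPES <= ext_types:
        findings.append("scope: not all external user types are excluded")

    # Target: Office 365, browser plus mobile/desktop clients, iOS and Android only.
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if apps != ["Office365"]:
        findings.append(f"apps: expected ['Office365'], got {apps}")
    if set(cond.get("clientAppTypes") or []) != {"browser", "mobileAppsAndDesktopClients"}:
        findings.append("clients: browser and mobileAppsAndDesktopClients both required")
    platforms = {p.lower() for p in (cond.get("platforms") or {}).get("includePlatforms") or []}
    if platforms != {"ios", "android"}:
        findings.append(f"platforms: expected iOS and Android only, got {sorted(platforms)}")

    # Grant: the MAM control must be present, and nothing else may satisfy an OR alone.
    if "compliantApplication" not in controls:
        findings.append("grant: compliantApplication (app protection policy) control missing")
    if grant.get("operator") == "OR" and len(controls) > 1:
        findings.append(f"grant: operator OR with {sorted(controls)}; any single control grants access")

    # Session: sign-in frequency every 14 days, primary and secondary auth, enabled.
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("value") == 14 and sif.get("type") == "days"
            and sif.get("authenticationType") == "primaryAndSecondaryAuthentication"):
        findings.append("session: signInFrequency is not 14 days / primary+secondary / enabled")

    # State: report-only means monitoring, not enforcement.
    if policy.get("state") != "enabled":
        findings.append(f"state: {policy.get('state')} (policy is not enforcing)")
    return findings


def drifted_policy(policy: dict) -> dict:
    """Constructed drift case: a second control (mfa) is added under the OR operator."""
    drifted = copy.deepcopy(policy)
    drifted["grantControls"]["builtInControls"].append("mfa")
    return drifted


if __name__ == "__main__":
    baseline = load_sample()
    for name, pol in (("baseline", baseline), ("drifted", drifted_policy(baseline))):
        print(name, audit_policy(pol) or ["OK"])
```

Against the sample, the only finding is the report-only state, which is exactly what the status section above says; the drifted copy additionally trips the OR-operator check, so the script can be run against a real Graph export after every change to catch a control being added that silently bypasses the MAM requirement.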
📘 Security Alignment
✅ Supports secure mobile access and data protection on unmanaged BYO devices
➡️ Ensures only protected apps can access corporate data
ℹ️ An important baseline for MAM‑focused mobile governance and data leakage prevention.
📘 Practical Interpretation (Executive‑Friendly)
This Conditional Access policy ensures that:
✅ Any internal user
📱 Signing in on iOS or Android
➡️ Must use an approved, Intune‑protected application to access Office 365
This prevents sensitive data from being accessed via unmanaged or insecure mobile apps, strengthening your mobile security posture and reducing data leakage risk.