Conditional Access require Approved Client App

Mario 1 Reputation point
2020-10-09T16:05:39.12+00:00

Hi,
I have noticed the following situation,

I have two M365 environments, and in both environments there is a Conditional Access policy that allows access to Exchange Online only with "Approved Apps".
https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app

In order for authentication and device registration to work, the approved apps require a broker app.
For iOS it is the Microsoft Authenticator.
For Android it is the Intune Company Portal app.

I noticed the problem caused by these Broker Apps.
With the Microsoft Authenticator you can register more than one account (Account-Tenant A and Account-Tenant B)
With the Intune Company Portal app, this is not possible. That means if the device is already registered with the normal Tenant A account, the Tenant B account cannot be added.

Why is the behavior so different?
Is this a bug or a feature?

Thank you for your help.

Regards
Mario
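For readers who want to reproduce the setup the question describes, the following is an added example (not part of Mario's post, and not Microsoft's own sample) that creates such a policy with the Microsoft Graph PowerShell SDK. The policy name and the excluded break-glass account are placeholders; the cmdlets, enum values and the Office 365 Exchange Online application ID are real. The policy is created in report-only mode so that sign-in logs show who would be blocked before enforcement is switched on.

```powershell
# Added example: Conditional Access policy "require approved client app" for Exchange Online
# on mobile platforms, created with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "EXO - require approved client app on mobile"   # placeholder name
    state       = "enabledForReportingButNotEnforced"             # report-only; set "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")     # placeholder: always exclude an emergency account
        }
        # Office 365 Exchange Online first-party application
        applications   = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }
        # The approved-client-app control only applies to mobile platforms, so scope it explicitly
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication")   # "Require approved client app"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify the grant control was stored as intended
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).GrantControls.BuiltInControls
```

As the answers below explain, this control is only satisfied when the device is registered (via the platform's broker app) to the tenant that owns the policy, which is why a single Android device cannot satisfy it in two tenants at once. Note also that Microsoft has since announced the retirement of the "Require approved client app" control in favour of "Require app protection policy" (the `compliantApplication` built-in control), so new policies should use that control instead.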


3 answers

  1. Mohammad Zmaili 1 Reputation point Microsoft Employee
    2020-10-11T13:43:15.99+00:00

    In order to leverage Approved Client App Conditional Access, a device should be registered to the tenant where the CA policy is enabled. And a device (iOS or Android) can be registered to a single tenant.

    You can add multiple accounts in the MS Authenticator app, but this will not register the device to multiple tenants. In other words, even if you added more than one account in the MS Authenticator application, the device will be registered to a single tenant.

    Additionally, on iOS, the broker app is Microsoft Authenticator. But on Android, the broker app is either Microsoft Authenticator or the Microsoft Company Portal (whichever was installed first).


  2. Mario 1 Reputation point
    2020-10-11T14:39:00.387+00:00

    Hm,
    it's strange, with an iOS device it is possible. I have registered the iOS device in more than one tenant, so the Conditional Access policy works as expected.

    Only with Android does it not work, because there the Enterprise Portal app is needed.
    With the Authenticator app it does not work on Android.

    Regards
    Mario


  3. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2020-10-11T18:13:56+00:00

    For Android, the Company Portal contains MAM code in the broker authentication, which is needed for the approved app condition. Also, the Company Portal is always enrolled to a single tenant.

    iOS: I see you mentioned registering the device with more than one tenant. How did you do that? Because if I go into Settings --> Device Registration, it always shows the email ID of the tenant I registered (not multiple accounts).
    Adding multiple accounts into the Authenticator app is not the same as registering the device into multiple tenants.

    Hope this helps

    Thanks
    Nagappan V
