Intune: lock app usage for users out of groups

James 1 Reputation point
2020-09-09T12:00:38.397+00:00

Hi,
I have managed all Microsoft apps with Intune and created 2 "App protection policies" for iOS and Android BYOD devices (managed devices have their own policies).

1 policy limits the things I need (like a required unlock PIN etc.) and is assigned to AD group "A"
1 policy limits everything and wipes data almost immediately and is assigned to AD group "B"

I've created these policies and the idea is that if I have a problem with a device (stolen etc.) of a user in group A, I can move them into group B and know that things will be deleted. (Yes, I will also use the "app selective wipe".)
My only problem now is that if a user (by mistake) is in neither AD group A nor B, they have free use of the apps because they don't have an assigned policy. Where can I specify that any user who is not in group A or B, or who doesn't have a policy, can't use the apps with company credentials?

Thanks,
James


2 answers

  1. Jason Sandys 31,186 Reputation points Microsoft Employee
    2020-09-09T21:03:42.867+00:00

    You'll have to create an additional policy for this. Instead, why not assign your first policy to All Users and Exclude the members of Group B in the assignment?

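    The assignment Jason describes (policy 1 targeted at All Users with group B excluded), written as a Microsoft Graph call. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, and the policy id and group object id are placeholders you replace with your own values.

```powershell
# Added example: assign an existing iOS app protection policy to all licensed
# users while excluding group B, via the Graph "assign" action.
# Assumes the Microsoft.Graph PowerShell SDK; ids below are placeholders.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policyId = "<iosManagedAppProtection-id>"   # placeholder: the "group A" policy
$groupBId = "<group-B-object-id>"            # placeholder: the wipe-everything group

$body = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target = @{ "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget" }
        },
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target = @{
                "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"
                groupId       = $groupBId
            }
        }
    )
}

# Replace the policy's assignments with "All Users, excluding group B".
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$policyId/assign" `
    -Body $body

# Check the result: one allLicensedUsers target and one exclusion target for group B.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$policyId/assignments"
```

    The Android policy takes the same call against `androidManagedAppProtections`. Excluding group B matters because a user targeted by two conflicting app protection policies receives the most restrictive merged settings; the exclusion keeps group B members on the strict policy alone, and anyone outside group B now falls under policy 1 instead of having no policy at all.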

  2. Crystal-MSFT 45,656 Reputation points Microsoft Vendor
    2020-09-10T01:41:00.683+00:00

    @James, from your description, it seems you want to block users who are in neither group A nor group B from accessing the application. If there's any misunderstanding, please let us know.

    For the app, if it is a cloud app, we can try to configure a Conditional Access policy to accomplish this. We can assign the policy to All Users, excluding groups A and B. We can see more details in the following link:
    https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups

    Select the cloud app, configure the conditions, and set Grant to "Block access":
    https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant

    Here is a link talking about the settings under a Conditional Access policy, which we can refer to:
    https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies

    Hope it can help.


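    The Conditional Access policy described in this answer (All Users, excluding groups A and B, grant set to Block access), created through Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, and the group object ids and the cloud app id are placeholders for your own values.

```powershell
# Added example: create a report-only Conditional Access policy that blocks
# sign-in to the chosen cloud app for everyone not in group A or group B.
# Assumes the Microsoft.Graph PowerShell SDK; ids below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$groupAId = "<group-A-object-id>"   # placeholder: users on the standard policy
$groupBId = "<group-B-object-id>"   # placeholder: users on the strict/wipe policy
$appIds   = @("<cloud-app-id>")     # placeholder; "Office365" is the built-in value for the Office 365 app group

$policy = @{
    displayName = "Block app access for users with no app protection policy"
    # Start in report-only mode so sign-in logs show who would be blocked;
    # change to "enabled" once the excluded groups are confirmed correct.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($groupAId, $groupBId)
        }
        applications   = @{ includeApplications = $appIds }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```

    Before switching the state to "enabled", add your emergency-access (break-glass) accounts to the exclusions as well, since a block-all-except policy that covers them can lock administrators out of the tenant. Note also that Conditional Access acts at sign-in; it does not retroactively protect data an unprotected app already downloaded, which is why pairing it with the All Users assignment of the app protection policy itself is the more complete fix.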