MC540749 – Plan for Change: “Require approved client app” control in Azure AD Conditional Access will be retired in March 2026


check before: 2026-03-01

Product:

Azure Active Directory, Entra, Entra ID, Intune, Microsoft 365 Apps

Platform:

Online, World tenant

Status:

Change type:

Admin impact, Retirement

Details:

In March 2026, Azure Active Directory (Azure AD) and Microsoft Intune will retire the Conditional Access "Require approved client app" grant control. Instead, we recommend using the "Require application protection policy" grant control, which provides the same data loss protection with additional benefits.
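
An added example (not from Microsoft or from this page) of how an administrator could find the policies this retirement touches: it reads a Conditional Access policy export in the Microsoft Graph JSON shape and flags policies whose grant controls still list `approvedApplication`, the Graph value for "Require approved client app" (`compliantApplication` is the value for "Require application protection policy"). The sample export, policy names and status labels are constructed for illustration.

```python
import json

RETIRING = "approvedApplication"      # "Require approved client app"
REPLACEMENT = "compliantApplication"  # "Require application protection policy"

# Constructed sample shaped like GET /identity/conditionalAccess/policies
# from Microsoft Graph; ids and display names are invented.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"id": "p1", "displayName": "Mobile - approved apps only", "state": "enabled",
  "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
 {"id": "p2", "displayName": "Mobile - approved or protected", "state": "enabled",
  "grantControls": {"operator": "OR",
                    "builtInControls": ["approvedApplication", "compliantApplication"]}},
 {"id": "p3", "displayName": "Mobile - app protection", "state": "enabled",
  "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}},
 {"id": "p4", "displayName": "Session controls only", "state": "enabled",
  "grantControls": null},
 {"id": "p5", "displayName": "Old pilot", "state": "disabled",
  "grantControls": {"operator": "AND", "builtInControls": ["mfa", "approvedApplication"]}}
]}
""")


def classify(policy):
    """Return 'migrate', 'transitional' or 'not-affected' (labels are this example's own)."""
    grant = policy.get("grantControls") or {}   # null when only session controls are set
    controls = set(grant.get("builtInControls") or [])
    if RETIRING not in controls:
        return "not-affected"
    # The retiring control is present; is the replacement already listed with it?
    return "transitional" if REPLACEMENT in controls else "migrate"


def audit(export):
    """List (displayName, state, operator, status) for every policy using the retiring control."""
    findings = []
    for policy in export.get("value", []):
        status = classify(policy)
        if status != "not-affected":
            operator = (policy.get("grantControls") or {}).get("operator")
            findings.append((policy["displayName"], policy["state"], operator, status))
    # Policies that still need work come first, enabled ones ahead of disabled ones.
    return sorted(findings, key=lambda f: (f[3] != "migrate", f[1] != "enabled"))


if __name__ == "__main__":
    for name, state, operator, status in audit(SAMPLE_EXPORT):
        print(f"{status:13} {state:9} {operator:4} {name}")
```

Disabled policies are reported as well, since they can be re-enabled after the retirement date.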


Release Phase:

Created:
2023-04-13

updated:
2024-08-10


Direct effects for Operations**

Loss of Data Protection
Without the 'Require approved client app' control, data protection measures will be weakened, potentially leading to data breaches or loss.
   - roles: IT Security Manager, Compliance Officer
   - references: https://learn.microsoft.com/azure/active-directory/conditional-access/migrate-approved-client-app

Increased User Access Issues
Users may face access issues if their applications are not compliant with the new 'Require application protection policy' control, leading to disruptions in their workflow.
   - roles: End User, Help Desk Support
   - references: https://learn.microsoft.com/azure/active-directory/conditional-access/migrate-approved-client-app

Compliance Risks
Retiring the control without proper transition may lead to non-compliance with data protection regulations, risking legal penalties.
   - roles: Compliance Officer, Data Protection Officer
   - references: https://learn.microsoft.com/azure/active-directory/conditional-access/migrate-approved-client-app

Increased Support Tickets
The transition may result in a surge of support tickets from users experiencing issues with application access, straining IT resources.
   - roles: Help Desk Support, IT Operations Manager
   - references: https://learn.microsoft.com/azure/active-directory/conditional-access/migrate-approved-client-app

User Experience Degradation
Users accustomed to the previous control may find the new requirements confusing, leading to frustration and decreased productivity.
   - roles: End User, IT Trainer
   - references: https://learn.microsoft.com/azure/active-directory/conditional-access/migrate-approved-client-app

explanation for non-techies**

In the world of technology, changes often occur to improve systems and enhance security. One such change is happening with Microsoft Entra ID (formerly Azure Active Directory) and Microsoft Intune. By March 2026, a specific security feature called "Require approved client app" will be retired. Think of this feature as a security guard at the entrance of a building, only allowing certain people (or apps) to enter. After March 2026, this particular guard will no longer be on duty.

Instead, Microsoft suggests using a new security measure called "Require application protection policy." This new feature is like hiring a more advanced security system that not only checks who enters but also ensures that they follow specific rules once inside. This system offers the same level of security as the old guard but with additional benefits.

For organizations currently using the "Require approved client app" feature, it's important to transition to the new "Require application protection policy" to maintain security standards. This change is similar to upgrading from a traditional lock to a smart lock that offers more control and flexibility.

To prepare for this transition, organizations should review their current security policies and update them to incorporate the new protection policy. This ensures that when the old feature is retired, there won't be any gaps in security. Microsoft provides resources and guidance to help with this transition, making it as smooth as possible.

In summary, while change can be challenging, it often leads to better security and improved functionality. By adopting the new "Require application protection policy," organizations can ensure their systems remain secure and up-to-date.

** AI generated content. This information must be reviewed before use.
