Employees often access corporate data using smartphones and tablets — many of which are personal, unmanaged devices. While mobile access increases flexibility and productivity, it also introduces security risks if data is downloaded, copied, or shared outside of approved apps or environments. This lesson focuses on how to use Conditional Access to enforce App Protection Policies. These policies allow organizations to protect company data at the app level, rather than the device level, by controlling how data is accessed, used, and stored within mobile apps like Outlook, OneDrive, and Teams. By requiring an App Protection Policy before allowing access to Microsoft 365 services, you ensure that sensitive information remains secure — even on personal devices — without needing to enroll them in full device management.
Log into the Entra Admin Center or click on Home if you are already in Entra.
From the Navigation Pane under Protection, select Conditional Access.
Select + Create New policy.
Name the policy: CA05: Require App Protection Policy
Under Users click on 0 Users and groups selected.
Click on Include then select All users.
Under Exclude, click on the box next to Users and groups.
Note: if the pop-up window does not open automatically, click on 0 users and groups selected.
In the pop-up window, select the Emergency Access Account
Click on Select at the bottom of the screen.
Under Target resources click No target resources selected.
Under Include, select All resources (formerly ‘All cloud apps’)
Under Conditions, click 0 conditions selected
Under Device platforms, click Not configured
Click Yes to configure the settings
Under Include, click Select device platforms then Android and iOS
Click Exclude then click on the boxes next to macOS and Linux.
Click Done.
Under Grant, click 0 controls selected
Click Grant access
Click Require app protection policy
Click Require one of the selected controls
At the bottom of the page under Enable policy, select Report-only, then Proceed with selected configuration. The tenant is not configured for macOS and Linux, so users on those platforms may receive prompts when the device is checked for compliance.
Click on Create to finalize this policy.
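The same policy expressed as a Microsoft Graph `conditionalAccessPolicy` request body, with a small audit function that checks the settings the lesson calls for (all users targeted, the Emergency Access Account excluded, Android and iOS in scope, the app protection control required). This is an added example, not part of the lesson or Microsoft's own code; `EMERGENCY_ACCOUNT_ID` is a placeholder for the real object ID, and posting the body to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` is assumed to be done separately with the `Policy.ReadWrite.ConditionalAccess` permission.

```python
import json

# Placeholder object ID of the break-glass (Emergency Access) account; replace before use.
EMERGENCY_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"

def build_ca05_policy(emergency_account_id: str) -> dict:
    """Graph request body equivalent to the portal steps for CA05."""
    return {
        "displayName": "CA05: Require App Protection Policy",
        # Report-only: evaluate and log sign-ins without enforcing the grant control yet.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": [emergency_account_id],  # break-glass exclusion
            },
            "applications": {"includeApplications": ["All"]},  # "All resources"
            "platforms": {
                "includePlatforms": ["android", "iOS"],
                "excludePlatforms": ["macOS", "linux"],
            },
        },
        "grantControls": {
            "operator": "OR",  # "Require one of the selected controls"
            "builtInControls": ["compliantApplication"],  # "Require app protection policy"
        },
    }

def audit_ca05_policy(policy: dict) -> list:
    """Return findings that deviate from the lesson's intent; an empty list means it matches."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not target all users")
    if not users.get("excludeUsers"):
        findings.append("no break-glass account excluded: lockout risk")
    platforms = cond.get("platforms", {})
    if set(platforms.get("includePlatforms", [])) != {"android", "iOS"}:
        findings.append("platform scope is not Android + iOS")
    grant = policy.get("grantControls", {})
    if "compliantApplication" not in grant.get("builtInControls", []):
        findings.append("app protection policy control missing")
    return findings

if __name__ == "__main__":
    body = build_ca05_policy(EMERGENCY_ACCOUNT_ID)
    print(json.dumps(body, indent=2), "\nfindings:", audit_ca05_policy(body))
```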