Just today a new option showed up in my Azure Active Directory AzureAD, Under Sccess Controls – Grant – Require approved client app (preview).

Here is the link to list of approved client apps

It seems like a great feature specielt on Windows device. On IOS and Android we have MAM with application conditional access, this seems like it is working on all platforms – and that is great news.

I started by testing on Windows – I want to block access to all client apps that are not in the approved app list, and I don’t care if the device is compliant or not.

So first I created a new Conditional Access rule.

Assign it to a test group of users.

Select Office 365 Exchange Online under Cloud apps

CA - Approved client app - 000

Go to Conditions

Select Platform

Select Windows

CA - Approved client app - 001

Go to Access control

Grant access

Select “Require approved client app (preview)”

CA - Approved client app - 002

Under Enable policy

select ON

Then you are ready to test.

How does it looks like on the client site on the build in Windows mail app

After the first setup page with username and password – we get this message:

Devices or client applications that meet osddeployment management compliance policy

CA - Approved client app - 01

If we take a closer look – we can see that the devices is compliant – so we are blocked based on the app we are using.

CA - Approved client app - 02

Then I started Outlook 2016 and I got access to my mail.

CA - Approved client app - 03


This blogpost has bee ncreated with little testing and will get updated when I have had the chance to test more.