Plan for Change: "Require approved client app" control in Azure AD Conditional Access will be retired in March 2026

In March 2026, Azure Active Directory (Azure AD) and Microsoft Intune will retire the Conditional Access “Require approved client app” grant control. Instead we recommend utilizing the "Require application protection policy" grant control, which provides the same data loss and protection with additional benefits.

How this will affect your organization:

If you have a Conditional Access policy with "Require approved client app" grant control configured, after this change, you will no longer be able to enforce this control, it will be as if this grant is not selected.

What you need to do to prepare:

We recommend updating your Conditional Access policy to using the "Require application protection policy" grant control. For more information, see Migrate approved client app to application protection policy in Conditional Access.