Reminder: "Require approved client app" control in Microsoft Entra Conditional Access will be retired in March 2026
Services
Summary
"Require approved client app" control in Microsoft Entra Conditional Access will be retired in March 2026. Organizations should update their policies to use the "Require application protection policy" grant control. For more information, visit the provided link.
Details
As mentioned in MC540749, in March 2026, Microsoft Entra ID (formerly known as Azure Active Directory) and Microsoft Intune will retire the Conditional Access “Require approved client app” grant control. Instead we recommend utilizing the "Require application protection policy" grant control, which provides the same data loss and protection with additional benefits.
How this will affect your organization:
If you have a Conditional Access policy with "Require approved client app" grant control configured, after this change, you will no longer be able to enforce this control, it will be as if this grant is not selected.
What you need to do to prepare:
We recommend updating your Conditional Access policy to using the "Require application protection policy" grant control. For more information, see Migrate approved client app to application protection policy in Conditional Access.