𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭 𝐢𝐬 𝐫𝐞𝐭𝐢𝐫𝐢𝐧𝐠 𝐭𝐡𝐞 “𝐑𝐞𝐪𝐮𝐢𝐫𝐞 𝐚𝐩𝐩𝐫𝐨𝐯𝐞𝐝 𝐜𝐥𝐢𝐞𝐧𝐭 𝐚𝐩𝐩” 𝐜𝐨𝐧𝐭𝐫𝐨𝐥 𝐢𝐧 𝐂𝐨𝐧𝐝𝐢𝐭𝐢𝐨𝐧𝐚𝐥 𝐀𝐜𝐜𝐞𝐬𝐬 𝐨𝐧 𝐉𝐮𝐧𝐞 30, 2026 (𝐩𝐫𝐞𝐯𝐢𝐨𝐮𝐬𝐥𝐲 𝐌𝐚𝐫𝐜𝐡 2026).
After June 30, 2026, the “Require approved client app” grant control will stop enforcing entirely as if it was never selected.
𝐖𝐡𝐲 𝐭𝐡𝐞 𝐂𝐡𝐚𝐧𝐠𝐞:
Microsoft is consolidating security controls to streamline management and enhance protection. The “Require app protection policy” control provides equivalent security with additional data loss prevention capabilities, making the older “approved client app” control redundant.
If you have Conditional Access policies configured with this grant control, it’s time to plan your migration.
𝑲𝒆𝒚 𝑪𝒐𝒏𝒔𝒊𝒅𝒆𝒓𝒂𝒕𝒊𝒐𝒏𝒔:
▪ Not all approved apps support app protection policies – verify compatibility.
▪ Test in Report-only mode before full enforcement.
▪ Ensure corresponding Intune app protection policies are configured.
You can find the steps to migrate approved client app to application protection policy in Conditional Access from the official Microsoft documentation.