In Azure AD, blocking apps had been particularly difficult in past years, but with a recent feature rollout in conditional access, the process just got easier. This new feature which functions as a grant, requires that apps abide by an app protection policy before access is given.  

You can check out the apps that have been confirmed to support the new feature here, then learn how you can restrict apps by leveraging conditional access below: 

Before you enable the conditional access grant below, ensure the apps that you do not want to be blocked are in at least one app protection policy within Intune. 

IN INTUNE 

1. Access the Apps Panel in Intune 

2. Select Intune App protection 

3. Verify that an app protection policy exists that includes that apps that you WOULD NOT like to be blocked

   

   Once complete, move over to Azure AD/ Conditional Access and follow the remaining steps 

   1. Access the specific policy you’d like to include in your blocking method (in this case I’ve named the policy “M365 App Protection” 

   2. Access the Conditional Access Policy Panel  

   3. Click into the “Grant” Option 

   4. Select “Require app protection policy”  employee experience for their workforce. 

      

If you’ve performed the block successfully end users will see one of two screens 

Sample one: adding email to a native iOS app (unsupported) 

Sample two: 

User trying to sign in to a supported app that isn’t assigned to an app protection policy