As an administrator, there’s likely going to be a time where you will need to restrict certain apps from accessing your network on particular devices. It’s not an uncommon practice and the need to block apps is more often than not stems from data security needs. 

In Azure AD, blocking apps had been particularly difficult in past years, but with a recent feature rollout in conditional access, the process just got easier. This new feature which functions as a grant, requires that apps abide by an app protection policy before access is given.  

You can check out the apps that have been confirmed to support the new feature here, then learn how you can restrict apps by leveraging conditional access below: 


Before you enable the conditional access grant below, ensure the apps that you do not want to be blocked are in at least one app protection policy within Intune. 



  1. Access the Apps Panel in Intune 

  2. Select Intune App protection 

  3. Verify that an app protection policy exists that includes that apps that you WOULD NOT like to be blocked

    Once complete, move over to Azure AD/ Conditional Access and follow the remaining steps 

    1. Access the specific policy you’d like to include in your blocking method (in this case I’ve named the policy “M365 App Protection” 

    2. Access the Conditional Access Policy Panel  

    3. Click into the “Grant” Option 

    4. Select “Require app protection policy”  employee experience for their workforce. 

If you’ve performed the block successfully end users will see one of two screens 

Sample one: adding email to a native iOS app (unsupported) 


Sample two: 

User trying to sign in to a supported app that isn’t assigned to an app protection policy


Download the MDM Migration Guide

By reading the guide, you’ll learn: 

  • How to plan and configure your new environment build.

  • Three ways to test and validate your migration before it begins.

  • How to segment and support users to ensure rapid adoption.