# CA - Require App Protection Policy

### Required AAD role for Conditional Access Policy

Global Administrator, Conditional Access Administrator

### Conditional Access Policy

{% hint style="danger" %}
You must have an [App Protection Policy](https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/appProtection) configured for your devices before you configure this Conditional Access Policy; otherwise access will be blocked. \
See [App Protection Policy - Integration in Microsoft Intune](https://app.gitbook.com/o/ppfQqpWS3ym5iPtSC6tM/s/4v109br9tFl1Rxk2qP0x/~/changes/CR4vmE9IJ0wzV3FIur6m/documentation/deployment-sca/app-protection-policy-integration-in-microsoft-intune)
{% endhint %}

1. Log in to Endpoint Manager with your admin account
2. Go to Endpoint security → Conditional access or follow this link:\
   [Conditional Access - Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#view/Microsoft_AAD_IAM/ConditionalAccessBlade/~/Policies)
3. Click on **New policy** to create a new Conditional Access policy
4. Enter a name for the policy, e.g. “Secure Contacts Conditional Access Policy”
5. Go to ***Users or workload identities*** in *Assignments*
6. *Include* your SCA-Testgroup under **Users and Groups**\
   \
   ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FRKsvRw7hv7zIqy6TU9qL%2Fimage.png?alt=media\&token=f71683ab-5077-465c-892d-fc0c1b463888)
7. Go to ***Cloud apps or actions*** in *Assignments*
8. Under *Include*, select the cloud apps **Office 365** and **Secure Contacts**\
   \
   ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FzR4Ur3s3amKIeKRLZJgK%2Fimage.png?alt=media\&token=4277b0f5-d4ed-4153-a9af-bc1a37b4b26d)
9. Set the conditions your environment requires, e.g. under *Client apps*, tick *Mobile apps and desktop clients*
10. Go to *Grant* in the *Access controls* pane
11. Set **Require app protection policy**

    ![](https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FINkfqHDVHXNPxR0Di0ZR%2Fimage.png?alt=media\&token=ff715655-aafd-4394-b1be-ca3a4cc5e536)

12. Set *Enable Policy* to **On**
13. Click on **Create**
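
The same policy created with the Microsoft Graph PowerShell module, as an added example that is not part of the original documentation. It assumes the group's display name is `SCA-Testgroup` and the enterprise application's display name is `Secure Contacts` in your tenant; the script stops if either lookup is ambiguous or if a policy with the same name already exists.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module.
# Assumptions: the display names below match your tenant; adjust them if not.
$PolicyName = 'Secure Contacts Conditional Access Policy'
$GroupName  = 'SCA-Testgroup'
$AppName    = 'Secure Contacts'
# Step 12 sets the policy to On ('enabled'). 'enabledForReportingButNotEnforced'
# is the report-only state, which logs the result without blocking sign-ins.
$State      = 'enabled'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'Group.Read.All','Application.Read.All'

# Resolve the group and the app to IDs; stop unless each lookup returns exactly one match.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
$app   = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)." }
if ($app.Count   -ne 1) { throw "Expected exactly one app named '$AppName', found $($app.Count)." }

# Refuse to create a second policy with the same name.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -eq $PolicyName
if ($existing) { throw "A policy named '$PolicyName' already exists." }

$policy = @{
    displayName   = $PolicyName
    state         = $State
    conditions    = @{
        # Steps 5-6: include the test group
        users          = @{ includeGroups = @($group[0].Id) }
        # Steps 7-8: Office 365 app group plus the Secure Contacts app ID
        applications   = @{ includeApplications = @('Office365', $app[0].AppId) }
        # Step 9: Mobile apps and desktop clients
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        # Steps 10-11: 'compliantApplication' is "Require app protection policy"
        builtInControls = @('compliantApplication')
    }
}

# Step 13: create the policy and show what was stored
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```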
