Reminder: “Require approved client app” control in Microsoft Entra Conditional Access will be retired in June 2026

Originally posted by Microsoft Jan 22, 2026 Uncategorized 0 Comments

The “Require approved client app” control in Microsoft Entra Conditional Access will retire in June 2026. Organizations should update policies to use the “Require application protection policy” control for equivalent and enhanced protection. After retirement, the old control will no longer be enforceable.

As mentioned in MC540749 and MC1029989, Microsoft Entra ID (formerly known as Azure Active Directory) and Microsoft Intune will retire the Conditional Access “Require approved client app” grant control in June 2026 (previously March 2026). We recommend utilizing the “Require application protection policy” grant control, which provides the same data loss and protection with additional benefits.

How this will affect your organization:

If you have a Conditional Access policy with “Require approved client app” grant control configured, after this change, you will no longer be able to enforce this control, it will be as if this grant is not selected.

What you need to do to prepare:

We recommend updating your Conditional Access policy to using the “Require application protection policy” grant control. For more information, see Migrate approved client app to application protection policy in Conditional Access.

Message ID: MC1220751

Comments are closed.

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

Trending Posts

%d bloggers like this: