Require approved client app incorrectly implies 'Microsoft Authenticator' can be used as a broker app on Android #105756

Closed
Borgquite opened this issue Feb 24, 2023 · 3 comments

Comments

Borgquite commented Feb 24, 2023

According to this page, under 'Require approved client app':

The broker app can be Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android devices.

And later:

Requires a broker app to register the device. The broker app can be Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android devices.

However under 'Require app protection policy' we are told that on iOS, the broker app is Microsoft Authenticator, and on Android, the broker app is Intune Company Portal. This is in line with user testing, and the Microsoft support case [Case #:32525687] as described here: https://techcommunity.microsoft.com/t5/microsoft-intune/why-different-broker-apps-for-ios-and-android-not-enrolled-when/m-p/3614640/highlight/true#M11896

Please update this page to reflect that Microsoft Company Portal is the only supported broker app on Android.



YashikaTyagii (Contributor) commented

@Borgquite
Thanks for your feedback! We will investigate and update as appropriate.


Borgquite commented Feb 27, 2023

@YashikaTyagii Please ignore this feedback. I have found the cause of the confusion:

  • The 'Require approved client app' Conditional Access policy requires a broker app to perform device registration.
  • The 'Require app protection policy' and the general Intune App Protection Policy feature on Android require app protection functionality built into the Company Portal app.

In my testing, it seems that the 'Require approved client app' setting on its own can work on an Android device with Microsoft Authenticator installed. However, the 'Require app protection policy' setting does in fact require the Company Portal app. This is slightly confusing, since often the 'Require approved client app' setting (which can use Microsoft Authenticator or Company Portal) is set up along with app protection policies (which can only use Company Portal). But the current text in the article is actually correct, once you realise that a 'broker app' is not the same as 'app protection functionality'.

Thanks for considering this - it appears the article is correct as it stands. Perhaps the 'Require app protection policy' section could be clearer:

'The broker app can be Microsoft Authenticator for iOS. On Android the broker app must additionally support app protection functionality, so the only supported broker app for this policy is Microsoft Company Portal for Android devices.'

https://learn.microsoft.com/en-gb/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy#company-portal-app-and-intune-app-protection
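The distinction drawn in the comment above (a broker app for device registration versus app-protection functionality) is easiest to see when the two grant controls are deployed as separate policies. The following is an added example, not code from the issue, the article, or Microsoft; it uses the Microsoft Graph PowerShell SDK to create two report-only Conditional Access policies scoped to iOS and Android, one carrying the 'Require approved client app' control (Graph value `approvedApplication`) and one carrying 'Require app protection policy' (`compliantApplication`), then reads back which control each policy enforces. The pilot group ID and the policy display names are placeholders.

```powershell
# Added example (not from the issue or Microsoft's docs). Requires the
# Microsoft.Graph PowerShell SDK and a Conditional Access administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"  # hypothetical pilot group

# Shared conditions: Office 365 apps, mobile/desktop client apps, iOS and Android only.
$baseConditions = @{
    applications   = @{ includeApplications = @("Office365") }
    users          = @{ includeGroups = @($pilotGroupId) }
    platforms      = @{ includePlatforms = @("android", "iOS") }
    clientAppTypes = @("mobileAppsAndDesktopClients")
}

# Policy 1: 'Require approved client app'. A broker app registers the device;
# on Android either Microsoft Authenticator or Company Portal satisfies this.
$approvedClientApp = @{
    displayName   = "CA - Require approved client app (iOS/Android) - report only"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $baseConditions
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication")
    }
}

# Policy 2: 'Require app protection policy'. Needs Intune app protection
# functionality; on Android only Company Portal provides it.
$appProtectionPolicy = @{
    displayName   = "CA - Require app protection policy (iOS/Android) - report only"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $baseConditions
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")
    }
}

$created = foreach ($body in @($approvedClientApp, $appProtectionPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Check: read each policy back and show the grant control it enforces.
foreach ($policy in $created) {
    $readBack = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
    "{0}: {1}" -f $readBack.DisplayName, ($readBack.GrantControls.BuiltInControls -join ", ")
}
```

Keeping the two controls in separate report-only policies lets the sign-in logs show, per device, which one would have failed. If you instead put both values in one policy's `builtInControls` with `operator = "OR"`, an Android device with only Microsoft Authenticator installed satisfies the policy through `approvedApplication` and the app-protection requirement is never exercised; use `operator = "AND"` if both must hold.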

YashikaTyagii (Contributor) commented

@Borgquite
We are going to close this thread as resolved but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.
