Table of Contents
Summary
- “Require approved client app” grant control will be retired in Microsoft Entra ID and Intune.
- Organizations must update Conditional Access policies to use “Require application protection policy” grant control instead.
- This change will affect any existing Conditional Access policies using the retired control.
- Users will no longer have the ability to enforce the retired control after it is removed.
- Administrators should prepare for this change to avoid disruptions in service.
Admin Impact: High
User Impact: Low
Release Start: 01 Jun 2026
Release End: 01 Jun 2026
Services: Intune
Category: Plan for change
Tags: Admin Action, Retirement
History
1/22/2026 Item Added to Message Center
Microsoft Message
As mentioned in MC540749 and MC1029989, Microsoft Entra ID (formerly known as Azure Active Directory) and Microsoft Intune will retire the Conditional Access “Require approved client app” grant control in June 2026 (previously March 2026). We recommend utilizing the “Require application protection policy” grant control, which provides the same data loss and protection with additional benefits.
How this will affect your organization
If you have a Conditional Access policy with “Require approved client app” grant control configured, after this change, you will no longer be able to enforce this control, it will be as if this grant is not selected.
What you need to do to prepare
We recommend updating your Conditional Access policy to using the “Require application protection policy” grant control. For more information, see Migrate approved client app to application protection policy in Conditional Access.