No conditional access policy should require an approved client app.
Why This Matters
Requiring an approved client app in a Conditional Access policy can increase security risk by limiting user flexibility and potentially locking out legitimate devices or users who rely on non-approved applications. This misconfiguration may cause unintended access denials, disrupt productivity, or create security gaps if exceptions are poorly managed. Administrators should review such policies to ensure they align with the organization's security posture without over-restricting access.
What Aether365 Checks
This check scans all Conditional Access policies in your Microsoft 365 tenant to identify any that require an approved client app. It appears in the Aether365 dashboard under the microsoft-365 service category.
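As an added illustration of this kind of scan (not Aether365's own code), the Python below filters a Microsoft Graph Conditional Access policy listing for policies whose grant controls include `approvedApplication`, the Graph value for "Require approved client app". The sample response, its ids and display names are constructed, and listing disabled and report-only policies alongside enabled ones is an assumption about scope.

```python
import json

# Microsoft Graph value for the "Require approved client app" grant control.
APPROVED_CLIENT_APP = "approvedApplication"

# Constructed sample shaped like a GET /identity/conditionalAccess/policies
# response; ids and display names are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "value": [
    {"id": "00000000-0000-0000-0000-000000000001",
     "displayName": "Mobile - approved apps only",
     "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
    {"id": "00000000-0000-0000-0000-000000000002",
     "displayName": "Mobile - approved app or app protection",
     "state": "enabledForReportingButNotEnforced",
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication", "compliantApplication"]}},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Admins - require MFA", "state": "enabled",
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}},
    {"id": "00000000-0000-0000-0000-000000000004", "displayName": "Session controls only", "state": "disabled",
     "grantControls": null}
  ]
}
""")


def find_approved_client_app_policies(response):
    """Return one finding per policy whose grant controls include approvedApplication."""
    findings = []
    for policy in response.get("value", []):
        grant = policy.get("grantControls") or {}   # null for session-only policies
        controls = grant.get("builtInControls") or []
        if APPROVED_CLIENT_APP not in controls:
            continue
        findings.append({
            "id": policy.get("id"),
            "displayName": policy.get("displayName"),
            "state": policy.get("state"),            # assumption: every state is listed
            "operator": grant.get("operator"),
            "other_controls": [c for c in controls if c != APPROVED_CLIENT_APP],
        })
    return findings


if __name__ == "__main__":
    for f in find_approved_client_app_policies(SAMPLE_RESPONSE):
        print(f'{f["state"]:<36} {f["displayName"]} ({f["id"]})')
```

The `state`, `operator` and `other_controls` fields in each finding show whether the policy is enforced and whether the approved client app requirement stands alone or is combined with another grant control.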