A month ago, a user reported that they could not access the Microsoft Planner application (MAM) from their mobile device. Users were able to access applications such as Outlook, OneDrive, Microsoft Teams, Word and Excel, but not Microsoft Planner.
Below is the error users get when they try to access Planner from a mobile device.
You can’t get there from here. It looks like you are trying to open this resource with app that hasn't been approved by your IT department. Ask them for a list of approved applications.
The above clearly says that Microsoft Planner is not an approved app, and that this message is coming from conditional access.
I went to the Microsoft Azure portal, Azure Active Directory, Conditional access, and verified that the conditional access policy had been created and applied to users correctly, with client approved apps selected for iOS and Android devices.
A few months ago, Microsoft added a new access control in Azure AD conditional access called ‘Require approved client app’ (a replacement for the app-based conditional access that is in Intune app protection policies).
The new app-based conditional access blocks O365 service access for apps that are not protected by the Intune SDK. This allows us to block users from accessing email from unapproved (non-Intune SDK) apps like the native email app or any other unapproved app to access
We can use this to restrict access to O365 services, Exchange Online and SharePoint Online to these protected applications that have the Intune SDK. With this, only Intune SDK-enabled apps will be allowed access.
For more information about client approved apps, refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technical-reference#approved-client-app-requirement
Even though we granted access to client approved apps in conditional access, users still got the above error. After some time, I identified that app-based conditional access policies were set up and that the users had been added to restricted groups.
Below is what I am referring to: Exchange Online allowed apps (the app-based conditional access policy available in Microsoft Intune). Microsoft Planner is not among the Intune supported applications here, but it is available in Azure AD CA.
After removing the user group from these Exchange Online restricted user groups, users were able to access Microsoft Planner.
The access control ‘Require approved client app’ in Azure AD conditional access is a replacement for Intune app-based conditional access, and you no longer need to use app-based CA.
To fix the issue, remove the restricted user groups that are configured in app-based conditional access in the Intune app protection blade.