Add Microsoft Authenticator to Approved Client App
Currently the "Require approved client app" list of apps does not include the Microsoft Authenticator app, thus preventing adoption of cool features such as 'passwordless sign-in' which is apparently signing in as the user and therefore getting blocked.
This is a problem we’re aware of and working on how best to address this use case.
Salgado, Jason commented
This is impacting our LOB apps that use Authenticator as the broker. We are not going to remove our CA policies that protect us. This needs to be fixed asap!
Brandon Fox commented
This must be one epic plan! 2 years in the making!
What's the status of this? This one piece is blocking us from rolling out Intune to thousands of users.
Rich Lusk commented
Please provide an update. Is this still an issue?
Brogan, Steve commented
Any update on this from the AAD Team?
Will U commented
This is a huge issue for us as well and is currently preventing us from adopting Azure AD Passwordless sign-in on a larger scale.
If the team doesn't want to make Authenticator an approved client app, allowing specific apps to be exempted from the grant action in the conditional access policy would work as well.
Chen, Chris, ITD commented
Looks like we are seeing this as a roadblock with our testing.
Martin Lapos commented
Authenticator is still missing in the list of approved client apps and passwordless sign-in is still failing on the CA policy if we require approved client app.
Any update from the Azure AD Team?
Nick Donovan commented
I don't know if I'm also having a similar issue. Currently we are trying to build a LOB application for iOS. I am using MS Authenticator to handle the brokering of the authentication for my LOB app to Azure. We would like to use this app on both MDM and MAM-WE devices. We have the two options ticked in our conditional access policy which grant access: 'Require device to be marked as compliant' or 'Require approved client app'. Either of these will grant access from our CA policy.
Obviously coming from a MAM-WE device then the device will not be compliant as it is not enrolled. However, if I turn this option off then I will be presented with: "You can't get there from here. It looks like you are trying to open this resource with an app that hasn't been approved by your IT department. Ask them for a list of approved apps." This comes from the second option in my CA policy. I am receiving this message from a web view within the MS Authenticator iOS app.
If MS Authenticator gets added as an approved app, will this CA policy pass and let me access my LOB app?
Been struggling to find something about this.