NAA Incompatibility with Require Approved Client App Grant Conditional Access Policy #5315

Closed
AzGuineaPig opened this issue Jan 27, 2025 · 3 comments
Assignees
Labels
Area: authentication Issue related to authentication Needs: author feedback Waiting for author (creator) of Issue to provide more info Status: no recent activity Issue or PR is stale (no recent activity)

Comments

@AzGuineaPig

We have an Office add-in for Outlook mobile that utilizes NAA via msal-browser and createNestablePublicClientApplication on iOS and Android devices. However, when attempting to fetch a token, we encounter the error message “You can’t get there from here” with the sign-in error code 530021. This error indicates that the application does not meet the conditional access approved app requirements.

This failure is triggered by a Conditional Access policy with the following settings:

Users: All users
Target Resources: Office 365 Exchange Online (00000002-0000-0ff1-ce00-000000000000)
Conditions:
    Device Platforms: iOS and Android
    Client Apps: Mobile apps and desktop clients
Grant:
    Grant Access: Require approved client app

When requesting a token with a mail scope on a mobile device, the error occurs. If the token does not include a mail scope, it works fine, likely because it does not target the Exchange Online resource specified in the policy.

Attempts to add an exception to the Conditional Access policy for our app registration have been unsuccessful. It seems that the exception applies to applications accessing the app registration resource, not to the app registration requesting a token.

Is there any way to resolve this issue or change the token request method? The MSAL documentation does not provide a solution. If this issue persists, Office Add-ins using NAA (replacing EWS/REST) may not be able to comply with the “Require approved client app” policy, causing compliance issues for customers who restrict access to Exchange Online resources to approved client apps. Although the add-in is launched from an approved client app (Outlook), it is treated as a separate app.
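One way an admin could find which app registrations hit this block, as an added example that is not part of the original issue or of MSAL: it scans sign-in records for error 530021 against the Exchange Online resource ID and groups them by requesting app. Field names follow the Microsoft Graph signIn resource; the records, app IDs and policy name are constructed.

```javascript
// Added example, not code from the issue or from MSAL/Office.js.
// Field names follow the Microsoft Graph signIn resource; all records are constructed.
const EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"; // target resource in the policy
const APPROVED_APP_ERROR = 530021; // sign-in error code quoted in the issue
const ADDIN_APP_ID = "11111111-1111-1111-1111-111111111111"; // placeholder app registration
const policy = { displayName: "Require approved client app (constructed)", result: "failure" };

const sampleSignIns = [
  { appId: ADDIN_APP_ID, appDisplayName: "Example NAA add-in", resourceId: EXCHANGE_ONLINE,
    deviceDetail: { operatingSystem: "iOS 17.2" }, status: { errorCode: 530021 },
    appliedConditionalAccessPolicies: [policy] },
  { appId: ADDIN_APP_ID, appDisplayName: "Example NAA add-in", resourceId: EXCHANGE_ONLINE,
    deviceDetail: { operatingSystem: "Android 14" }, status: { errorCode: 530021 },
    appliedConditionalAccessPolicies: [policy] },
  // Token without a mail scope: different (placeholder) resource, no failure.
  { appId: ADDIN_APP_ID, appDisplayName: "Example NAA add-in",
    resourceId: "99999999-9999-9999-9999-999999999999",
    deviceDetail: { operatingSystem: "iOS 17.2" }, status: { errorCode: 0 },
    appliedConditionalAccessPolicies: [] },
  // A different error code against Exchange Online: must not be counted.
  { appId: "22222222-2222-2222-2222-222222222222", appDisplayName: "Other app",
    resourceId: EXCHANGE_ONLINE, deviceDetail: { operatingSystem: "Android 14" },
    status: { errorCode: 50126 }, appliedConditionalAccessPolicies: [] },
];

// Group approved-client-app failures against Exchange Online by requesting app.
function findApprovedAppBlocks(signIns) {
  const byApp = new Map();
  for (const s of signIns) {
    if (s.status?.errorCode !== APPROVED_APP_ERROR) continue;
    if ((s.resourceId || "").toLowerCase() !== EXCHANGE_ONLINE) continue;
    const entry = byApp.get(s.appId) ||
      { appId: s.appId, name: s.appDisplayName, failures: 0, platforms: new Set(), policies: new Set() };
    entry.failures += 1;
    // Keep only the platform name ("ios", "android"), dropping the version.
    entry.platforms.add((s.deviceDetail?.operatingSystem || "unknown").split(" ")[0].toLowerCase());
    for (const p of s.appliedConditionalAccessPolicies || []) {
      if (p.result === "failure") entry.policies.add(p.displayName);
    }
    byApp.set(s.appId, entry);
  }
  return [...byApp.values()].map((e) => ({
    ...e, platforms: [...e.platforms].sort(), policies: [...e.policies].sort(),
  }));
}

console.log(JSON.stringify(findApprovedAppBlocks(sampleSignIns), null, 2));
```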

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP label Jan 27, 2025
@slabereemsft slabereemsft self-assigned this Jan 31, 2025
@slabereemsft slabereemsft added Area: authentication Issue related to authentication Type: product feature request Office JS ideas that should be posted to aka.ms/m365dev-suggestions (formerly User Voice.) and removed Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP labels Jan 31, 2025
@davidchesnut
Member

Hi @AzGuineaPig,

Sorry for the slow response on this. NAA doesn't support the approved client app policy as it will be retired March 2026. Admins should move to the application protection policy grant. Full details on how to do this are documented in "Migrate approved client app to application protection policy in Conditional Access".

Cheers,
David

@davidchesnut davidchesnut added Needs: author feedback Waiting for author (creator) of Issue to provide more info and removed Type: product feature request Office JS ideas that should be posted to aka.ms/m365dev-suggestions (formerly User Voice.) labels Mar 6, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Status: no recent activity Issue or PR is stale (no recent activity) label Mar 10, 2025
Contributor

This issue has been automatically marked as stale because it is marked as needing author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. Thank you for your interest in Office Add-ins!

Contributor

This issue has been closed due to inactivity. Please comment if you still need assistance and we'll re-open the issue.
