The "require approved client apps" feature in conditional access is a very good security feature, but sometimes a 3:rd party app must be supported, .e.g., a room booking system for mobile devices. If the feature "require approved client apps" is enabled, there is no way to support a 3:rd party app. Please make it possible to add apps (tenant wide) to the "require approved client apps" list.

Please add Microsoft Whiteboard Client as Approved client app requirement for Conditional Access so that this is not blocking productive on IOS/Android when trying to secure SharePoint/OneDrive.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#approved-client-app-requirement

Please add the ability to customize the text that the end-user receive, when a sign in is being blocked due to corporate defined conditional access policies.

See: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/17486230-allow-custom-error-messages-for-conditional-access

Expand the cloud app Session Controls area to be able to apply OWA policies on-the-fly.

Allow admins to do things like block download access unless the user is within a trusted location or on a compliant or domain joined device.

Effectively this, but without the need for ADFS: https://technet.microsoft.com/en-us/library/dn530630(v=exchg.150).aspx

Combining that with the SharePoint session controls will result in a more complete browser-only experience for unmanaged/untrusted devices.

Intune applies compliance policies to machines twice. One for the Signed in AAD user, and another for the 'System Account'. The devices in question become uncompliat due to the system account not getting logged into. When devices are marked not-compliant, and you have a conditional access policy this makes things difficult. Users will no longer be able to access company data when marked 'not-compliant'. Please have the compliance policy only apply to the signed in AAD user. Having to remote into PC's and sign into a root user just so the compliance policy hits is not good! Thanks

Allow the use of IPv6 within Conditional Access.

Extend conditional access to cover EWS for on-premise Exchange. At present we are able to protect all entry methods other than Outlook on OSX connecting via EWS

To allow us to create a blanket policy and then exclude the MyApps site from the Conditional Access Policy.

We can then allow customers to login and use the MyApps site as a launch pad to all their services whilst being very specific about what apps require additional compliance.

The potential to place a device into a quarantine before permission is granted to access any corporate resource. Many of my customers wish to use Intune and have a mobility strategy but wish to restrict access to corporate devices only.

Perhaps one way to achieve this is to make it a condition for conditional access scenarios that the device is 'corporate', which could be extended to Azure AD conditional access too. This may give the opportunity to have different access policies depending on the application or service being granted access to.

Device Compliance reporting for devices only. We user shared devices in our enviroment. Compliance policies are running for all users that sign into a device messing up our reporting. For instance, a compliance policy for minimum OS version runs for all users that sign into a device. One user sets the device non-compliant because it does not meet the requirements. Next user signs in after it updates to minimum requirements and sets the compliance only for that user. The device still shows non-compliant because of the previous user who may never login to that device again to mark it compliant.

We recently ran into the issue that our Conditional Access Policies were not applied to members of a nested Azure AD Security group that is a member of the Azure AD security group the policy is assigned to. Support confirmed this is currently "as designed". Can you please fix this so policies are applied to members of nested groups as well? Thank you!

Currently the Yammer Mobile App does not have feature support for Conditional Access with Intune or Azure AD Conditional Access to work with MAM WE.

This causes the Yammer App to be blocked when Conditional Access is configured and enabled for device targeting.

Requesting the feature support for Conditional Access to be implemented for Yammer to allow this area of support for the product.

Please also note the conversation in this thread: https://www.yammer.com/microsoft.com/#/Threads/show?threadId=800165359

Thank you.

Currently the PowerBI does not have feature support for Conditional Access with Intune or Azure AD Conditional Access.

This causes the PowerBI to be blocked when Conditional Access is configured and enabled for device targeting.

Requesting the feature support for Conditional Access to be implemented for PowerBI to allow this area of support for the product.

Add Support to Block Access to SharePoint Online via browser while access is managed by InTune conditional access policies.

Now that we have more Conditional Access options, like controlling OWA in Office365 the next step in this evolution would be to only allow Corporate owned devices to enroll. Making it possible to only enroll pre-registered devices. This would unblock a lot of customers with that exact requirement.