What is the Microsoft 365 app protection policy?

Microsoft 365 app protection policies are rules that ensure an organization’s data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move “corporate” data, or a set of actions that are prohibited or monitored while the user is inside the app. A managed app is an app that has app protection policies applied to it and can be managed by Intune, which is included in Microsoft 365 Business Premium.

How does Microsoft 365 app protection protect the app data?

Employees use mobile devices for both personal and work tasks. As an administrator, you want to keep them productive while preventing data loss, whether intentional or unintentional, and you also need to protect company data that is accessed from devices the IT department does not manage. Microsoft 365 app protection policies help you protect your company’s data with or without enrolling devices in a device management solution: by implementing app-level policies, an administrator can restrict access to company resources and keep data within the purview of the IT department.


In this blog, we walk through the steps involved in creating an app protection policy in the Microsoft 365 admin center. Open the Microsoft 365 admin center → Setup menu. Under Device management you will find the configuration item “Protect data in mobile apps” with the status “Not started yet”, so you are ready to start the configuration. The picture below highlights these items in red boxes.

[Screenshot: Microsoft 365 admin center → Setup, with “Protect data in mobile apps” and its “Not started yet” status marked in red boxes]

Click the link (inside the red box) “Protect data in mobile apps”; you will be redirected to the wizard shown in the screenshot below, where you select the “Get started” button.


[Screenshot: “Protect data in mobile apps” wizard with the “Get started” button]

User impact & Application impact on applying the app protection policy

After creating an app protection policy, the next time an assigned user opens one of the affected apps on a mobile device, the app will restart, notify them that it’s now being managed by a policy, and ask them to set up a PIN to access it. Android users will be asked to install the Company Portal app on their mobile devices.

As an administrator, when you set up an app protection policy, you will be asked to choose a security group and the work apps to which the protection policy is applied. Administrators can choose to apply the policies to apps such as Microsoft Office, OneDrive, Skype, and Teams. Policies are applied only when apps are used in a work context on a mobile device, for example when a user signs in to an app with a work account or opens files that are stored in your org’s OneDrive for Business.

Creating an app protection policy in Microsoft 365 admin center

The following steps cover the Android and iOS mobile device settings that define the policy protecting your organization’s data by controlling how it is accessed, shared, and encrypted in mobile Office apps, even when a personal mobile device is lost or stolen.

In this step, we configure two settings for Android and iOS devices, namely:

  • Protect your organization’s data when mobile devices are lost or stolen
  • Manage how users access Office files on their mobile devices

You then determine who should use the policy you are creating: either everyone in the organization, or the members of a security group you create in Azure AD.

[Screenshot: the two Android and iOS settings groups and the “Who should this policy apply to?” selection]

Android and iOS settings

Protect your organization’s data when mobile devices are lost or stolen – Protect your organization’s files by deleting them from inactive devices, requiring users to save files to OneDrive, and encrypting files.

Delete files after the device has been inactive for this number of days – The administrator enters the number of days a device may remain inactive before the organization’s files are deleted from it; because users are also required to save files to OneDrive, the copy in OneDrive is retained. The default is 90 days.

Here, the administrator has to enable the check box “Require users to save the files in OneDrive” and the check box “Encrypt your organization files” as shown in the picture below.

[Screenshot: lost-or-stolen device settings: inactivity deletion period, “Require users to save the files in OneDrive” and “Encrypt your organization files” checkboxes]

Manage how users access Office files on their mobile devices – This setting controls how users access the organization’s files by requiring a PIN to access Office apps, restricting users from opening files on jailbroken or rooted devices, and not allowing users to copy content from Office apps into personal apps.

Here you can enable the checkbox “Require a PIN to access Office apps” and specify the number of failed attempts allowed before the user’s PIN is reset. The administrator enters this number in the box; the default is 5, i.e. after the 5th failed attempt the user must set a new PIN.

The administrator also sets the number of minutes of inactivity after which users must sign in again. The default is 30 minutes, so after 30 minutes of inactivity the user has to sign in again to use the resources.

Also enable the checkboxes “Deny access to your organization files on jailbroken or rooted device” and “Don’t allow users to copy content from Office apps to personal apps”.

[Screenshot: Office file access settings: PIN requirement, failed-attempt limit, inactivity timeout, jailbroken/rooted denial and copy restriction checkboxes]

Who should this policy apply to?

By default, everyone in the organization is selected (the “All Users” security group). To target particular users instead, create a security group containing those users and select that group in the box shown below.

[Screenshot: “Who should this policy apply to?” with the security group selection box]

Click Create a policy to finish. After a short processing prompt you will see the message “Data is now protected in mobile apps” together with the notification “The next time a user opens one of the protected apps on a mobile device, the app will restart and notify them that their device is now managed by a policy. They will need to set up a PIN to access it”.

The below screenshot shows this confirmation.

[Screenshot: “Data is now protected in mobile apps” confirmation]

You can now verify on a user’s Android or iOS device that the protected apps prompt for a PIN to be set up on each device.
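The settings the wizard writes become an Intune app protection policy, which Microsoft Graph exposes as androidManagedAppProtection and iosManagedAppProtection objects. The following is an added example, not code from the original post or from Microsoft: an offline checker that compares such an object against the values configured in the steps above and reports any setting that was later relaxed. The Graph property names it reads (periodOfflineBeforeWipeIsEnforced, pinRequired, maximumPinRetries, periodOnlineBeforeAccessCheck, deviceComplianceRequired, allowedOutboundClipboardSharingLevel, saveAsBlocked, allowedDataStorageLocations, encryptAppData) are assumed to be the fields that carry the wizard’s choices, and both policy objects are constructed samples, not tenant data.

```python
import re

# Baseline values taken from the wizard settings described in this post.
MAX_WIPE_DAYS = 90          # delete files after this many inactive days
MAX_PIN_RETRIES = 5         # failed attempts before the PIN is reset
MAX_RECHECK_MIN = 30        # minutes of inactivity before users sign in again
SAFE_CLIPBOARD = {"managedApps", "managedAppsWithPasteIn", "blocked"}
SAFE_STORAGE = {"oneDriveForBusiness", "sharePoint"}
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")

def iso_duration_minutes(value):
    """Convert an ISO 8601 duration such as 'P90D' or 'PT30M' to minutes."""
    m = _DUR.match(value or "")
    if not m:
        raise ValueError("unsupported duration: %r" % (value,))
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes

def audit_policy(policy):
    """Return the names of settings weaker than the baseline for one Graph
    androidManagedAppProtection / iosManagedAppProtection object (assumed
    field names); an empty list means the policy still matches the post."""
    wipe = policy.get("periodOfflineBeforeWipeIsEnforced")
    recheck = policy.get("periodOnlineBeforeAccessCheck")
    checks = [
        # a missing or zero-length wipe period is read as "never wiped"
        ("inactive_wipe", wipe is None
            or not 0 < iso_duration_minutes(wipe) <= MAX_WIPE_DAYS * 1440),
        ("pin_required", not policy.get("pinRequired")),
        ("pin_retries", (policy.get("maximumPinRetries") or 999) > MAX_PIN_RETRIES),
        ("access_recheck", recheck is None
            or iso_duration_minutes(recheck) > MAX_RECHECK_MIN),
        ("rooted_devices", not policy.get("deviceComplianceRequired")),
        ("copy_to_personal_apps",
            policy.get("allowedOutboundClipboardSharingLevel") not in SAFE_CLIPBOARD),
        ("save_to_onedrive", not policy.get("saveAsBlocked")
            or not set(policy.get("allowedDataStorageLocations", [])) <= SAFE_STORAGE),
        # iOS objects have no encryptAppData field; only Android is checked here
        ("encrypt_files", policy.get("@odata.type", "").endswith("androidManagedAppProtection")
            and not policy.get("encryptAppData")),
    ]
    return [name for name, weak in checks if weak]

# Constructed sample objects in the shape Graph returns (not real tenant data).
GOOD_POLICY = {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "periodOfflineBeforeWipeIsEnforced": "P90D", "pinRequired": True,
    "maximumPinRetries": 5, "periodOnlineBeforeAccessCheck": "PT30M",
    "deviceComplianceRequired": True, "saveAsBlocked": True, "encryptAppData": True,
    "allowedOutboundClipboardSharingLevel": "managedApps",
    "allowedDataStorageLocations": ["oneDriveForBusiness"]}
DRIFTED_POLICY = dict(GOOD_POLICY, periodOfflineBeforeWipeIsEnforced="P0D",
                      maximumPinRetries=10, allowedOutboundClipboardSharingLevel="allApps")
```

Running audit_policy over each object returned by the Graph managedAppPolicies endpoints on a schedule turns the one-time wizard into a recurring drift check.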

Conclusion

There are several benefits to setting up an app protection policy for your users. It protects your company data at the app level: as an administrator, you can protect company data on both managed and unmanaged devices. Management is centered on the user identity, which removes the requirement for device management. Likewise, the policies are applied only in a work context, which lets you protect company data without touching personal data. App protection policies make sure that app-layer protections are in place; for example, you can require a PIN to open an app in a work context, control the sharing of data between apps, and prevent company app data from being saved to a personal storage location.
