What do I have to consider when configuring Conditional Access and App Protection Policies?

Conditional Access and App Protection Policies affect the use of the ahead application (mobile and browser).

Conditional Access Policies for M365 affect ahead Intranet.

In ahead, we access documents and sites from SharePoint on behalf of the user via Microsoft Graph. The required permissions are requested as soon as the user first uses such a feature. Consequently, the Conditional Access Policies configured for M365 also have an impact on ahead.

ahead uses the default browser of the mobile phone for login purposes; therefore App Protection Policies are also affected.

The ahead mobile app uses the default browser for login. Therefore, App Protection Policies defined for the default browser also affect the ahead mobile app.

Unsupported Conditional Access Policy settings for M365 and ahead

Require approved client app
With this setting, access is only possible from an official Microsoft app. Exceptions cannot be defined, so the setting cannot be used with ahead. If the setting is enabled for M365 anyway, it is not possible to view SharePoint documents and sites via ahead.
Require app protection policy
This option specifies that only apps protected by an App Protection Policy are allowed to access ahead. The ahead app is not protected by an App Protection Policy, so the setting cannot be used. If the setting is enabled for M365 anyway, it is not possible to view SharePoint documents and sites via ahead.
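To check an existing tenant for the two unsupported grant controls before rolling out ahead, the following audit can be run over the policy objects that Microsoft Graph returns from GET /identity/conditionalAccess/policies. This is an added example, not code from ahead or Microsoft; the policy JSON below is constructed sample data, and the function assumes the Graph property names and builtInControls values (approvedApplication, compliantApplication) as documented for the conditionalAccessPolicy resource.

```python
# Added example (not part of the ahead documentation): flag Conditional Access
# policies that would block ahead's SharePoint access through Microsoft Graph.
# Input is a list of policy dicts in the Graph conditionalAccessPolicy shape.

# Graph builtInControls values behind the two unsupported portal settings.
BREAKING_CONTROLS = {
    "approvedApplication": "Require approved client app",
    "compliantApplication": "Require app protection policy",
}

# Application targets that cover Microsoft 365 / SharePoint.
M365_TARGETS = {"All", "Office365"}


def find_blocking_policies(policies):
    """Return (displayName, [setting labels]) for each enabled policy that
    targets M365 and can only be satisfied via an unsupported control."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":          # ignore disabled / report-only
            continue
        apps = p.get("conditions", {}).get("applications", {})
        if not M365_TARGETS & set(apps.get("includeApplications", [])):
            continue
        if "Office365" in apps.get("excludeApplications", []):
            continue
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        breaking = [c for c in controls if c in BREAKING_CONTROLS]
        if not breaking:
            continue
        # "AND": every control must be met, so one unsupported control blocks.
        # "OR": blocked only when there is no other control the user could meet
        # (e.g. MFA) instead of the unsupported one.
        if grant.get("operator") == "AND" or len(breaking) == len(controls):
            findings.append((p["displayName"],
                             [BREAKING_CONTROLS[c] for c in breaking]))
    return findings


SAMPLE_POLICIES = [  # constructed sample data, not from a real tenant
    {"displayName": "MFA for all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Mobile: approved apps only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "AND",
                       "builtInControls": ["approvedApplication", "compliantApplication"]}},
    {"displayName": "MFA or approved app", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "approvedApplication"]}},
    {"displayName": "Report-only APP check", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}},
]

if __name__ == "__main__":
    for name, labels in find_blocking_policies(SAMPLE_POLICIES):
        print(f"{name}: {', '.join(labels)} will block SharePoint access via ahead")
```

Only the second sample policy is reported: the OR policy can still be satisfied with MFA, and the report-only policy is not enforced.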

Necessary settings for App Protection Policies of the default browser

Data protection

The Data protection settings define, among other things, how a protected app is allowed to communicate with other apps. During login, the default browser must be allowed to exchange data with the ahead app. Since the ahead app is not protected, the "Send org data to other apps" setting must be set to "All apps". Alternatively, select "Policy managed apps" and define an exception for the ahead app under "Select apps to exempt". The ID of the ahead app is com.aheadintranet and must be entered as the value.

In addition, the option "All apps" must be selected for "Receive data from other apps". This is the default.