
What are Intune app protection policies?

Intune app protection policies are mobile application management (MAM) rules in Microsoft Intune that control how corporate data is accessed, shared, and stored within apps. Unlike device-level MDM policies that manage the entire device, APP targets the app layer. Corporate data stays protected even on personal devices that aren't enrolled in Intune.

Microsoft Entra ID (previously Azure Active Directory, or Azure AD) handles identity verification before APP rules take effect. Once a user signs in with their work account, the app protection policy kicks in across every supported app tied to that identity.

APP is supported on three platforms: iOS/iPadOS, Android, and Windows. Supported apps include Microsoft 365 apps (Outlook, Teams, Word, Excel, PowerPoint, OneDrive, and Edge) and third-party apps integrated with the Intune App SDK or wrapped with the Intune App Wrapping Tool.

How app protection policies work

MAM-only (BYOD devices without enrollment)

APP can protect corporate data on devices that aren't enrolled in Intune. This is the MAM-only scenario, and it's the most common deployment for BYOD environments. The user installs Company Portal (Android) or Authenticator (iOS), signs in with their work account, and the app protection policy activates on every managed app.

No device-level control is applied here. IT can't wipe the device, enforce encryption at the OS level, or block jailbroken devices through MAM-only policies. Only app-level restrictions apply, so corporate data stays contained within the managed app boundary.

MAM with MDM (enrolled devices)

On organization-owned devices enrolled in Intune, APP layers on top of MDM device management. This combination gives you both app-level and device-level protection. You can require device compliance (the device must meet security baselines you define) and block access from jailbroken or rooted devices.

APP and MDM together close gaps that neither approach covers alone. MDM enforces OS-level encryption and device PIN requirements. APP enforces data boundaries within individual apps.

Data protection controls

| Control | What it does |
|---|---|
| App-level PIN or biometric | Requires a PIN, fingerprint, or Face ID before opening a managed app |
| Data encryption | Encrypts corporate data at rest within managed apps |
| Cut/copy/paste restrictions | Blocks or limits pasting corporate data into unmanaged apps |
| Save-as restrictions | Prevents saving corporate files to personal storage locations |
| Selective wipe | Removes only corporate data from managed apps without touching personal data |
| Minimum OS version | Blocks access if the device OS is below a defined version |
| Jailbreak/root detection | Blocks access from compromised devices |

Conditional Access and app protection policies

Pairing Conditional Access with APP requires a Microsoft Entra ID P1 or P2 license. Conditional Access evaluates the sign-in request, checks whether the app has an approved protection policy, and either grants or blocks access based on the result.

Multi-identity support

Managed apps that support multi-identity can distinguish between a corporate account and a personal account within the same app. APP rules apply only to the corporate identity.

If a user has both a personal and a work account in Outlook, the protection policy governs only the work account's data. Personal email stays untouched.

Security risks of unprotected app data

Corporate data that moves through unmanaged apps is hard to track and nearly impossible to recover. Without app protection policies, the same problems keep showing up.

Data leakage through unmanaged apps. When no APP is in place, a user can copy text from a corporate email and paste it into a personal messaging app, save a confidential attachment to a personal cloud storage account, or forward it to a personal email address. Once that happens, the data is gone. You can't claw it back.

Shadow IT on BYOD devices. Employees routinely use unapproved apps to access corporate data when nothing stops them. Someone opens a corporate SharePoint link in an unmanaged browser, downloads the file, and edits it in an app with no data protection controls. Without Intune admin center auditing, you have no visibility into any of this.

Compromised devices. Jailbroken or rooted devices bypass OS-level security controls. Apps on these devices can be intercepted by malware or accessed by unauthorized processes. Without jailbreak detection in an APP, corporate data stored in any app on that device is exposed.

Stale or orphaned policies. When someone changes roles or leaves the organization, their app protection policy assignment may not get updated right away. That gap can leave excessive access in place, letting a former employee's device keep corporate data in managed apps long after their role ended.

ADAudit Plus tracks Intune app protection policy creation and device compliance policy changes, so you can see when policies are added or modified and by whom.

Limitations of native Intune monitoring for app protection policies

The Intune admin center provides audit logs for policy changes, but several gaps limit its usefulness for ongoing security monitoring.

Audit logs in the Intune admin center keep detailed data for a limited period. After that window, you lose granular event-level detail unless you export logs to an external solution. For organizations with compliance obligations that require years of log retention (think SOX or HIPAA), that's a real problem.

There's no built-in real-time alerting for app protection policy changes or compliance violations. If an administrator creates, modifies, or deletes an APP, you won't get a notification unless you happen to be watching the audit log at that moment.

The native console also doesn't support scheduled report delivery for APP-related events. You can't set up a weekly email summary of all policy changes and send it to a security team or compliance officer.

Then there's the correlation problem. Intune logs, Microsoft Entra ID sign-in logs, and on-premises AD logs live in separate consoles. If you need to figure out whether a policy change lined up with a suspicious sign-in or an AD permission change, you're opening multiple tools, aligning timestamps, and piecing things together yourself.

It's tedious, and things get missed.
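One way to do that correlation yourself, shown here as an added example that is not ADAudit Plus or Intune code: the script below takes Intune audit events and Entra ID sign-in records (both constructed and simplified here; the activityType strings, field names, and the business-hours baseline are assumptions) and flags app protection policy changes that were preceded by a risky sign-in from the same actor or that happened out of hours.

```python
from datetime import datetime, timedelta, timezone

# Constructed Intune audit events (activityType names are illustrative, not the
# exact strings Intune emits); one is a device action, not a policy change.
INTUNE_AUDIT = [
    {"activityDateTime": "2024-05-06T02:14:00Z", "actor": "admin@contoso.example",
     "activityType": "Delete iOSManagedAppProtection", "displayName": "iOS Outlook baseline"},
    {"activityDateTime": "2024-05-06T09:30:00Z", "actor": "helpdesk@contoso.example",
     "activityType": "Update AndroidManagedAppProtection", "displayName": "Android baseline"},
    {"activityDateTime": "2024-05-06T10:00:00Z", "actor": "helpdesk@contoso.example",
     "activityType": "Wipe ManagedDevice", "displayName": "device-1234"},
]
# Constructed Entra ID sign-in records for the same actors.
ENTRA_SIGNINS = [
    {"createdDateTime": "2024-05-06T01:58:00Z", "userPrincipalName": "admin@contoso.example",
     "riskLevelAggregated": "high", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2024-05-06T09:05:00Z", "userPrincipalName": "helpdesk@contoso.example",
     "riskLevelAggregated": "none", "ipAddress": "198.51.100.2"},
]
RISKY = {"medium", "high"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC, an assumed baseline for this tenant

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_app_policy_change(event):
    """True for create/update/delete of a managed app protection policy."""
    verb, _, target = event["activityType"].partition(" ")
    return verb in {"Create", "Update", "Delete"} and "ManagedAppProtection" in target

def correlate(audit_events, signins, window=timedelta(minutes=60)):
    """Flag app protection policy changes preceded (within `window`) by a risky
    sign-in from the same actor, or made outside business hours."""
    alerts = []
    for ev in audit_events:
        if not is_app_policy_change(ev):
            continue
        when, reasons = parse(ev["activityDateTime"]), []
        for s in signins:
            age = when - parse(s["createdDateTime"])
            if (s["userPrincipalName"] == ev["actor"] and timedelta(0) <= age <= window
                    and s["riskLevelAggregated"] in RISKY):
                reasons.append(f"{s['riskLevelAggregated']}-risk sign-in from {s['ipAddress']}")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"actor": ev["actor"], "change": ev["activityType"],
                           "policy": ev["displayName"], "reasons": reasons})
    return alerts
```

On the constructed data only the 02:14 policy deletion is flagged: the helpdesk update has a clean sign-in behind it and falls in business hours, and the device wipe is not a policy change at all.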

Monitoring Intune app protection policies with ADAudit Plus

What ADAudit Plus monitors in Intune

ADAudit Plus includes Intune reports under Cloud Directory > Intune Reports. Here's what each report covers:

The Create App Protection Policies report tracks when new app protection policies are created, who created them, and when. The Device Compliance Policies report tracks compliance policy changes that pair with APP enforcement.

The Intune Device Actions report tracks remote actions (wipe, retire, lock, restart) on managed devices. The Intune Device Enrollment report tracks device enrollment events.

All Intune reports sit alongside Microsoft Entra ID sign-in monitoring, risk detection, and on-premises Active Directory auditing in a single console. You don't need to switch between the Intune admin center, the Entra ID portal, and Event Viewer to correlate events.

Native Intune monitoring vs. ADAudit Plus

| Capability | Native Intune admin center | ADAudit Plus |
|---|---|---|
| APP creation and change logging | Yes, limited retention | Yes, with long-term archival |
| Real-time alerts on policy changes | No | Yes, via alert profiles with email and SMS |
| Scheduled report delivery | No | Yes, daily/weekly/monthly to any recipient |
| Correlation with Entra ID sign-ins | Manual cross-referencing | Single console with correlated view |
| Correlation with on-premises AD changes | Not available | Yes, hybrid AD + Entra ID + Intune in one view |
| Device compliance policy change tracking | Yes | Yes, with who/what/when detail |
| User behavior analytics for anomalous admin activity | No | Yes, detects unusual volume or timing of admin actions |


FAQ

What's the difference between MAM and app protection policies?

MAM (mobile application management) is the broader capability in Intune for managing apps on devices. App protection policies are one component of MAM that specifically controls data protection rules within managed apps. MAM also includes app configuration policies, app deployment, and app inventory, none of which are part of APP.

Does APP work on devices that aren't enrolled in Intune?

Yes. APP works in MAM-only mode on unenrolled (BYOD) devices. Users sign in with their work account, and APP rules activate on supported apps without requiring device enrollment.

What happens when a device or app violates an app protection policy?

Depending on the policy configuration, the user may be warned, blocked from accessing corporate data, or have corporate data selectively wiped from the app. If paired with Conditional Access, the device may also lose access to Microsoft 365 resources until the violation is resolved.

Does Intune support app protection policies on Windows?

Yes. Intune supports APP for Windows devices, though the feature set is more limited than on iOS and Android. Windows APP primarily protects data in Microsoft Edge and Microsoft 365 apps.
