MT.1072 - Conditional access policies should not use the deprecated Approved Client App grant.
Overviewβ
Checks if the tenant has no conditional access policy that requires an approved client app.
The approved client app grant is retiring in early March 2026. Organizations must transition all current Conditional Access policies that use only the Require Approved Client App grant control to Require Approved Client App or Application Protection Policy by March 2026. Additionally, for any new Conditional Access policy, only apply the Require application protection policy grant.
After March 2026, Microsoft will stop enforcing require approved client app control, and it will be as if this grant isn't selected. Use the following steps before March 2026 to protect your organizationβs data.
Learn moreβ
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | MT.1072 |
| Severity | High |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtCaApprovedClientApp |
| Tags | CA, Maester, MT.1072 |
Sourceβ
- Pester test:
tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1 - PowerShell source:
powershell/public/maester/entra/Test-MtCaApprovedClientApp.ps1