![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 8%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
hi Gents, so Eunice hi, as correct said Rukmini yeah this is expected.
Conditional Access targets the resource/API being accessed, not really the public client/mobile app itself. A public client often wont show as something u can include/exclude in “Cloud apps”, because it is the app requesting the token, not the protected resource. To enforce MFA, create a CA policy targeting the backend/API enterprise app or “All cloud apps”, then scope users/groups and client app = mobile apps and desktop clients. To exclude it from app protection requirement, exclude the resource app/API that receives the token, not the mobile client. If this is a custom mobile app, make sure the backend API has an enterprise application/service principal in the tenant, then target that. For Intune app protection, the app itself must support MAM/APP; if it doesnt, CA “Require app protection policy” will block it and u cant fix that with Azure AI style permissions. Other words client is not the thing CA protects, target the API/resource behind it
rgds, Alex
&
if my answer helps pls accept it.