Hi there, we implemented this in our environment and are testing the feature among the IT team. We're having a similar issue to Tom-irp, except we are testing devices that are not Intune-joined. We'd like to implement the token protection policy but still allow users signing in from non-AAD-joined/Intune-enrolled devices to log into their M365 apps, as there are still some users in our org here and there using devices not joined to Intune.
I spun up a VM and tested the functionality, and while I can log on fine in the browser, I get rejected and am told to enroll the device when logging in via an app (Outlook, Teams, Word, etc.).
We don't want to block access for some users who may be using devices not joined to our AD, but we would still like to implement this policy organization-wide. Is this expected behaviour, or is this a public preview thing that will get resolved with time?
I understand that the token protection policy uses the identity of the AAD-joined device to prevent sign-ins from any other device not matching the identity of that device. Does that limit access to only AAD-joined devices and block non-AAD-joined devices outright?
Thanks in advance!