Forum Discussion

Henrik Skovgaard
Copper Contributor
Oct 02, 2019

Conditional Access with Android phones

I am struggling a bit with Conditional Access policies.

I am trying to create the following scenario for access from mobile phones.

If the device is marked as compliant (Intune enrolled), then accept access to Exchange Online with modern auth and EAS.

If the device is not marked as compliant, then people can use Approved Apps.

It is working really well on iOS devices. On Android not so well. Even if an Android device is enrolled and compliant, it behaves like it's not enrolled and offers the user to continue with Company Portal.

Should it not be possible?

  • Thijs Lecomte
    Bronze Contributor
    Could you share your CA policies? Are you using 1 policy or multiple policies?
    Have you checked the sign-in logs of Azure AD to check which policies are being assigned?

    We need some more info before we can help you out 🙂
    • stevenpsiu
      Copper Contributor

      Thijs Lecomte I would like to resurrect this topic, as we are also having this issue with enabling enrolled Android devices with native/manufacturer-developed email clients.

      From the Conditional Access (CA) logs, the Android devices did not report back to AAD/CA their compliance status. It's simply blank. See below for screenshot.

      Seems like I can only ID the device by OS, not its state. Not sure if this is a limitation on the Android side since iOS is reporting all info to CA.