DrBojlerGyula
Dec 14, 2021Copper Contributor
App Protection iOS & Android - the operation couldn't be completed (MSALErrorDomain error -50000)
Hi All! I have a strange behavior. The current setup is: We are using iOS and Android devices with conditional access policies and application protection policies. The conditional access pol...
Dec 14, 2021
Just wondering, but what happens when (if that's possible) they first open Microsoft Outlook to check if that's working and if so open Teams...
Could you also show us the CA config in which you enforce app protection?
And maybe a stupid thought... but are terms of use configured?
DrBojlerGyula
Dec 15, 2021Copper Contributor
Unfortunately the migration to Exchange Online is pending. 🙂
The CA looks like this:
Assignments:
All Users
Office 365 Apps
Device Platforms: Android, iOS
Client Apps: Browser, Mobile apps and desktop clients
All device state
Access Controls:
Require MFA
Sign-in frequency: 30 days
-----------------
Terms of use is configured, but is not required for the mobile device conditional access policy.
Dec 15, 2021
I am assuming all these users already have MFA :P.
That's the only policy? And the app protection CA policy?
DrBojlerGyula
Dec 15, 2021Copper Contributor
Sure, they do have MFA. 🙂
The app protection policy is this (the new one; the older one had a PIN length of 4 digits and enabled third party keyboards):
Apps:
Target to apps on all device types: No
Device types: Unmanaged
Public apps: Microsoft Invoicing, Microsoft Kaizala, Microsoft Power Apps, Microsoft Edge, Microsoft 365 Admin, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Word, Microsoft Bookings, Microsoft Office, Microsoft OneNote, Microsoft Planner, Microsoft Power BI, Microsoft SharePoint, Microsoft StaffHub, Microsoft OneDrive, Microsoft Teams, Microsoft Lists, Microsoft Stream, Microsoft To-Do, Microsoft Visio Viewer, Microsoft Whiteboard
Custom apps: --
Data protection:
Prevent backups: Block
Send org data to other apps: Policy managed apps
Save copies of org data: Block
Allow user to save copies to selected services: OneDrive for Business, SharePoint
Transfer telecommunication data to: Any dialer app
Dialer App URL Scheme: --
Receive data from other apps: All Apps
Open data into Org documents: Allow
Allow users to open data from selected services: OneDrive for Business, SharePoint, Camera
Restrict cut, copy, and paste between other apps: Any app
Cut and copy character limit for any app: 0
Third party keyboards: Block
Encrypt org data: Require
Sync policy managed app data with native apps or add-ins: Allow
Printing org data: Allow
Restrict web content transfer with other apps: Any app
Unmanaged browser protocol: --
Org data notifications: Allow
Access requirements:
PIN for access: Require
PIN type: Numeric
Simple PIN: Allow
Select minimum PIN length: 6
Touch ID instead of PIN for access (iOS 8+/iPadOS): Allow
Override biometrics with PIN after timeout: Not required
Timeout (minutes of inactivity): 0
Face ID instead of PIN for access (iOS 11+/iPadOS): Allow
PIN reset after number of days: No
Number of days: 0
App PIN when device PIN is set: Require
Work or school account credentials for access: Not required
Recheck the access requirements after (minutes of inactivity): 10
Conditional launch:
Max PIN attempts: 5 (action: Reset PIN)
Offline grace period: 720 (action: Block access (minutes))
Offline grace period: 90 (action: Wipe data (days))
Jailbroken/rooted devices: (action: Block access)
Min OS version: 14.0 (action: Block access)
Min OS version: 13.0 (action: Wipe data)
Dec 16, 2021
When trying to connect, could you share the sign-in event from the sign-in log? So we can rule out any existing CAs blocking the login.
What happens when you exclude 1 user (to test with) from this app protection policy? (delete the app first to be sure no app protection policy is already applied to it)
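
The sign-in log check requested in the last reply, as an added example (not code from any poster in this thread): it reads sign-in records and reports, for each failed sign-in of the test user, which Conditional Access policies returned `failure`. It assumes the records follow the Microsoft Graph `signIn` shape; the user, policy names, control strings and error code in the sample are constructed.

```python
import json

# Constructed records in the shape of Microsoft Graph signIn objects.
# Users, policy names, control strings and error codes are illustrative.
SAMPLE = json.loads("""[
 {"createdDateTime": "2021-12-16T08:01:12Z",
  "userPrincipalName": "test.user@example.com",
  "appDisplayName": "Microsoft Teams",
  "deviceDetail": {"operatingSystem": "iOS"},
  "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Mobile: require MFA", "result": "success",
    "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Mobile: require app protection", "result": "failure",
    "enforcedGrantControls": ["RequireCompliantApp"]},
   {"displayName": "Terms of use", "result": "notApplied",
    "enforcedGrantControls": []}]},
 {"createdDateTime": "2021-12-16T08:05:40Z",
  "userPrincipalName": "test.user@example.com",
  "appDisplayName": "Microsoft Outlook",
  "deviceDetail": {"operatingSystem": "Android"},
  "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Mobile: require MFA", "result": "success",
    "enforcedGrantControls": ["Mfa"]}]}
]""")

def blocking_policies(signins, upn=None):
    """List failed sign-ins with the CA policies whose result was 'failure'."""
    findings = []
    for rec in signins:
        if upn and rec.get("userPrincipalName", "").lower() != upn.lower():
            continue
        status = rec.get("status") or {}
        if status.get("errorCode", 0) == 0:
            continue  # errorCode 0 is a successful sign-in
        failed = [(p.get("displayName"), p.get("enforcedGrantControls") or [])
                  for p in rec.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure"]
        findings.append({
            "time": rec.get("createdDateTime"),
            "app": rec.get("appDisplayName"),
            "os": (rec.get("deviceDetail") or {}).get("operatingSystem"),
            "error": status.get("errorCode"),
            "failed_policies": failed,  # empty list: no CA policy blocked it
        })
    return findings

if __name__ == "__main__":
    for f in blocking_policies(SAMPLE, "test.user@example.com"):
        print(f)
```

A failed sign-in with an empty `failed_policies` list points away from Conditional Access and toward the client or the app protection policy itself.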