Forum Discussion
Conditional Access - Allow Non Enrolled Devices to use Outlook Mobile App Only
I'm looking for some assistance with a couple Conditional Access policies we built to do the following:
If a user of our organization sets up email on their mobile device's native mail app using EAS (Exchange ActiveSync) or modern auth, they will receive an email stating that they must either enroll their device in the company Intune portal or download and use the Outlook app. I created two Conditional Access policies for this and all works as planned until a non-enrolled user tries to log in to the Outlook mobile app. It prompts them that they need to install the Microsoft Authenticator app, which they do, then it errors out when trying to sign in to Outlook. Below is the screenshot error. I confirmed it's not specifically an authenticator app error by enrolling my device and the app worked fine.
Below is my modern auth policy, which is the one that basically says your device does not need to be enrolled but you must use an approved app. My immediate thought is that this does not work because Microsoft Authenticator is actually not on the list of 'approved apps'. Thoughts? Can anyone think of another way to set this up, or why installing the Outlook mobile app on our non-enrolled mobile apps requires the authenticator app in the first place?
- Alexander Vanyurikhin (Iron Contributor)
Hey, I have almost the same setup and that was working fine until yesterday. Now my new user is receiving the same error message in Outlook on authorization steps.
Interesting, I stumbled across this in my test lab. I solved it there in the following way (reconstructed from memory). Instead of clicking on the existing account (displayed via email address) in Mobile Outlook, I chose "other account" (Office 365) and typed in the same email address (same account); basically, I re-created the same login. Then it suddenly went through. So maybe something is bad with the existing account handling. I got this problem after a password reset. Can you verify if this helps in your environment too?
Best,
Oliver
- Alistair Trigg (Brass Contributor)
Hi,
This is something I am trying to set up. Could you provide the details on the two compliance conditions I need to create to stop users accessing the native app? I have configured the approved apps but need to stop the native mail apps from working.
Thanks
Alistair