Forum Discussion

preuley30
Brass Contributor
Nov 08, 2023

Conditional access blocks, even when Smartphone is marked as compliant

Hi Everyone. I'm trying to access my Exchange mailbox over the Gmail app on my Pixel 8 Pro. Now my problem is that a conditional access policy is blocking the access. I've created a policy that grants access to the "Office 365 Exchange Online" resource if passwordless MFA is satisfied and the device is marked as compliant. At the beginning I was trying to grant access if the Gmail app is protected by an app protection policy, which didn't work because Gmail does not support app protection policies, so I turned that off.


So, my smartphone is a BYOD and I've enrolled it into Intune with the "Android (personally-owned work profile)" enrollment method. A compliance policy is assigned, and Intune shows me that the device is compliant.


Intune deploys the Gmail app to my work profile. I've read several pieces of documentation and I also deployed Google Chrome, Google Calendar and the Bing Search app just to be sure. But it still blocks access to the resource. I also made an email configuration profile to auto-set up the Gmail app with my credentials. So every time I open the Gmail app in my work profile, it tries to set up the account, I get an MFA number-matching prompt from MS Authenticator, and then it tells me to download the Company Portal app and enroll my smartphone into Intune. Strange behavior, because as I mentioned above, my phone is indeed managed and marked as compliant in Intune.


I was going through the sign-in logs, and I've seen that every logged attempt claims that the device is not compliant and not even managed.


I feel like I'm missing a big point. I would be thankful if anyone has an idea to solve this ❤️


Thanks.
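One way to check what the sign-in log actually recorded for each attempt, side by side with Intune's own compliance record for the same user: an example added here, not something posted in the thread. It assumes the Microsoft Graph PowerShell SDK (Reports and DeviceManagement modules), a placeholder UPN, and an account allowed to read audit logs and managed devices.

```powershell
# Added example, not code from the thread. Cross-checks what Intune records for a
# user's devices against the device claims Entra ID evaluated on each sign-in.
# Assumes the Microsoft.Graph PowerShell SDK (Reports and DeviceManagement modules)
# and an account allowed to read audit logs and managed devices.
Connect-MgGraph -Scopes "AuditLog.Read.All", "DeviceManagementManagedDevices.Read.All" -NoWelcome

$upn   = "user@contoso.example"   # placeholder, replace with the affected user
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# 1. Intune's view: every enrolled device for this user and its compliance state
$intuneDevices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$upn'"
$intuneDevices | Select-Object DeviceName, OperatingSystem, ComplianceState, AzureAdDeviceId |
    Format-Table -AutoSize

# 2. Entra ID's view: the device identity (if any) each token request presented,
#    and which CA policy failed with which grant controls
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

$rows = foreach ($s in $signIns) {
    $failed        = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
    $deviceId      = $s.DeviceDetail.DeviceId
    $knownToIntune = $intuneDevices.AzureAdDeviceId -contains $deviceId

    # An empty DeviceId means the client presented no device identity at all, so CA
    # had nothing to match against the enrolled device, however compliant Intune says it is.
    if (-not $deviceId)          { $diag = 'no device identity sent' }
    elseif (-not $knownToIntune) { $diag = 'device id not enrolled in Intune' }
    else                         { $diag = 'device known; compare compliance columns' }

    [pscustomobject]@{
        Time         = $s.CreatedDateTime
        App          = $s.AppDisplayName
        Resource     = $s.ResourceDisplayName
        OS           = $s.DeviceDetail.OperatingSystem
        DeviceId     = $deviceId
        IsManaged    = $s.DeviceDetail.IsManaged
        IsCompliant  = $s.DeviceDetail.IsCompliant
        CAStatus     = $s.ConditionalAccessStatus
        FailedPolicy = ($failed.DisplayName -join '; ')
        Required     = ($failed.EnforcedGrantControls -join ', ')
        Diagnosis    = $diag
    }
}
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
```

A row showing Intune ComplianceState "compliant" next to a sign-in with an empty DeviceId and IsManaged False points at the client not passing a device identity rather than at the compliance policy itself.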


    • preuley30
      Brass Contributor
      Hi Rudy. Thanks so much for your contribution! That's exactly my problem.

      After turning off requiring device compliance in the CA policy and just requiring MFA, I was able to connect my Exchange mailbox with the Gmail app.

      Unfortunately, I couldn't figure out how to force using the Gmail app in the work profile. With this configuration, I can connect my mailbox to the personal profile Gmail app as well, which isn't optimal.

      Do you have an idea on how to achieve this?

      Kind regards, Alexej.
