Forum Discussion
Trying to set up CA rules for mobile devices.
Hi Paul_Nadasan,
To make App Protection (MAM) work on unenrolled BYOD devices, you must exclude the following cloud apps from your Block policy: Microsoft Intune, Microsoft Intune Enrollment, and Microsoft App Access Panel. These services are required for Outlook and Teams to complete the MAM sign-in flow. If they are blocked, the apps redirect to the Intune Web Company Portal and fail with “You cannot access this right now”.
Microsoft confirms that the “Require device to be marked as compliant” control does not block Intune enrollment when used on its own, but a Block policy will block these services unless you explicitly exclude them. That’s why the exclusions are necessary in your setup.
More sources:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance
https://www.ctrlshiftenter.cloud/2025/10/12/should-you-exclude-microsoft-intune-enrollment-from-your-compliance-cap-or-not/
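A way to check a policy for the exclusion gap described in the reply above, as an added example that is not part of the original thread or any Microsoft tooling: it reads a Conditional Access policy in the Microsoft Graph conditionalAccessPolicy JSON shape and reports which of the three services a Block policy would still catch. The sample policy is constructed, and the app IDs are Microsoft's well-known first-party application IDs, which you should confirm in your own tenant.

```python
# Added example, not from the thread: checks a Conditional Access policy in the
# Microsoft Graph conditionalAccessPolicy JSON shape for the Block-policy mistake
# discussed above. App IDs are Microsoft's well-known first-party IDs; verify in tenant.
REQUIRED_MAM_EXCLUSIONS = {
    "0000000a-0000-0000-c000-000000000000": "Microsoft Intune",
    "d4ebce55-015a-49b5-a083-c84d1797ae8c": "Microsoft Intune Enrollment",
    "0000000c-0000-0000-c000-000000000000": "Microsoft App Access Panel",
}

def is_block_policy(policy: dict) -> bool:
    """True for an enabled policy whose grant control is Block."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return policy.get("state") == "enabled" and "block" in controls

def missing_mam_exclusions(policy: dict) -> list[str]:
    """Names of required services this Block policy still catches ("All" minus
    the exclusions, or any service the policy includes directly)."""
    if not is_block_policy(policy):
        return []
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    if "All" in included:
        caught = set(REQUIRED_MAM_EXCLUSIONS) - excluded
    else:
        caught = set(REQUIRED_MAM_EXCLUSIONS) & included
    return sorted(REQUIRED_MAM_EXCLUSIONS[app_id] for app_id in caught)

def with_mam_exclusions(policy: dict) -> dict:
    """Copy of the policy with the three services added to excludeApplications."""
    fixed = {**policy, "conditions": {**policy.get("conditions", {})}}
    apps = dict(fixed["conditions"].get("applications") or {})
    merged = set(apps.get("excludeApplications") or []) | set(REQUIRED_MAM_EXCLUSIONS)
    apps["excludeApplications"] = sorted(merged)
    fixed["conditions"]["applications"] = apps
    return fixed

# Constructed sample: a Block policy for unmanaged mobile devices, as in the thread.
WEAK_POLICY = {
    "displayName": "Block unmanaged mobile devices",
    "state": "enabled",
    "conditions": {"applications": {"includeApplications": ["All"],
                                    "excludeApplications": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    print("weak policy still blocks:", missing_mam_exclusions(WEAK_POLICY))
    print("fixed policy still blocks:", missing_mam_exclusions(with_mam_exclusions(WEAK_POLICY)))
```

Run it against a policy exported from Graph (`GET /identity/conditionalAccess/policies`) to see which of the three services a given Block policy would still catch.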