Forum Discussion
Trying to set up CA rules for mobile devices.
Hi!
I'm stuck with a CA policy setup and could really use some help.
What I'm trying to do:
- Enrolled/Compliant devices (Android/iOS): Full access to everything (all cloud apps, browser, native apps - no restrictions)
- Unenrolled BYOD devices (Android/iOS): Can ONLY access Teams and Outlook through APP-protected mobile apps (no web access, no other Microsoft services, the app protection policies are already setup)
My Current CA Policy Setup:
Policy 1: Enrolled Devices - Full Access
- Target resources: All cloud apps
- Users: My test user
- Conditions:
  - Device platforms: Android, iOS
  - Client apps: Browser + Mobile apps and desktop clients (both checked)
- Grant: Require device to be marked as compliant
Policy 2: BYOD - Block Everything Except Teams/Outlook
- Target resources: All cloud apps
  - Exclude: Office 365 Exchange Online, Microsoft Teams Services, Microsoft Outlook
- Users: My test user
- Conditions:
  - Device platforms: Android, iOS
  - Filter for devices: device.isCompliant -ne True
- Grant: Block access
Policy 3: BYOD - Allow APP-Protected Teams/Outlook Only
- Target resources:
  - Office 365 Exchange Online
  - Microsoft Teams Services
  - Microsoft Outlook
- Users: My test user
- Conditions:
  - Device platforms: Android, iOS
  - Client apps: Only "Mobile apps and desktop clients" checked (Browser unchecked)
  - Filter for devices: device.isCompliant -ne True
- Grant: Require app protection policy
The Problem:
When I log in from an unenrolled device into the Outlook or Teams mobile app, I get redirected to a web page and see:
"You cannot access this right now"
"App Name: Microsoft Intune web company portal"
What I've Tried:
- Adding exclusions for "Microsoft Intune Web Company Portal" (can't find it in the cloud apps list)
- Searching for "Microsoft Mobile Application Management" (doesn't appear)
- Searching for "Intune Company Portal" (doesn't show up either)
- I added Microsoft Intune (which I finally found
What I think happens:
The issue is that APP enrollment requires accessing the Intune Web Company Portal during authentication, but Policy 2 is blocking it. I need to exclude this service from the blocking policy, but I can't find the right app to exclude.
Questions:
- What's the correct cloud app name/ID I need to exclude to allow APP enrollment to work?
- Is there a better way to structure these policies to avoid this issue?
Any help would be greatly appreciated!
Reply from AladinHBrass (Contributor):
Hi Paul_Nadasan,
To make App Protection (MAM) work on unenrolled BYOD devices, you must exclude the following cloud apps from your Block policy: Microsoft Intune, Microsoft Intune Enrollment, and Microsoft App Access Panel. These services are required for Outlook and Teams to complete the MAM sign-in flow. If they are blocked, the apps redirect to the Intune Web Company Portal and fail with “You cannot access this right now”.
Microsoft confirms that the “Require device to be marked as compliant” control does not block Intune enrollment when used on its own, but a Block policy will block these services unless you explicitly exclude them. That’s why the exclusions are necessary in your setup.
More sources:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance
https://www.ctrlshiftenter.cloud/2025/10/12/should-you-exclude-microsoft-intune-enrollment-from-your-compliance-cap-or-not/
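One way to check a tenant for the gap the reply describes, as an added example that is not part of the reply: it lists every Conditional Access policy that blocks access to all cloud apps without excluding the three first-party services the MAM sign-in flow needs. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can consent to Policy.Read.All, and uses the documented first-party app IDs shown in the script (verify them against Enterprise applications in your own tenant).

```powershell
# Added example: audit block policies that target All cloud apps and do not
# exclude the services Outlook/Teams need to complete MAM (app protection) sign-in.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# First-party app IDs as documented by Microsoft; confirm them in your tenant
# under Entra > Enterprise applications before relying on them.
$mamDependencies = @{
    '0000000a-0000-0000-c000-000000000000' = 'Microsoft Intune'
    'd4ebce55-015a-49b5-a083-c84d1797ae8c' = 'Microsoft Intune Enrollment'
    '0000000c-0000-0000-c000-000000000000' = 'Microsoft App Access Panel'
}

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $grant = $policy.GrantControls.BuiltInControls
    $apps  = $policy.Conditions.Applications

    # Only a "Block access" grant that targets All cloud apps can break the
    # MAM flow; any other policy is skipped.
    if ($grant -notcontains 'block' -or $apps.IncludeApplications -notcontains 'All') { continue }

    # Which of the required services are not in the policy's exclusion list?
    $missing = $mamDependencies.Keys | Where-Object { $apps.ExcludeApplications -notcontains $_ }
    if ($missing) {
        [pscustomobject]@{
            Policy            = $policy.DisplayName
            State             = $policy.State   # enabled / disabled / enabledForReportingButNotEnforced
            Platforms         = ($policy.Conditions.Platforms.IncludePlatforms -join ',')
            DeviceFilter      = $policy.Conditions.Devices.DeviceFilter.Rule
            MissingExclusions = ($missing | ForEach-Object { $mamDependencies[$_] }) -join ', '
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No block-all policies are missing the MAM exclusions.' }
```

A policy like "Policy 2" above, with a device filter of device.isCompliant -ne True, will show up here with all three names under MissingExclusions until they are added to its exclusion list.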