asmilie2b
Feb 15, 2022
Solved

Unable to log into Dynamics 365 for Phones due to App Protection Policy Error

We are unable to log into the Dynamics 365 for Phones app. After entering the password we are required to approve in Authenticator, then the error appears.

We did have it set as a protected app in our one App Protection Policy, but we thought perhaps this app is not supported for that, so we removed it, but the result is the same. What we noticed is that in the App Protection policy the highlighted entry exists; possibly this is Dynamics 365 for Phones.

Yet when we edit the policy, it is not there! Perhaps this is stuck somehow....
I need to confirm
1) Is this app supported for App Protection Policy with InTune? If so would anyone have any ideas why the error?
2) If not supported, any ideas how we can resolve the error?

I logged a ticket through the device management portal with MS but a week now with no response. Unlike Microsoft...

  • I see the issue now.

    It’s not recommended to include all apps in the conditional access; this means any app (even other than o365 apps) will have the same issue as Dynamics because the app is not in the approved list.

    I used to think the issue is from the app protection policy but now I can confirm it’s from CA. You need to include Office Apps, not all the cloud apps.

    Check my screenshot.
    Moe
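An added example, not part of the thread or of Microsoft's tooling: a check that flags the scoping described in the answer above, where an enabled Conditional Access policy targets all cloud apps and also requires an approved client app or an app protection policy. It assumes the policies have been exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the function names and sample policy names are constructed for illustration.

```python
# Added example: flag Conditional Access policies that demand an approved app
# or app protection policy while targeting all cloud apps.
# Assumption: policies use the Microsoft Graph conditionalAccessPolicy shape.
APP_GRANTS = {"approvedApplication", "compliantApplication"}


def audit(policies):
    """Return (displayName, app grants, strict) for each enabled policy that
    is scoped to all cloud apps and carries an app-based grant control.
    strict is True when sign-in cannot be satisfied any other way."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies do not block sign-in
        apps = (p.get("conditions") or {}).get("applications") or {}
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls") or [])
        hits = sorted(controls & APP_GRANTS)
        if "All" not in (apps.get("includeApplications") or []) or not hits:
            continue
        # With OR, a non-app control (e.g. compliantDevice) is an alternative.
        strict = grant.get("operator") == "AND" or controls <= APP_GRANTS
        findings.append((p.get("displayName", "<unnamed>"), hits, strict))
    return findings


def _policy(name, state, include, operator, controls):
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": include}},
            "grantControls": {"operator": operator, "builtInControls": controls}}


# Constructed sample policies (names are invented for this example).
SAMPLE = [
    _policy("Mobile app protection - all apps", "enabled", ["All"], "OR",
            ["approvedApplication", "compliantApplication"]),
    _policy("Mobile app protection - Office 365", "enabled", ["Office365"], "OR",
            ["approvedApplication", "compliantApplication"]),
    _policy("All apps - MFA", "enabled", ["All"], "AND", ["mfa"]),
    _policy("All apps - compliant device or approved app", "enabled", ["All"],
            "OR", ["compliantDevice", "approvedApplication"]),
    _policy("Pilot - all apps", "enabledForReportingButNotEnforced", ["All"],
            "AND", ["compliantApplication"]),
]

if __name__ == "__main__":
    for name, hits, strict in audit(SAMPLE):
        print(f"{name}: {', '.join(hits)} ({'required' if strict else 'one option'})")
```

The check looks only at `includeApplications`; a policy that targets all apps but lists exceptions under `excludeApplications` is still reported and needs a manual look.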

17 Replies

  • Moe_Kinani
    Bronze Contributor

    To me, this error is coming from Conditional Access. Do you have approved apps and a CA policy? If yes, is the device registered to Azure AD using a broker app?
    Dynamics 365 is one of the approved apps so it should work in your policy.

    Moe

    From MSFT docs:

    Require app protection policy

    In your Conditional Access policy, you can require an Intune app protection policy be present on the client app before access is available to the selected cloud apps.
    In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.

    https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant

    • asmilie2b
      Copper Contributor

      Many thanks for the reply.

      I had taken the app out of App Protection policy just to try and get it working (and confirm if the issue was indeed InTune related). So now I have placed it back in there, and the same issue continues. I confirm that we are testing on devices which have both the MS Authenticator App, and also the InTune Company Portal app installed. And they both show the devices are enrolled successfully.

      • Moe_Kinani
        Bronze Contributor
        Do you have other apps in the policy? Do you have the access error only in the Dynamics app or in other apps as well?
