I am struggling a bit with Conditional Access policies.
I am trying to create the following scenario for access from mobile phones.
If the device is marked as compliant (Intune enrolled), then accept access to Exchange Online with modern auth and EAS.
If the device is not marked as compliant, then people can use Approved Apps.
It is working really well on iOS devices. On Android not so well. Even if an Android device is enrolled and compliat, it behaves like it's not enrolled and offers the user to continue with Company Portal.