I'm looking for some assistance with a couple Conditional Access policies we built to do the following:

If a user of our organization sets up email on their mobile devices native mail app using EAS (exchange active sync) or modern auth they will receive an email stating that they must either enroll their device in the company Intune portal or download and use the Outlook app.  I created two Conditional Access policies for this and all works as planned until a non-enrolled user tries to log in to the Outlook mobile app.  It prompts them that they need to install the Microsoft Authenticator app, which they do then it errors out when trying to sign in to Outlook.  Below is the screenshot error.  I confirmed it's not specifically an authenticator app error by enrolling my device and the app worked fine.   

Below is my modern auth policy which is the one that basically says your device does not need to be enrolled but you must use an approved app.  My immediate thought is that this does not work because Microsoft Authenticator is actually not on the list of 'approved apps'.  Thoughts?  Can anyone think of another way to set this up or why when installing the Outlook mobile app on our non enrolled mobile apps it requires the authenticator app in the first place?

Error Message after attempting to sign into Outlook app with authenticator app