Update: A fix for this issue has been rolled out with the latest release of macOS 10.15.5.
We were recently alerted to a scenario in which end users, after updating to macOS 10.15.4, experienced unexpected app access prompts or were blocked from applications such as native mail. The macOS device was enrolled in Intune and there was a conditional access policy requiring a compliant device. Working with Apple, we discovered that upgrading to macOS 10.15.4 exposed a bug in authentication for several apps, including mail and calendar (despite existing enrollment or compliance). Microsoft and Apple are working on a resolution and we'll update this post when new information is available.
In the interim, if you use conditional access on macOS, be aware that not all apps will be available after updating to macOS 10.15.4. As an admin, you can check whether your end users have run into this known issue: 1) confirm that you have set conditional access rules requiring a compliant device, then 2) look in the Azure AD blade under sign-ins, where you'll likely see conditional access failures.
Again, we'll keep this post updated as we receive additional information.
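To triage the sign-in check described above at scale, the following added example (not part of the original post and not Microsoft's tooling) summarizes conditional access failures on macOS devices from an exported sign-in log. It assumes the export is JSON whose field names follow the Microsoft Graph signIn resource; the sample records, users and app names are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of exported sign-in records (not real tenant data).
# Assumption: field names follow the Microsoft Graph signIn resource.
SAMPLE = json.loads("""[
 {"createdDateTime": "2020-03-20T09:00:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Mail", "conditionalAccessStatus": "success",
  "deviceDetail": {"operatingSystem": "MacOs"}},
 {"createdDateTime": "2020-04-02T09:00:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Mail", "conditionalAccessStatus": "failure",
  "deviceDetail": {"operatingSystem": "MacOs"}},
 {"createdDateTime": "2020-04-02T09:05:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Calendar", "conditionalAccessStatus": "failure",
  "deviceDetail": {"operatingSystem": "MacOs"}},
 {"createdDateTime": "2020-04-02T10:00:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Mail", "conditionalAccessStatus": "failure",
  "deviceDetail": {"operatingSystem": "Windows 10"}},
 {"createdDateTime": "2020-04-03T08:00:00Z", "userPrincipalName": "dave@example.com",
  "appDisplayName": "Mail", "conditionalAccessStatus": "failure",
  "deviceDetail": {"operatingSystem": "MacOs"}}
]""")

def is_macos(rec):
    # deviceDetail or operatingSystem may be missing or null in an export.
    os_name = (rec.get("deviceDetail") or {}).get("operatingSystem") or ""
    return "mac" in os_name.lower()

def ca_failures_on_macos(records):
    """Return {user: {app: count}} for macOS sign-ins that failed conditional access."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if is_macos(rec) and rec.get("conditionalAccessStatus") == "failure":
            hits[rec["userPrincipalName"]][rec["appDisplayName"]] += 1
    return {user: dict(apps) for user, apps in hits.items()}

def regressed_users(records):
    """Users whose macOS sign-ins passed conditional access, then later failed."""
    passed, regressed = set(), set()
    # Timestamps in one ISO 8601 UTC format sort correctly as plain strings.
    for rec in sorted(filter(is_macos, records), key=lambda r: r["createdDateTime"]):
        user, status = rec["userPrincipalName"], rec.get("conditionalAccessStatus")
        if status == "success":
            passed.add(user)
        elif status == "failure" and user in passed:
            regressed.add(user)
    return sorted(regressed)

if __name__ == "__main__":
    print(ca_failures_on_macos(SAMPLE))
    print(regressed_users(SAMPLE))
```

Users returned by `regressed_users` passed conditional access on a Mac before they started failing, which matches the pattern of a device that was compliant before the OS update; users with only failures need a separate compliance check.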
Blog post updates:
5/6/20: A fix for this issue will be included in the macOS 10.15.5 Beta.
5/7/20: Clarifying that a fix is included in the macOS 10.15.5 Beta 4 release. If you continue to experience an issue after updating to this version, please let us know!
5/27/20: We received reports that this has been resolved with the latest release of macOS 10.15.5.