Resolved - Conditional access unexpectedly blocking macOS 10.15.4 native mail client/other apps
Published Apr 20 2020 12:28 PM

Update: A fix for this issue has been rolled out with the latest release of macOS 10.15.5.

 

We were recently alerted to a scenario in which end users who updated to macOS 10.15.4 experienced unexpected access prompts or blocks in applications such as the native Mail app. The macOS device was enrolled in Intune and a conditional access policy required a compliant device. Working with Apple, we discovered that upgrading to macOS 10.15.4 exposed an authentication bug affecting several apps, including Mail and Calendar, despite existing enrollment or compliance. Microsoft and Apple are working on a resolution and we’ll update this post when new information is available.

 

In the interim, if you use conditional access on macOS, be aware that not all apps will be available after updating to macOS 10.15.4. As an admin, you can tell whether your end users have run into this known issue by 1) validating that you have set conditional access rules requiring a compliant device, then 2) looking for conditional access failures in the Azure AD blade under sign-ins, where you'll likely see them.
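The two-step check above can be run over exported sign-in records. The following is an added example, not code from Microsoft or from this post: the field names follow the Microsoft Graph `signIn` resource, the sample records are constructed, and the operating system string ("MacOs") and the grant control label ("RequireCompliantDevice") are assumptions about how a tenant reports them.

```python
from collections import defaultdict

# Constructed sample records using field names from the Microsoft Graph
# signIn resource; users, apps and policy names are made up.
def _rec(user, app, os_name, ca_status, policy, result, controls):
    return {"userPrincipalName": user, "appDisplayName": app,
            "deviceDetail": {"operatingSystem": os_name},
            "conditionalAccessStatus": ca_status,
            "appliedConditionalAccessPolicies": [
                {"displayName": policy, "result": result,
                 "enforcedGrantControls": controls}]}

SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "Apple Internet Accounts", "MacOs", "failure",
         "Require compliant device", "failure", ["RequireCompliantDevice"]),
    _rec("alice@contoso.example", "Office 365 Exchange Online", "MacOs", "failure",
         "Require compliant device", "failure", ["RequireCompliantDevice"]),
    _rec("bob@contoso.example", "Office 365 Exchange Online", "Windows 10", "failure",
         "Require compliant device", "failure", ["RequireCompliantDevice"]),
    _rec("carol@contoso.example", "Apple Internet Accounts", "MacOs", "success",
         "Require compliant device", "success", ["RequireCompliantDevice"]),
    _rec("dave@contoso.example", "Apple Internet Accounts", "MacOs", "failure",
         "Require MFA", "failure", ["Mfa"]),
]

def blocking_policies(record):
    """Names of applied policies that failed on a compliant-device grant control."""
    names = []
    for p in record.get("appliedConditionalAccessPolicies") or []:
        controls = " ".join(p.get("enforcedGrantControls") or []).lower()
        # Assumption: the control label contains the word "compliant".
        if p.get("result") == "failure" and "compliant" in controls:
            names.append(p.get("displayName", "<unnamed policy>"))
    return names

def affected_users(records):
    """Map user -> sorted apps for macOS sign-ins blocked by a compliance policy."""
    hits = defaultdict(set)
    for r in records:
        os_name = ((r.get("deviceDetail") or {}).get("operatingSystem") or "").lower()
        if r.get("conditionalAccessStatus") != "failure" or "mac" not in os_name:
            continue
        if blocking_policies(r):
            app = r.get("appDisplayName") or "<unknown app>"
            hits[r.get("userPrincipalName", "<unknown>")].add(app)
    return {user: sorted(apps) for user, apps in hits.items()}

if __name__ == "__main__":
    for user, apps in affected_users(SAMPLE_SIGNINS).items():
        print(f"{user}: {', '.join(apps)}")
```

Users who fail only on another control (such as MFA) or on a non-macOS device are excluded, so the result lists just the sign-ins that match the pattern described in this post.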

 

Again, we'll keep this post updated as we receive additional information.

 

Blog post updates:

  • 5/6/20: A fix for this issue will be included in the macOS 10.15.5 Beta.
  • 5/7/20: Clarifying that a fix is included in the macOS 10.15.5 Beta 4 release. If you continue to experience an issue after updating to this version, please let us know!
  • 5/27/20: We received reports that this has been resolved with the latest release of macOS 10.15.5.
25 Comments
Copper Contributor

Is this affecting all 10.15.4 builds or just the recent supplemental update?

Copper Contributor

@glennmnz It's affecting all 10.15.4 builds. 

Copper Contributor

thanks for the update 

Copper Contributor

Is there any update on this or do we need to turn off conditional access? Meantime, our users can't work as we speak.

Microsoft

Hi @Ola B Larsson ,
 
We are currently working on this issue. Please open a case so that we may assist you.

Copper Contributor

*following*

Copper Contributor

Is there an estimated date for a fix?

Copper Contributor

Thanks for the update.

Copper Contributor

@nathannakao There is a subscribe function on the posting's drop-down menu for that.

Copper Contributor

My problems since an update, as well.

Is this primarily a problem on the Mac side or the Microsoft side? Do I need my Microsoft Teams administrator to do anything?

Hi @Ola B Larsson, @ihindi, @bruceb161, in working closely with Apple, a fix for this issue will be included in an upcoming version of the macOS 10.15.5 Beta 4. If you continue to experience authentication issues after updating, please let us know! We'll also continue to keep this blog updated as we learn more.

Microsoft

I saw one issue on 10.15.4: the CA policy is not getting applied, and it shows the sign-in as "success" and CA as "Not applied".
Is this related or am I getting things mixed up?

 

Hi @Azhar1519, this sounds like it may be unrelated to this issue, and we have followed up with you directly for additional follow-up. Thanks for the feedback!

Copper Contributor

Could it be that this is also for iOS? 

 

I have configured a conditional Access policy which says that - when I try to add my mailbox to iOS native mail app, it forces me to use an approved app (= Outlook for iOS). I then get forced to "enrol in intune", but when I press on "Enroll", I get the screen "This page is not supported on your device". On top I can see that it's "portal.manage.microsoft.com". 

But then when I surf to the same page in Safari, it DOES work.

 

When I check my sign-in logs in the Azure Active Directory, I can see the following:

5/11/2020, 7:17:58 PM | Michiel S | Apple Internet Accounts | Failure | Failure

Hi @michielunlimit, there may be other Conditional Access policies applied to the impacted user causing the issue. The What If tool can help validate which policies are applied and assist with remediation. Also, if you haven't already, have a look over our doc on best practices for Conditional Access on configuring the policy suited for your organization.

 

Once configured, if you are still experiencing issues with sign-in, let's get you over to our support folks for further investigation. Please open a support request from within the Intune admin console, or any of the methods here. Once created, feel free to direct message us with your support case number so we can have an eye on the case. Thanks!

Copper Contributor

@Intune_Support_Team - issue is still persisting with a user following upgrade to 10.15.5 Beta (19F83c), which according to the link https://developer.apple.com/news/releases/ should be release 4. Any suggestions?

Hi @CV-NTT, thanks for the feedback and sorry that this is still occurring within your environment. If, after upgrading to the latest macOS Beta 4, you are still experiencing Conditional Access failures in the Azure Active Directory blade under sign-ins, let's get you over to our support folks over in Azure for further investigation. You can raise a new support request via the Help + support blade in the Azure portal, or any of the methods here.

Copper Contributor

I can confirm that the issue was solved with the release of macOS 10.15.5. 

Exchange integration with Intune works as expected. 

Copper Contributor

The last update of MACOS fixed it.

Thank you .

Copper Contributor

resolved for me.  thank you.

Copper Contributor

confirmed resolved for myself (and a Team Member) as well.

Copper Contributor

Hi Support,

 

After upgrading my client's MacBook from 10.15.4 to 10.15.5, the "Require Exchange password" pop-up in MacOS Mail seems to be gone.

 

However, there is another issue: when the client moves the Exchange email from her Exchange Inbox in MacOS Mail to the folder in Mail under "On My Mac", the email contents are not displayed, even when double-clicking to open. We have discussed this with Apple Support; what the senior support mentioned is that there is a new security setting on the Office 365 side, which is causing content to be blocked from showing on the Mac. And the same reason affects the other old emails in the local folders, because there are Exchange emails in the same folder.

 

Can you please advise which setting we can change to fix it?

Hi @werneryue1004, tagging our Exchange guru @Ross Smith IV for additional insight.

Copper Contributor

Thanks @Intune_Support_Team, I hope the team can provide more details and advise how we can fix the issue ASAP. There has been a MacOS Mail issue with Office 365 Exchange since 10.15.4; sadly, the original issue is fixed in 10.15.5, but the mentioned new issue has appeared.

On the Apple side, they said MS updated something on Office 365; what they said is "a security settings in o365 that blocks it's content to be shown in the mac mail server. And the same reason that affects the other old emails on the local folders because there's exchange emails on the same folder."

 

Our client had a local Mailbox (Folder) created in MacOS Mail a very long time ago; she was using the NetSol email system with a POP connection before. A few months ago we helped to migrate to Office 365. The local Mailbox (Folder) is used to keep the emails from NetSol and also Office365. Not sure how it can define that it is an email from Exchange, but the issue started to appear after the 10.15.4 MacOS update. It would be nice if someone could let us know which security setting was updated on Office 365 during the Apple 10.15.4 and 10.15.5 update releases, so we can try to enable/disable it for testing.

 

 

Microsoft

@werneryue1004 - I've asked around and based on limited information we're not sure what the cause could be. Please open a support case with Microsoft Support so they can investigate further.

Last update: Dec 18 2020 09:21 AM