Oct 02 2019
12:08 AM
- last edited on
Jan 14 2022
04:37 PM
by
TechCommunityAP
Oct 02 2019
12:08 AM
- last edited on
Jan 14 2022
04:37 PM
by
TechCommunityAP
I am struggling a bit with Conditional Access policies.
I am trying to create the following scenario for access from mobile phones.
If the device is marked as compliant (Intune enrolled), then accept access to Exchange Online with modern auth and EAS.
If the device is not marked as compliant, then people can use Approved Apps.
It is working really well on iOS devices. On Android not so well. Even if an Android device is enrolled and compliat, it behaves like it's not enrolled and offers the user to continue with Company Portal.
Should it not be possible?
Oct 02 2019 02:38 AM
did you try to access via EAS from work profile? If yes: Can you provide information about your CA policies?
Oct 02 2019 06:22 AM
Mar 03 2020 03:38 PM
@Thijs LecomteI would like to resurrect this topic, as we are also having this issue with enabling enrolled android devices with native/manufacturer developed email clients.
From the Conditional Access (CA) logs, the android devices did not report back to AAD/CA its compliance status. Its simply blank. See below for screenshot.
Seems like I can only ID the device by OS, not its state. Not sure if this is a limitation on the Android side since iOS is reporting all info to CA.
Mar 03 2020 11:17 PM
Mar 04 2020 06:12 AM
@Thijs Lecomte We are using android work profile, they are all personal owned devices.
I am pulling hairs out trying to figure this out.
Mar 12 2020 07:43 AM
Mar 12 2020 07:52 AM
@Thijs Lecomte They are showing up as compliant under Intune. I have about 20 Androids now that we have started the MDM enrollment last month.
I have a ticket open with Microsoft and its in the process of being escalated. At this moment I cannot do a Conditional Access Policy based on device compliance. I have a policy that will require MFA for non-managed devices connecting to cloud apps (Workday), and it simply not working for Android.
The support person was sort of arguing with me because I put the ticket in about android vendor specific email app (Samsung email on a Galaxy s9) not working in the same logic.
Thanks for all your help.
Mar 13 2020 11:06 AM
Mar 13 2020 12:47 PM
@Thijs Lecomte It doesnt seem to be working with the Outlook mobile app either. When I modify a CA rule to require complaint devices AND approved app, Outlook app will keep asking to enroll the device.
Also I dont think its a samsung issue either, because the non-reporting of compliant status is happening to all android devices, regardless of the brands, even though most of the android devices enrolled are Samsung.
so hypothetically, if its a samsung device, how to get this issue resolved?
Thank you so much
Mar 17 2020 11:27 AM