Conditional Access - Allow Non Enrolled Devices to use Outlook Mobile App Only

Brass Contributor

I'm looking for some assistance with a couple Conditional Access policies we built to do the following:

If a user of our organization sets up email on their mobile devices native mail app using EAS (exchange active sync) or modern auth they will receive an email stating that they must either enroll their device in the company Intune portal or download and use the Outlook app.  I created two Conditional Access policies for this and all works as planned until a non-enrolled user tries to log in to the Outlook mobile app.  It prompts them that they need to install the Microsoft Authenticator app, which they do then it errors out when trying to sign in to Outlook.  Below is the screenshot error.  I confirmed it's not specifically an authenticator app error by enrolling my device and the app worked fine.   


Below is my modern auth policy which is the one that basically says your device does not need to be enrolled but you must use an approved app.  My immediate thought is that this does not work because Microsoft Authenticator is actually not on the list of 'approved apps'.  Thoughts?  Can anyone think of another way to set this up or why when installing the Outlook mobile app on our non enrolled mobile apps it requires the authenticator app in the first place?




Error Message after attempting to sign into Outlook app with authenticator appError Message after attempting to sign into Outlook app with authenticator app

6 Replies

Hey, i have almost the same setup and that was working fine untill yesterday. Now my new user is receiving the same error message in Outlook on authorization steps.

Interesting I stumbled across this in my test lab. I solved it there in the following way (reconstruction from my memories). Instead of clicking on the existing account (displayed via email address) in Mobile Outlook I choose "other account" (Office 365) and typed in the same email address (same account), basically I re-created the same login. Suddenly then it was going through. So maybe something bad with the existing account handling. I got this problem after a password reset. Can you verify if this helps in your environment too?






This is something I am trying to set up. Could you provide the details on the two compliance conditions I need to create to stop users accessing the native app. I have configured the approved apps but need to stop the native mail apps from working.





In CA policy you just need to require both device to be compliant and to use approved client




Thanks for the reply. I haven't selected the device option.


Do I also have to ensure that the MS authenticator app is installed and configured on each device even though we aren't at this stage rolling out 2FA. 



Not sure how it will be working without MFA. In our case outlook client is asking to have Authenticator app configured.