thanks for your time going through my problem  @jenstf  & @Alexander Vanyurikhin 

I have created two policies 

1 Policy for Legacy and Native iOS App

1 Policy for Modern Authentication 

Both Require device to be marked as compliant  & Requires approved client app  

But I am still able to get mail to flow in once configuring manually. 

(unless while I am changing policies it may take some time before it takes affect)  

These are my policies 

Only applying to Exchange Online App 

Only applying to iOS and Android devices. 

[First is for native iOS / Legacy Auth]

1

[Second below is for Modern Auth - If setting up via outlook app this works fine and enrolls the device problem I think is the first policy above]

2

2

With the above set - I was able to manually configure mail on iOS device by adding the server: outlook.office365.com 

I have turned policies on and off for the first one so maybe it will rake some time to apply(?)

I checked Sign-Ins on Azure AD monitoring but not showing anything with signing if I configure manually  - 

@jenstf- Many thanks - this has helped clarify some things in my head

1 last question on this if that's ok:

It's also recommended to make one policy for active sync and one for other clients.

Would you essential be creating 3 for this? i.e.

Or would you always combine, say, Exchange ActiveSync + Apply policy only to supported platforms in one policy?

Adam

@Adam Weldon-Ming In my policies I don't use "Apply policy only to supported platforms". The documentation isn't clear on what that choice actually is good for. i.e. Linux isn't a supported platform and will then bypass this policy.

I have one policy with "Exchange active sync clients" and one for "other clients".

Thanks a lot @jenstf 

I've separated them out into 2 policies and this has forced my test iPhone's to get the message to enroll the phones.  Rather than blocking the e-mail entirely and I cannot configure manually any more. 

My main problem here was patience :) 

@Adam Weldon-Ming could you summarize and provide us with the final conditional access policies?

I have the same problem. I push an E-Mail profile (via the Device Configuration Profile) to the devices. However, I want the native Mail app to be blocked. 

Best regards,

Labinot

@Labinot Jashanica 

Hey, sorry for the long wait - best thing I think to do here now is to use the :

"Baseline policy: Block Legacy authentication (Preview)"

Enable this Policy - However, there are no exceptions for this so therefore it would apply to all users, global admins etc.

If you need to have it more granular you can do a couple thinfs


1 - Build a custom Conditional Access Policy that BLOCKS legacy authentication.

• Create a no CA policy - Include All apps (or ones you want)
• Under: Conditions > Client Apps > Select YES
• Select: Mobile Apps and Desktop Clients > Other (Choose Exchange ActiveSync if you want to block native mail apps.
• Then on Access Control > Grant: Select Block Access
• Save and Enable.

2 - Create a authentication policy: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

CA Is more recommended though.

@Adam Weldon-Ming 

How to enable this Baseline policy: Block Legacy authentication (Preview) ?

As

@Thijs Lecomte  Thanks, I'm also looking for the solution for  following

Scenario: Client has existing iPhone's already in use - 90% use native iOS App - We want to force these devices into MDM Enrollment (via Intune) and forced to use MS Outlook 

@Thijs Lecomte 

Block it from where exactly? 

@Thijs Lecomte 

Yup was able to do it via Conditional Access already. Had issues mainly with my patience haha. Took it more than a day till my expected outcome were observed.

Thank you!