Conditional Access Policy compliant devices on Android devices

%3CLINGO-SUB%20id%3D%22lingo-sub-1411512%22%20slang%3D%22en-US%22%3EConditional%20Access%20Policy%20compliant%20devices%20on%20Android%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1411512%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20everybody%2C%3C%2FP%3E%3CP%3E%3CBR%20%2F%3Ehas%20anyone%20ever%20set%20up%20a%20Conditional%20Access%20Policy%20that%20ensures%2C%20that%20only%20managed%20devices%20(marked%20as%20compliant)%20can%20access%20Exchange%20Online%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20that%20and%20basically%20it%20also%20works%20for%20Windows%2C%20iOS%20and%20Android%20devices.%3CBR%20%2F%3EUnfortunately%20there%20is%20a%20problem%20with%20managed%20e-mail%20profiles%20on%20Android%20devices.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20configuration%20profiles%20that%20create%20an%20exchange%20online%20account%20with%20Oauth%20login%20on%20the%20devices.%20To%20check%20the%20emails%2C%20the%20Gmail%20app%20is%20rolled%20out%20on%20the%20devices%20and%20the%20Gmail%20app%20accesses%20the%20managed%20Exchange%20Online%20profile.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20works%20well%2C%20but%20as%20soon%20as%20I%20activate%20the%20Conditional%20Access%20Policy%20and%20an%20Android%20user%20has%20to%20authenticate%20again%2C%20e.g.%20because%20of%20a%20password%20change%20or%20on%20a%20new%20device%2C%20the%20login%20mask%20reports%20that%20the%20device%20is%20not%20registered%20and%20that%20the%20Microsoft%20company%20portal%20app%20should%20be%20downloaded%20first.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20message%20is%20wrong%2C%20the%20device%20is%20registered%20and%20everything%20else%20works.%20It%20occurs%20on%20different%20devices.%20As%20a%20temporary%20solution%2C%20I%20deactivated%20the%20policy%20for%20Android%20devices.%3CBR%20%2F%3EHas%20anyone%20ever%20had%20this%20problem%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%3CBR%20%2F%3EMarco%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ca1.PNG%22%20style%3D%22width%3A%20323px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F193865i842EB9B71DBC6D46%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22ca1.PNG%22%20alt%3D%22ca1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ca2.PNG%22%20style%3D%22width%3A%20347px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F193866iCC6B415D85930295%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22ca2.PNG%22%20alt%3D%22ca2.PNG%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot_2020-05-15-13-56-29-027_com.android.chrome%20-%20Kopie.jpg%22%20style%3D%22width%3A%20461px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F193867iEF70D48A54C406AD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot_2020-05-15-13-56-29-027_com.android.chrome%20-%20Kopie.jpg%22%20alt%3D%22Screenshot_2020-05-15-13-56-29-027_com.android.chrome%20-%20Kopie.jpg%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot_2020-05-15-13-56-32-041_com.android.chrome%20-%20Kopie.jpg%22%20style%3D%22width%3A%20461px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F193868iF063BA388C5E4BF7%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot_2020-05-15-13-56-32-041_com.android.chrome%20-%20Kopie.jpg%22%20alt%3D%22Screenshot_2020-05-15-13-56-32-041_com.android.chrome%20-%20Kopie.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1411512%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1413091%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20Policy%20compliant%20devices%20on%20Android%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1413091%22%20slang%3D%22en-US%22%3EI%20think%20the%20issue%20is%20Legacy%20vs%20Modern%20auth%2C%20Gmail%20may%20use%20Legacy%20auth%20to%20login%2C%20you%20can%20confirm%20by%20going%20to%20sign%20in%20logs%20from%20Azure%20AD-%26gt%3BAdd%20Filter-%26gt%3BClient%20App-%26gt%3BCheck%20all%20the%20boxes.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20know%20you%20have%20CA%20enabled%20to%20allow%20ActiveSync%20but%20you%20also%20have%20Android%20Profile%20to%20use%20Modern%20Auth.%20I%20suspect%20the%20the%20test%20will%20work%20as%20expected%20if%20you%20use%20Outlook%20app%20not%20Gmail.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1415621%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20Policy%20compliant%20devices%20on%20Android%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1415621%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F676891%22%20target%3D%22_blank%22%3E%40marcosiefert%3C%2FA%3E%26nbsp%3BYou%20might%20get%20some%20info%20when%20you%20have%20a%20look%20in%20Azure%20AD%20at%20the%20Sign-ins.%20If%20you%20have%20a%20look%20at%20the%20client%20app%20which%20is%20used%2C%20you%20should%20be%20able%20to%20see%20if%20Gmail%20is%20a%20legacy%20auth%20app.%20Only%20browser%20and%20Mobile%20apps%20and%20desktop%20is%20modern%2C%20all%20others%20are%20legacy.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1555562%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20Policy%20compliant%20devices%20on%20Android%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1555562%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3194%22%20target%3D%22_blank%22%3E%40Peter%20Klapwijk%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20excuse%20the%20late%20reply.%3CBR%20%2F%3EI%20checked%20it%20in%20Azure%20at%20the%20sign-ins.%3CBR%20%2F%3EGmail%20is%20shown%20as%20%22Mobile%20Apps%20and%20Desktop%20clients%22%2C%20so%20it%20should%20work.%3CBR%20%2F%3EWhen%20Gmail%20connects%20to%20Exchange%20Online%2C%20a%20Modern%20Authentication%20login%20mask%20is%20shown.%20Multi-factor%20authentication%20also%20shows%20up%2C%20but%20after%20confirmation%26nbsp%3B%20the%20login%20process%20stops%20with%20the%20message%20that%20the%20device%20is%20not%20registered%2C%20although%20it%20is%20registered.%20The%20problem%20doesn't%20occur%20with%20any%20other%20app%2C%20just%20Gmail.%3CBR%20%2F%3ESeems%20to%20be%20a%20bug%2C%20doesn't%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22gmail_ca.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208993iF18845C8668D093F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22gmail_ca.PNG%22%20alt%3D%22gmail_ca.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1556479%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20Policy%20compliant%20devices%20on%20Android%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1556479%22%20slang%3D%22en-US%22%3EDo%20you%20have%20any%20app%20protection%20policies%20applied%3F%20that%20includes%20Outlook%3F%20Or%20a%20CA%20that%20requires%20a%20approved%20app%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1558800%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20Policy%20compliant%20devices%20on%20Android%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558800%22%20slang%3D%22en-US%22%3EYou%20could%20use%20the%20What%20if%20function%20of%20Conditional%20Acces%20to%20see%20which%20policies%20are%20active.%20Maybe%20you%20missed%20one%20with%20a%20setting%20which%20requires%20an%20approved%20app.%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hello everybody,


has anyone ever set up a Conditional Access Policy that ensures, that only managed devices (marked as compliant) can access Exchange Online?

 

I tried that and basically it also works for Windows, iOS and Android devices.
Unfortunately there is a problem with managed e-mail profiles on Android devices.

 

We have configuration profiles that create an exchange online account with Oauth login on the devices. To check the emails, the Gmail app is rolled out on the devices and the Gmail app accesses the managed Exchange Online profile.

 

This works well, but as soon as I activate the Conditional Access Policy and an Android user has to authenticate again, e.g. because of a password change or on a new device, the login mask reports that the device is not registered and that the Microsoft company portal app should be downloaded first.

 

This message is wrong, the device is registered and everything else works. It occurs on different devices. As a temporary solution, I deactivated the policy for Android devices.
Has anyone ever had this problem?

 

Kind regards
Marco

 

ca1.PNG

ca2.PNGScreenshot_2020-05-15-13-56-29-027_com.android.chrome - Kopie.jpgScreenshot_2020-05-15-13-56-32-041_com.android.chrome - Kopie.jpg

 

5 Replies
Highlighted
I think the issue is Legacy vs Modern auth, Gmail may use Legacy auth to login, you can confirm by going to sign in logs from Azure AD->Add Filter->Client App->Check all the boxes.

I know you have CA enabled to allow ActiveSync but you also have Android Profile to use Modern Auth. I suspect the the test will work as expected if you use Outlook app not Gmail.

Hope this helps!
Moe

@marcosiefert You might get some info when you have a look in Azure AD at the Sign-ins. If you have a look at the client app which is used, you should be able to see if Gmail is a legacy auth app. Only browser and Mobile apps and desktop is modern, all others are legacy.

Highlighted

@Peter Klapwijk 

Please excuse the late reply.
I checked it in Azure at the sign-ins.
Gmail is shown as "Mobile Apps and Desktop clients", so it should work.
When Gmail connects to Exchange Online, a Modern Authentication login mask is shown. Multi-factor authentication also shows up, but after confirmation  the login process stops with the message that the device is not registered, although it is registered. The problem doesn't occur with any other app, just Gmail.
Seems to be a bug, doesn't it?

 

 

gmail_ca.PNG

 

Highlighted
Do you have any app protection policies applied? that includes Outlook? Or a CA that requires a approved app?
Highlighted
You could use the What if function of Conditional Acces to see which policies are active. Maybe you missed one with a setting which requires an approved app.