It's a combination of App Protection and Conditional Access.
- Create an App Protection policy here
https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsMenu/appProtection , select Create Policy and your platform, check the options you want to configure and assign it.
- Create a Condtional Access rule here
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies , select New Policy , assign users and exclude users if needed, select all Cloud Apps, select Android as Device platform and Browser/Mobile apps as Client apps. Grant access with require approved client app, require app protection policy and require all of the selected controls.
Set the policy in Report-only mode if you want to test it first by trying to access Outlook from an Android Device and checking the Sign-In logs here
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/signInlogs . If you're comfortable with it, change Report-Only to On
