cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Tech Accelerator: Microsoft Intune Suite
Apr 11 2023 08:00 AM - Apr 12 2023 11:00 AM (PDT)
Find out more
SOLVED

Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

asmilie2b
Occasional Contributor

‎Feb 15 2022 02:16 PM

‎Feb 15 2022 02:16 PM

Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

We are unable to log into the Dynamics 365 for Phones app. After entering the password we are required to approve in Authenticator, then the error appears.

 

CRM Login Error.png

 

We did have it set as a protected app in our one App Protection Policy, but we thought perhaps this app is not supported for that, so we removed it, but the result is the same. What we noticed is that in the App Protection policy the highlighted entry exists, possible this is Dynamics 365 for Phones.

 

App Prrotection Policy.png

 

Yet when we edit the policy, it is not there! Perhaps this is stuck somehow....
I need to confirm
1) Is this app supported for App Protection Policy with InTune? If so would anyone have any ideas why the error?
2) If not supported, any ideas how can we resolve the error?

 

I logged a ticket through the device management portal with MS but a week now with no response.  Unlike Microsoft...

1,224 Views
0 Likes
17 Replies
Reply
17 Replies
Moe_Kinani

‎Feb 15 2022 05:01 PM - edited ‎Feb 15 2022 05:04 PM

‎Feb 15 2022 05:01 PM - edited ‎Feb 15 2022 05:04 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

To me, this error is coming from Conditional Access, do you have approved apps and CA policy? If yes, is the device registered to Azure AD using Broker app?
Dynamic 365 is one of the approved apps so it should work in your policy.

Moe

From MSFT docs:

Require app protection policy

In your Conditional Access policy, you can require an Intune app protection policy be present on the client app before access is available to the selected cloud apps.
In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

0 Likes
Reply
asmilie2b

‎Feb 15 2022 05:47 PM

‎Feb 15 2022 05:47 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Many thanks for the reply.

I had taken the app out of App Prtection policy just to try and get it working (and confirm if the issue was indeed InTune related).  So now I have placed it back in there, and the same issue continues.  I confirm that we are testing on devices which have both the MS Authenticator App, and also the InTune Company Portal app installed.  And they both show the devices are enrolled successfully.

0 Likes
Reply
Moe_Kinani

‎Feb 15 2022 07:09 PM

‎Feb 15 2022 07:09 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Do you have other apps in the policy? Do you have the access error only in Dynamic app or other apps as well?
0 Likes
Reply
asmilie2b

‎Feb 15 2022 07:23 PM

‎Feb 15 2022 07:23 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Yes we do have other apps in the policy. Outlook, Teams, Dynamics NAV, Office, etc. All of the other apps are running fine. Which is why I wondered if Dynamics 365 for Phones (AKA Microsoft CRM or Dynamics 365 for Sales) is not supported with App Protection.
0 Likes
Reply
Moe_Kinani

‎Feb 15 2022 07:34 PM - edited ‎Feb 15 2022 07:34 PM

‎Feb 15 2022 07:34 PM - edited ‎Feb 15 2022 07:34 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Got it. Do you see the app in the screenshot attached? If not, it means not supported.

Removing an app from app protection policy could take time up to 48 hours to reflect the new change.

Preview file
191 KB
0 Likes
Reply
Moe_Kinani

‎Feb 15 2022 07:55 PM - edited ‎Feb 15 2022 08:29 PM

‎Feb 15 2022 07:55 PM - edited ‎Feb 15 2022 08:29 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Are you using the app below? These ones are not supported.

https://apps.apple.com/us/app/dynamics-365-for-phones/id1003997947

 

https://apps.apple.com/us/app/dynamics-365-sales/id1485578688


This one is supported:

https://apps.apple.com/us/app/microsoft-dynamics-365/id678800460

Hope it helps!
Moe

0 Likes
Reply
asmilie2b

‎Feb 15 2022 08:06 PM

‎Feb 15 2022 08:06 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Thanks Moe. And that is really all I need to know. If it is not supported with app protection we will live with that. The strange thing is though, even if I remove it from the App Protection policy, and sync the devices, still the same issue occurs. The app will not log in ,with "You can't get there from here"....
0 Likes
Reply
Moe_Kinani

‎Feb 15 2022 08:28 PM

‎Feb 15 2022 08:28 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

I would give it time, app protection policies takes time to reflect new changes.

Moe
0 Likes
Reply
asmilie2b

‎Feb 15 2022 08:31 PM

‎Feb 15 2022 08:31 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

That I can do. We are pretty new to Intune, so was not sure how quick things take effect. I was able to remove the "ghost" entry for the app in my first post above, so maybe that shakes things up. Will give it some time, thank you for the assistance!

0 Likes
Reply
asmilie2b

‎Feb 17 2022 04:21 PM

‎Feb 17 2022 04:21 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

So it has been two days now after completely removing the Dynamics 365 app for Phones from InTune completely. Yet it is still enforcing authentication with the Authenticator app on the iPhone, and that fails. Bizzare. I am wondering if it is one of the URL's that the app uses, that might be in the protected URLs of the app protection policy. But checking visually, none of them seem to be relevant to Dynamics 365....
0 Likes
Reply
Moe_Kinani

‎Feb 17 2022 04:58 PM

‎Feb 17 2022 04:58 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

I hear you here. Can you disable the CA access and enable it again?

Is the app protection policy pushed to all users or just testing mode? If testing, I would remove and recreate again.

Moe
0 Likes
Reply
asmilie2b

‎Feb 17 2022 09:03 PM

‎Feb 17 2022 09:03 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Thanks again. So I added an exception for a test user for the CA policy, and voila! The app works again. Also, as you suggested I temporarily disabled he CA policy, and it also works then.
So, something in the CA policy would be doing it. I have scoured through the settings of the CA though, the app is not included in the app list any more, nor any other setting I can see seems relevant to it, but I must be missing something.
0 Likes
Reply
Moe_Kinani

‎Feb 17 2022 09:24 PM

‎Feb 17 2022 09:24 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

@asmilie2b 

 

Is it possible to share the CA policy and App protection Policy? Try to exclude Dynamic 365 from the apps in the CA (Screenshot attached).

Preview file
63 KB
0 Likes
Reply
asmilie2b

‎Feb 17 2022 09:34 PM

‎Feb 17 2022 09:34 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Se attached. I have confirmed the app is under neither. And also had tried to add an exclusion for it in the CA however it doesn't come up in the search results.

Preview file
64 KB
Preview file
60 KB
0 Likes
Reply
best response confirmed by asmilie2b (Occasional Contributor)
Moe_Kinani

‎Feb 17 2022 09:47 PM - edited ‎Feb 17 2022 10:08 PM

‎Feb 17 2022 09:47 PM - edited ‎Feb 17 2022 10:08 PM

Solution

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

I see the issue now.

It’s not recommended to include all apps in the conditional access, this means any app (even other than o365 apps) will have the same issue as Dynamic because the app is not in the approved list.

I used to think the issue is from the app protection policy but now I can confirm it’s from CA. You need include Office Apps not all the cloud apps.

Check my screenshot.
Moe

Preview file
54 KB
1 Like
Reply
asmilie2b

‎Feb 17 2022 10:32 PM

‎Feb 17 2022 10:32 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

Well, that seems to have done it! I guess it makes sense, perhaps the app is just a shell for the cloud service.. and falls into the Cloud Apps category... I have now added only the Microsoft Office 365 app in there, done a sync, and now the app loads. So much thanks for your help!
0 Likes
Reply
asmilie2b

‎Feb 21 2022 06:43 PM

‎Feb 21 2022 06:43 PM

Re: Unable to log into Dynamics 365 for Phones due to App Protectin Policy Error

So while it was working on Friday, it no longer is.  Which is bizarre. I still only have Office 365 selected under the cloud apps.  No other changes were made.  I am sure now it is something in the CA, because when I disable the main policy, it works again.

0 Likes
Reply