
Unable to log into Dynamics 365 for Phones due to App Protection Policy Error


We are unable to log into the Dynamics 365 for Phones app. After entering the password we are required to approve in Authenticator, then the error appears.

CRM Login Error.png

We did have it set as a protected app in our one App Protection Policy, but we thought perhaps this app is not supported for that, so we removed it, but the result is the same. What we noticed is that in the App Protection policy the highlighted entry exists, possibly this is Dynamics 365 for Phones.

App Prrotection Policy.png

Yet when we edit the policy, it is not there! Perhaps this is stuck somehow....
I need to confirm
1) Is this app supported for App Protection Policy with InTune? If so would anyone have any ideas why the error?
2) If not supported, any ideas how we can resolve the error?

I logged a ticket through the device management portal with MS but a week now with no response. Unlike Microsoft...

17 Replies

To me, this error is coming from Conditional Access. Do you have approved apps and a CA policy? If yes, is the device registered to Azure AD using a broker app?
Dynamics 365 is one of the approved apps so it should work in your policy.

Moe

From MSFT docs:

Require app protection policy

In your Conditional Access policy, you can require an Intune app protection policy be present on the client app before access is available to the selected cloud apps.
In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

Many thanks for the reply.

I had taken the app out of App Protection policy just to try and get it working (and confirm if the issue was indeed InTune related). So now I have placed it back in there, and the same issue continues. I confirm that we are testing on devices which have both the MS Authenticator App, and also the InTune Company Portal app installed. And they both show the devices are enrolled successfully.

Do you have other apps in the policy? Do you have the access error only in the Dynamics app or other apps as well?

Yes we do have other apps in the policy. Outlook, Teams, Dynamics NAV, Office, etc. All of the other apps are running fine. Which is why I wondered if Dynamics 365 for Phones (AKA Microsoft CRM or Dynamics 365 for Sales) is not supported with App Protection.

Got it. Do you see the app in the screenshot attached? If not, it means not supported.

Removing an app from app protection policy could take up to 48 hours to reflect the new change.

Thanks Moe. And that is really all I need to know. If it is not supported with app protection we will live with that. The strange thing is though, even if I remove it from the App Protection policy, and sync the devices, still the same issue occurs. The app will not log in, with "You can't get there from here"....

I would give it time, app protection policies take time to reflect new changes.

Moe

That I can do. We are pretty new to Intune, so was not sure how quickly things take effect. I was able to remove the "ghost" entry for the app in my first post above, so maybe that shakes things up. Will give it some time, thank you for the assistance!

So it has been two days now after completely removing the Dynamics 365 app for Phones from InTune completely. Yet it is still enforcing authentication with the Authenticator app on the iPhone, and that fails. Bizarre. I am wondering if it is one of the URLs that the app uses, that might be in the protected URLs of the app protection policy. But checking visually, none of them seem to be relevant to Dynamics 365....

I hear you here. Can you disable the CA access and enable it again?

Is the app protection policy pushed to all users or just testing mode? If testing, I would remove and recreate again.

Moe

Thanks again. So I added an exception for a test user for the CA policy, and voila! The app works again. Also, as you suggested I temporarily disabled the CA policy, and it also works then.
So, something in the CA policy would be doing it. I have scoured through the settings of the CA though, the app is not included in the app list any more, nor any other setting I can see seems relevant to it, but I must be missing something.

@asmilie2b

Is it possible to share the CA policy and App Protection Policy? Try to exclude Dynamics 365 from the apps in the CA (Screenshot attached).

See attached. I have confirmed the app is under neither. And also had tried to add an exclusion for it in the CA however it doesn't come up in the search results.

best response confirmed by asmilie2b (Occasional Contributor)
Solution

I see the issue now.

It’s not recommended to include all apps in the conditional access, this means any app (even other than o365 apps) will have the same issue as Dynamics because the app is not in the approved list.

I used to think the issue is from the app protection policy but now I can confirm it’s from CA. You need to include Office Apps, not all the cloud apps.

Check my screenshot.
Moe
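
The accepted answer above traces the failure to a Conditional Access policy scoped to all cloud apps. As an added example (not part of the thread), this Python check flags enforced policies with that scope whose grant controls cannot be met without an approved or app-protected client app. It assumes policies exported in the Microsoft Graph `conditionalAccessPolicy` JSON shape and that the policy used the approved-app or app-protection grant control, which the thread does not show; all sample data is constructed.

```python
# Added example: audit Conditional Access policies exported as Microsoft Graph
# conditionalAccessPolicy objects. All policy data below is constructed.

# Grant controls that only an approved / app-protection-capable client app can satisfy.
APP_BASED = {"approvedApplication", "compliantApplication"}

def _policy(name, state, apps, operator, controls):
    """Build a minimal policy dict in the Graph shape (helper for the sample data)."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": apps}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [  # constructed, not taken from the thread
    _policy("Mobile - app protection, all apps", "enabled", ["All"], "OR",
            ["approvedApplication", "compliantApplication"]),
    _policy("Mobile - app protection, Office 365", "enabled", ["Office365"], "OR",
            ["approvedApplication", "compliantApplication"]),
    _policy("All apps - MFA", "enabled", ["All"], "AND", ["mfa"]),
    _policy("All apps - compliant device or approved app", "enabled", ["All"], "OR",
            ["compliantDevice", "approvedApplication"]),
    _policy("All apps - MFA and app protection", "enabled", ["All"], "AND",
            ["mfa", "compliantApplication"]),
    _policy("Pilot (report-only)", "enabledForReportingButNotEnforced", ["All"], "AND",
            ["compliantApplication"]),
]

def app_control_unavoidable(grant):
    """True when sign-in cannot succeed without satisfying an app-based control."""
    controls = set(grant.get("builtInControls") or [])
    if not controls & APP_BASED:
        return False
    if grant.get("operator") == "AND":
        return True               # every listed control is required
    return controls <= APP_BASED  # OR: no non-app alternative is offered

def audit(policies):
    """Return names of enforced policies that gate *all* cloud apps on an app-based control."""
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies do not block sign-in
        apps = policy.get("conditions", {}).get("applications", {})
        if "All" not in (apps.get("includeApplications") or []):
            continue
        if app_control_unavoidable(policy.get("grantControls") or {}):
            findings.append(policy["displayName"])
    return findings

if __name__ == "__main__":
    for name in audit(SAMPLE_POLICIES):
        print("review scope:", name)
```

The check ignores `excludeApplications`, user scoping and platform conditions, so a flagged policy is a prompt to review its scope rather than proof that it blocks a given app.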

Well, that seems to have done it! I guess it makes sense, perhaps the app is just a shell for the cloud service.. and falls into the Cloud Apps category... I have now added only the Microsoft Office 365 app in there, done a sync, and now the app loads. So much thanks for your help!

So while it was working on Friday, it no longer is. Which is bizarre. I still only have Office 365 selected under the cloud apps. No other changes were made. I am sure now it is something in the CA, because when I disable the main policy, it works again.