Feb 15 2022 02:16 PM
Feb 15 2022 02:16 PM
We are unable to log into the Dynamics 365 for Phones app. After entering the password we are required to approve in Authenticator, then the error appears.
We did have it set as a protected app in our one App Protection Policy, but we thought perhaps this app is not supported for that, so we removed it, but the result is the same. What we noticed is that in the App Protection policy the highlighted entry exists, possible this is Dynamics 365 for Phones.
Yet when we edit the policy, it is not there! Perhaps this is stuck somehow....
I need to confirm
1) Is this app supported for App Protection Policy with InTune? If so would anyone have any ideas why the error?
2) If not supported, any ideas how can we resolve the error?
I logged a ticket through the device management portal with MS but a week now with no response. Unlike Microsoft...
Feb 15 2022 05:01 PM - edited Feb 15 2022 05:04 PM
To me, this error is coming from Conditional Access, do you have approved apps and CA policy? If yes, is the device registered to Azure AD using Broker app?
Dynamic 365 is one of the approved apps so it should work in your policy.
From MSFT docs:
Require app protection policy
In your Conditional Access policy, you can require an Intune app protection policy be present on the client app before access is available to the selected cloud apps.
In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.
Feb 15 2022 05:47 PM
Many thanks for the reply.
I had taken the app out of App Prtection policy just to try and get it working (and confirm if the issue was indeed InTune related). So now I have placed it back in there, and the same issue continues. I confirm that we are testing on devices which have both the MS Authenticator App, and also the InTune Company Portal app installed. And they both show the devices are enrolled successfully.
Feb 15 2022 07:09 PM
Feb 15 2022 07:23 PM
Feb 15 2022 07:34 PM - edited Feb 15 2022 07:34 PM
Got it. Do you see the app in the screenshot attached? If not, it means not supported.
Removing an app from app protection policy could take time up to 48 hours to reflect the new change.
Feb 15 2022 07:55 PM - edited Feb 15 2022 08:29 PM
Are you using the app below? These ones are not supported.
This one is supported:
Hope it helps!
Feb 15 2022 08:06 PM
Feb 15 2022 08:28 PM
Feb 15 2022 08:31 PM
Feb 17 2022 04:21 PM
Feb 17 2022 04:58 PM
Feb 17 2022 09:03 PM
Feb 17 2022 09:24 PM
Is it possible to share the CA policy and App protection Policy? Try to exclude Dynamic 365 from the apps in the CA (Screenshot attached).
Feb 17 2022 09:34 PM
Se attached. I have confirmed the app is under neither. And also had tried to add an exclusion for it in the CA however it doesn't come up in the search results.
Feb 17 2022 09:47 PM - edited Feb 17 2022 10:08 PMSolution
I see the issue now.
It’s not recommended to include all apps in the conditional access, this means any app (even other than o365 apps) will have the same issue as Dynamic because the app is not in the approved list.
I used to think the issue is from the app protection policy but now I can confirm it’s from CA. You need include Office Apps not all the cloud apps.
Check my screenshot.
Feb 17 2022 10:32 PM
Feb 21 2022 06:43 PM
So while it was working on Friday, it no longer is. Which is bizarre. I still only have Office 365 selected under the cloud apps. No other changes were made. I am sure now it is something in the CA, because when I disable the main policy, it works again.