According to the Conditional Access doc Require App Protection Policy, "Microsoft Teams... do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively."
This does not mean that an App Protection Policy cannot be applied to the Teams mobile app, but rather that Conditional Access cannot use it as a control to guarantee that access from a mobile device is made with a managed app. This presents a potential security risk in that data within the Teams mobile app could be extracted to non-managed apps, such as the Files app within iOS.
With the heavy dependency and promotion of Teams today, what are ways to allow the use of the Teams mobile app while also preventing data from being extracted to uncontrolled locations/services? Assuming device enrollment is not being considered for BYOD and that a MAM-only approach is desired, what options would that leave? Curious for other perspectives or opinions on this scenario.