Issues on Conditional Access with App protection policies | iOS & Android

Florian Hirschmann 6 Reputation points
2020-11-04T14:11:02.163+00:00

Hello guys,

Our scenario is as follows: we are having issues "checking in" with an App Protection Policy because of Conditional Access.

We have a Conditional Access policy for Office 365 for our iOS and Android users; they have to be
A) Registered in Intune (this is our COPE model)
or
B) Have an App Protection Policy assigned (BYOD model)

So our Conditional access rule looks like this:

Users : All
Cloud Apps: Office-365
Condition iOS and Android Device platform
Client apps: All
Access controls: Grant access

  • Require device to be marked as compliant
    OR
  • Require app protection policy

If you register your phone via the Company Portal, all works fine: the Conditional Access policy grants access because condition A) is fulfilled.

For the condition B) scenario we have an App Protection Policy assigned for all users on unmanaged devices. If you are connecting, for example, via the Outlook app and your device is not registered in Intune, it sometimes gets the App Protection Policy assigned correctly and the Conditional Access is fulfilled, and sometimes not: it fails because "Registration is needed" (the Conditional Access is blocking).

We have this construct because there are users having company devices (model A) and also private devices (model B)

I guess there is something strange about this behaviour. We have all kinds of scenarios: on some devices it is working with a few apps, on others with none, and it is not transparent why. It seems like there are issues with the app check in the Conditional Access, but only sometimes?

The expected behaviour would be like:
Open Outlook App
Enter Credentials
Checking Conditional Access

  1. Device Intune enrolled -> Grant access
  2. Device not enrolled -> Apply APP (but this is not working reliably)

Maybe you have any kind of ideas to solve this, or is it just a bug?

Best Regards,

Florian
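The grant-control combination described in the question, expressed as the Microsoft Graph policy object it maps to and created with the Microsoft.Graph PowerShell SDK (an added example, not code from the original post; the display name and the report-only state are assumptions). It shows how the two portal labels map to the builtInControls values, and that "Require app protection policy" is compliantApplication, not the approvedApplication control.

```powershell
# Added example: the Conditional Access policy from the question as a Graph policy
# object. The display name and the report-only state are assumptions, not values
# taken from the original post.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Mobile O365 - compliant device OR app protection policy"   # assumed name
    # Report-only first: the sign-in logs then record which grant control would have
    # been satisfied for each sign-in without blocking anyone while the APP check
    # is being investigated.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Portal labels -> Graph builtInControls values:
        #   "Require device to be marked as compliant" -> compliantDevice      (model A, enrolled)
        #   "Require app protection policy"            -> compliantApplication (model B, BYOD)
        # Not approvedApplication, which is "Require approved client app" and a different check.
        # compliantApplication can only be satisfied by an app that supports APP and signs in
        # through the broker (Microsoft Authenticator on iOS, Company Portal on Android);
        # a sign-in that does not go through the broker cannot satisfy this leg of the OR.
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

For each sign-in, the Conditional Access tab of the sign-in log entry lists the grant controls and whether each was satisfied, which is the quickest way to see whether the APP leg or the compliance leg is the one failing on a given device.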


2 answers

  1. CiciWu-MSFT 1,201 Reputation points
    2020-11-05T03:17:53.287+00:00

    From your description, I know that if you are connecting, for example, via the Outlook app and your device is not registered in Intune, it sometimes gets the App Protection Policy assigned correctly and the Conditional Access is fulfilled, and sometimes not: it fails because "Registration is needed".

    To troubleshoot such a case, log analysis is necessary to query the failing process. With the Q&A limitations, it is not the better channel for log analysis. We suggest opening a case to work on this.
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support


  2. Rahul Jindal [MVP] 9,241 Reputation points MVP
    2020-11-21T18:29:45+00:00

    Have you checked whether the APPs are assigned and applying as intended or not?
