question

PedroK-8562 asked Crystal-MSFT edited

Unable to add MFA-enabled work email to Android Outlook app

Hi,

I am trying to add my O365 work email account to the Outlook app of an Android device I have and it’s not working. I am using Multifactor authentication. I get an error ‘This account can’t be added because you need to install Intune Company Portal’. It fades away and then Outlook app closes. Try again and the same thing happens. And so on.

Company Portal is installed despite what the error says. I have seen this error on Android devices throughout the estate (there aren’t many), but it’s not consistent. I have successfully added MFA-enabled work accounts to Androids before, including my own Samsung Galaxy last year (failed at some point and I couldn't re-add; would get this same error). I want to lick this problem once and for all. I have zero issues with iPhones.

I should note that I’m using Android 9 on a Moto G6, and the latest Outlook app. But that doesn’t matter. It has been happening for a while now on multiple devices.
I have tried uninstalling and reinstalling the Company portal app. Same with Microsoft Authenticator and Outlook app. I have tried installing them in different sequence. I have tried removing all old/stale work profiles and devices from Azure AD and Microsoft Endpoint Manager and starting from scratch. Doesn’t work.

Steps taken: I launch the Company Portal app (padlock company version). My Work profile and device are registered and ‘in compliance’ (work profile also showing in Android Settings > Accounts). I launch Microsoft Authenticator and verify that my work account is added and working. I launch Outlook app and try adding the account. Error every time upon submitting email address. Microsoft Endpoint Manager doesn’t show any enrollment failures under my account.

I would greatly appreciate any assistance you can provide.
Thanks

office-outlook-itpromem-intune-enrollment
Crystal-MSFT answered Crystal-MSFT edited

@PedroK-8562, From your description, I find our issue is that when adding an O365 account, an error "The account can't be added because you need to install Intune Company Portal" appears on the Android device. On an iPhone device it is working. Also, a compliant Android device also gets the error when adding an Office 365 account. If there's any misunderstanding, feel free to let us know.

For our issue, I guess one possible cause can be that a conditional access policy is configured, which may cause our issue.

Here, we suggest collecting the following information to clarify:
1. Please check if there's any Conditional Access policy configured and assigned to a user group which includes our user. If yes, please get screenshots of the detailed settings.
2. Check the Sign-ins report for the affected user we test and see if the access failure has been recorded there, and get the details of the failure.

Please check the above information and if there's any update, feel free to let us know.


PedroK-8562 answered Crystal-MSFT edited

Hi,

Thanks for writing back. I checked the Sign-ins report after just having tried it again (unsuccessfully) and there is nothing in there! I searched under User sign-ins (interactive) and User sign-ins (non-interactive). Nothing comes up under my user ID. So if it is a result of a conditional access policy, it does not lead to a login block.

I did look under conditional access policies. We have quite a few enabled. Unfortunately, the consultants who set this all up have left the company (pandemic crushed our staff) so I don't know what each of these do. But if it was a conditional access policy blocking me, wouldn't I see this on the sign ins report?


@PedroK-8562, Thanks for the reply.

From the picture you provided, I find a CA named "CA06 All cloud Apps Require compliant device for 365-macro-approved-users when Browser or modern auth" which seems to be configured to require a compliant device for all cloud apps. This may explain why Company Portal is asked to be installed. From our previous description, I know the device is enrolled successfully, but the Outlook app failed to add the Office 365 email account. And in the user sign-in log, we didn't find any log. Could you check what the error is when adding the account?


PedroK-8562 answered Crystal-MSFT edited

Hi,

I believe this CA is a Mac-only policy. See image below. There is a user group assigned to it called 365_MacOS_approved_users. Under Conditions, the Device platform selected is MacOS only. If this were the cause, wouldn't I see that in the Sign in logs? Wouldn't it say that login failed due to a conditional policy? But I do not see a failed login.

I'm not sure what you mean when you ask "Could you check what is the error when add the account"? The error is the same one I have always gotten which is "The account can't be added because you need to install Intune Company Portal". This happens when I try to add the O365 account on the Outlook app.

I should tell you that we do have a bunch of devices working on Android. We have other devices that cannot use Android (they get this exact error) even though they are enrolled and compliant. Even on this one device, I was able to get it working a couple of weeks ago (after 20 different attempts of uninstalling, reinstalling and modifying settings). I thought I had the problem solved. I removed all apps and all entries from AAD and Intune. Started fresh. No luck. I have tried so many things but it keeps failing. That's why I want to solve this once and for all.

Thanks for your help


@PedroK-8562, From the screenshot, the device platform is macOS. If so, this policy is not related to our issue. We can check if there's another policy with Android selected and configured with a user group which includes our user, to see if the Company Portal install prompt is caused by a Conditional Access policy.

For the sign-in log, we can also check it in the Azure AD portal to see if there's any record there. If it is also not there, as Office 365 seems to authenticate using Azure AD, we suggest contacting Azure AD support to see if other logs can be checked to troubleshoot our issue:

For the other devices which are already enrolled and compliant, I notice they are also prompted to install Company Portal. The phenomenon is a little strange. This needs background log analysis. As Q&A is not the best channel for log analysis, we suggest opening a case to work on such an issue.
https://docs.microsoft.com/en-us/mem/get-support

Thanks for the understanding.
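
The policy check suggested in this thread (which Conditional Access policies requiring a compliant device cover an Android sign-in for a given user) can be run offline over an exported policy list; the following is an added example, not part of the original thread and not Microsoft's code. It assumes policies shaped like Microsoft Graph `conditionalAccessPolicy` objects; the sample policies, `user-1` and the `grp-*` IDs are constructed placeholders, and application, client-app, role and guest conditions are ignored. It treats a policy with no device-platform condition as applying to every platform, Android included, and reports report-only policies with their state because they are logged but not enforced.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects.
# Display names, group IDs and settings are placeholders, not the thread's tenant.
POLICIES = json.loads("""[
 {"displayName": "macOS compliant device", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["grp-macos"]},
                 "platforms": {"includePlatforms": ["macOS"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}},
 {"displayName": "All apps compliant device", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}, "platforms": null},
  "grantControls": {"builtInControls": ["compliantDevice"]}},
 {"displayName": "Android pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeGroups": ["grp-staff"]},
                 "platforms": {"includePlatforms": ["android"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}},
 {"displayName": "Desktop only", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "platforms": {"includePlatforms": ["all"],
                               "excludePlatforms": ["android", "iOS"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}}
]""")

def platform_in_scope(policy, platform):
    plat = policy["conditions"].get("platforms")
    if not plat:  # no device-platform condition: every platform matches
        return True
    inc = {p.lower() for p in plat.get("includePlatforms") or []}
    exc = {p.lower() for p in plat.get("excludePlatforms") or []}
    return platform.lower() not in exc and bool(inc & {"all", platform.lower()})

def user_in_scope(policy, user_id, groups):
    u = policy["conditions"].get("users") or {}
    if user_id in (u.get("excludeUsers") or []) or groups & set(u.get("excludeGroups") or []):
        return False
    inc = u.get("includeUsers") or []
    return "All" in inc or user_id in inc or bool(groups & set(u.get("includeGroups") or []))

def policies_in_scope(policies, platform, user_id, groups, control="compliantDevice"):
    # (name, state) of every non-disabled policy demanding `control` here
    return [(p["displayName"], p["state"]) for p in policies
            if p.get("state") != "disabled"
            and control in ((p.get("grantControls") or {}).get("builtInControls") or [])
            and platform_in_scope(p, platform)
            and user_in_scope(p, user_id, set(groups))]

if __name__ == "__main__":
    for name, state in policies_in_scope(POLICIES, "android", "user-1", ["grp-staff"]):
        print(f"{state:35} {name}")
```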
