Hi folks,
A couple of days ago, all our tenant users who use the Outlook mobile iOS/Android app were suddenly blocked from connecting to the Exchange server.
As an admin, I looked into this issue and found some facts.
Our tenant has ActiveSync disabled.
The mobile device is in compliance in MDM.
Teams and SharePoint can be accessed on the same device.
The problem is that only Exchange access from the Outlook mobile app is affected.
Most of the users affected by this incident suddenly received a notification mail about it.
It said: "Your device has been denied access to the server via Exchange ActiveSync because of server policies".
But our tenant has had ActiveSync disabled for 2 years...
Even though all Conditional Access policies are excluded, the Outlook mobile app is still blocked.
However, I found a workaround. When I add a Conditional Access policy which explicitly permits access to Exchange from iOS devices without a compliant state, the Outlook mobile app can connect.
Furthermore, if I additionally add a device state condition requirement, it's blocked again.
Therefore, I am guessing that the Conditional Access policy for Exchange somehow cannot handle device state correctly.
However, as a rule, we would need to restrict the device state of mobile devices.
Does anyone know what's happening in my tenant? Any advice would be greatly appreciated.