I've been struggling a bit with testing Conditional Access and Application Protection policies in our organization. I have been testing on Android and with two different user accounts: one with Azure AD Premium P1 and Intune, and the other without. My questions:
If we have an Application Protection policy to prohibit Managed apps from allowing downloading/screenshot/etc., will this be enforced on a user account that doesn't have Intune or Azure AD P1 licenses?
I'm really confused on how the application policies are enforced. I signed into Outlook (on Android) with an Microsoft Business Premium licensed user. CA and AP Policies made me install the Company Portal app. I did not sign into the Company Portal app, but it did enforce the policies (wouldn't allow a screenshot)
I tried the same thing with an Office 365 F3 user, and it made me add the Company Portal app, but did not prevent me from taking a screenshot.
I changed that user's license to MBP, waited about 15 minutes, and it still wouldn't prevent me. I even tried re-adding the Company Portal app, but it's not applying the policy.
I'm confused because it seems like the App Protection policy gets applied sometimes when the Company Portal app is just installed and not signed into.