"You can't access this application" when trying to connect with Exchange Online mailbox through ActiveSync

I've recently had a customer experience an issue with connecting to Exchange Online via ActiveSync (iOS Accounts, per Azure) for users who are leveraging Modern Authentication.

The user tries to login per usual processes, but is greeted with the following error after entering their password in the MA prompt:



Selecting "Return to the application without granting consent" (highlighted in the screenshot above) will allow the user to connect to the mailbox via Basic authentication instead of Modern Authentication, but this clearly wasn't working the way we wanted it to.


Now, we've determined that it was an authentication issue within Azure AD, but were initially unable to determine the exact point of failure, as the application "iOS Accounts" was configured to allow authentication against the application for all users (we'd see a "Bad Request" error if the application wasn't authorized permission to connect to the service).


After some digging, we were able to determine the cause of the issue. In the User settings within Azure Active Directory for the tenant, "Users can consent to apps accessing company data on their behalf" was set to "No":



Once we changed this setting, users who were previously experiencing issues with connecting via Modern Auth were able to do so.

You can also make this change via Azure AD PowerShell via the Set-MsolCompanySettings cmdlet, and can check the status of the parameter via Get-MsolCompanyInformation:

 Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $true