Hello everybody,

has anyone ever set up a Conditional Access Policy that ensures that only managed devices (marked as compliant) can access Exchange Online?

I tried that and basically it also works for Windows, iOS and Android devices.
Unfortunately there is a problem with managed e-mail profiles on Android devices.

We have configuration profiles that create an Exchange Online account with OAuth login on the devices. To check the emails, the Gmail app is rolled out on the devices and the Gmail app accesses the managed Exchange Online profile.

This works well, but as soon as I activate the Conditional Access Policy and an Android user has to authenticate again, e.g. because of a password change or on a new device, the login screen reports that the device is not registered and that the Microsoft Company Portal app should be downloaded first.

This message is wrong: the device is registered and everything else works. It occurs on different devices. As a temporary solution, I deactivated the policy for Android devices.
Has anyone ever had this problem?

Kind regards
Marco
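The policy described in the post (compliant device required for Exchange Online on Windows, iOS and Android), as an added example that is not part of the original post or Marco's tenant configuration. It creates the policy in report-only mode via the Microsoft Graph PowerShell SDK, so that sign-ins are evaluated but nobody is blocked, and then lists the recent Android sign-ins to Exchange Online together with the device identity that Azure AD actually saw on each request. Group object ids and the policy name are placeholders; the Exchange Online application id is the well-known service principal id. Whether the Gmail managed profile sends a device identity with its token request is exactly what the `DeviceId`/`TrustType` columns make visible, which is where to look before deciding whether the "device not registered" message is wrong.

```powershell
# Added example (not code from the original post). Requires the Microsoft.Graph
# PowerShell modules (Identity.SignIns and Reports). Placeholders in angle brackets
# must be replaced with values from your own tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Well-known application id of the Office 365 Exchange Online service principal
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Require compliant device for Exchange Online (report-only)"   # placeholder name
    # Report-only first: the policy is evaluated and logged but never enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @("<pilot-group-object-id>")          # placeholder
            excludeGroups = @("<break-glass-admins-group-id>")    # placeholder, emergency access accounts
        }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @("windows", "iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # the "managed device marked as compliant" requirement
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Android sign-ins to Exchange Online from the last 24 hours, with the device detail
# Azure AD recorded and the per-policy result (reportOnlyFailure etc. while in report-only).
$since  = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "createdDateTime ge $since and appId eq '$exchangeOnlineAppId'"

Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $_.DeviceDetail.OperatingSystem -like "Android*" } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, ConditionalAccessStatus,
        @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } },
        @{ n = 'TrustType'; e = { $_.DeviceDetail.TrustType } },
        @{ n = 'DeviceId';  e = { $_.DeviceDetail.DeviceId } },
        @{ n = 'Policies';  e = {
            ($_.AppliedConditionalAccessPolicies |
                ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; ' } } |
    Format-Table -AutoSize
```

A row with an empty `DeviceId` and `TrustType` means the token request reached Azure AD without any device identity, so the compliance check cannot succeed regardless of the device's registration state in Intune; comparing those rows with the working iOS and Windows sign-ins narrows the problem to the client that made the request rather than to the policy itself. Once the report-only results look right, the same object can be switched to `state = "enabled"` with `Update-MgIdentityConditionalAccessPolicy`.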