Fixing the Microsoft Authenticator and Managed App Login Loop in Intune (MDM)

Nick Thomas - 17.02.2025

A client was facing an issue where end users were stuck in a login loop when trying to access Intune-managed apps (such as Outlook and Teams) on their mobile devices using their corporate credentials. The apps would continuously switch between the managed app and Microsoft Authenticator, preventing a successful login. 

If you’re experiencing the same issue, I created this guide to help you troubleshoot and resolve the problem quickly.  

Diagnosis and Troubleshooting Steps 

Step 1: Verify User Licensing 

The first check was ensuring that the affected users had the necessary Microsoft 365 and Intune licenses assigned. However, I found out that licensing wasn’t the issue—users were properly assigned. 

Step 2: Check Security Group Assignments 

Next, I verified that the users were in the correct security groups that were included in the App Protection Policy (APP) in Intune. Again, everything was correctly assigned. 

Step 3: Verify App Protection Policy (APP) Application 

In Intune Monitor, I checked whether the App Protection Policy was correctly applied to the user and their device. The policy was showing as active, and the users were experiencing expected restrictions (e.g., copy/paste restrictions on corporate data), confirming that the policy was in effect. 

Step 4: Investigate Conditional Access (CA) Policies 

A Conditional Access (CA) policy was in place to enforce that all users logging in from an iOS or Android device must have an App Protection Policy applied. 

To test whether the CA policy was causing the issue, I temporarily excluded a user from the policy. Surprisingly, this allowed them to log in without any issues, which didn’t make sense since Intune confirmed that the App Protection Policy was already applied. 

Step 5: Review Entra ID Sign-In Logs 

Diving deeper, I checked Entra ID > Sign-in logs > User sign-ins (Non-interactive) for the affected user. 

  • I found failures related to the Microsoft Teams Mobile app 
  • The error message under Grant Controls stated that “Require app protection policy” was failing 
  • However, Intune showed the policy was correctly applied—and I even confirmed this by verifying that the user had copy/paste restrictions in effect 

At this point, it was clear that something was out of sync between Intune, Conditional Access and Microsoft Authenticator. 
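The sign-in log check from Step 5 can be repeated across many users by scanning an export of the non-interactive sign-ins. The following Python sketch is an added example, not part of the original post: it flags users whose sign-ins fail repeatedly on the app protection grant control within a short window, which is the signature of the login loop. Field names follow the Microsoft Graph `signIn` resource; the sample records, the policy name and the exact grant-control wording are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(upn, app, ts, result, control):
    # Builds one constructed sign-in record (not real tenant data).
    return {"userPrincipalName": upn, "appDisplayName": app, "createdDateTime": ts,
            "appliedConditionalAccessPolicies": [{
                "displayName": "Mobile - require APP (constructed)",
                "result": result, "enforcedGrantControls": [control]}]}

APP = "Require app protection policy"  # assumed wording, taken from the post
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "Microsoft Teams", "2025-02-17T01:00:05Z", "failure", APP),
    _rec("alice@example.com", "Microsoft Teams", "2025-02-17T01:00:40Z", "failure", APP),
    _rec("alice@example.com", "Microsoft Teams", "2025-02-17T01:01:15Z", "failure", APP),
    _rec("alice@example.com", "Microsoft Teams", "2025-02-17T01:02:30Z", "failure", APP),
    _rec("bob@example.com", "Microsoft Teams", "2025-02-17T01:03:00Z", "failure", "Mfa"),
    _rec("carol@example.com", "Outlook Mobile", "2025-02-17T01:04:00Z", "failure", APP),
    _rec("dave@example.com", "Microsoft Teams", "2025-02-17T01:05:00Z", "success", APP),
]

def failed_app_protection(signin):
    """Return names of CA policies that failed on an app protection grant control."""
    hits = []
    for pol in signin.get("appliedConditionalAccessPolicies", []):
        controls = [c.lower().replace(" ", "") for c in pol.get("enforcedGrantControls", [])]
        if pol.get("result") == "failure" and any("appprotection" in c for c in controls):
            hits.append(pol["displayName"])
    return hits

def find_login_loops(signins, min_failures=3, window=timedelta(minutes=10)):
    """Flag (user, app) pairs with a burst of app protection failures inside `window`."""
    buckets = defaultdict(list)
    for s in signins:
        if failed_app_protection(s):
            ts = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
            buckets[(s["userPrincipalName"], s["appDisplayName"])].append(ts)
    loops = {}
    for key, times in buckets.items():
        times.sort()
        # Sliding window over consecutive failures for this user and app.
        for i in range(len(times) - min_failures + 1):
            if times[i + min_failures - 1] - times[i] <= window:
                loops[key] = len(times)  # total failures seen for this pair
                break
    return loops

if __name__ == "__main__":
    for (user, app), count in find_login_loops(SAMPLE_SIGNINS).items():
        print(f"{user} / {app}: {count} app protection failures")
```

Users flagged here while Intune reports the policy as applied match the mismatch described in this step and are candidates for the reset in the Resolution section.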

Resolution 

After extensive testing, the appropriate fix is as follows: 

  1. Uninstall Microsoft Apps on Mobile (Including Authenticator) 

The user had to uninstall all Microsoft apps, including Authenticator, from their mobile device.

  2. Revoke MFA Sessions and Force Re-Registration 

In Entra ID > Authentication Methods, I triggered: 

  • Require re-register for MFA 
  • Revoke MFA sessions for the affected users 

  3. Force MFA Re-Enrollment via Office.com 

The user was asked to log in to Office.com on their PC with their corporate Microsoft 365 credentials. This triggered the MFA registration process again.

The user reinstalled Microsoft Authenticator and added their account, ensuring any old accounts were deleted first. 

  4. Reinstall Microsoft Apps and Log-In Again 

The user reinstalled Teams, Outlook and other Microsoft apps on their mobile device. They could now successfully sign in without getting stuck in the login loop. 🎉 

Final Thoughts 

This issue was a tricky one because everything appeared to be configured correctly, yet Conditional Access still failed with an “App Protection Policy” error. The root cause seemed to be an authentication mismatch between Entra ID, Conditional Access and Microsoft Authenticator. 

Key Takeaways

  • Always check Entra Sign-in logs (especially Non-Interactive Sign-ins) for hidden authentication issues 
  • If a user is stuck in a login loop, force an MFA re-registration and have them reinstall Authenticator & Microsoft apps 
  • When Conditional Access requires an App Protection Policy, but Intune already confirms it’s applied, a clean authentication reset may be necessary 

Are you experiencing a similar issue? Try out these steps yourself and let us know if they work! If not, feel free to reach out to us for assistance.  
