A client was facing an issue where end users were stuck in a login loop when trying to access Intune-managed apps (such as Outlook and Teams) on their mobile devices using their corporate credentials. The apps would continuously switch between the managed app and Microsoft Authenticator, preventing a successful login.
If you’re experiencing the same issue, I created this guide to help you troubleshoot and resolve the problem quickly.
Diagnosis and Troubleshooting Steps
Step 1: Verify User Licensing
The first check was ensuring that the affected users had the necessary Microsoft 365 and Intune licenses assigned. However, I found out that licensing wasn’t the issue—users were properly assigned.
Step 2: Check Security Group Assignments
Next, I verified that the users were in the correct security groups that were included in the App Protection Policy (APP) in Intune. Again, everything was correctly assigned.
Step 3: Verify App Protection Policy (APP) Application
In Intune Monitor, I checked whether the App Protection Policy was correctly applied to the user and their device. The policy was showing as active, and the users were experiencing expected restrictions (e.g., copy/paste restrictions on corporate data), confirming that the policy was in effect.
Step 4: Investigate Conditional Access (CA) Policies
A Conditional Access (CA) policy was in place to enforce that all users logging in from an iOS or Android device must have an App Protection Policy applied.
To test whether the CA policy was causing the issue, I temporarily excluded a user from the policy. Surprisingly, this allowed them to log in without any issues, which didn’t make sense since Intune confirmed that the App Protection Policy was already applied.
Step 5: Review Entra ID Sign-In Logs
Diving deeper, I checked Entra ID > Sign-in logs > User sign-ins (Non-interactive) for the affected user.
- I found failures related to the Microsoft Teams Mobile app
- The error message under Grant Controls stated that “Require app protection policy” was failing
- However, Intune showed the policy was correctly applied—and I even confirmed this by verifying that the user had copy/paste restrictions in effect
At this point, it was clear that something was out of sync between Intune, Conditional Access and Microsoft Authenticator.
Resolution
After extensive testing, the appropriate fix is as follows:
- Uninstall Microsoft Apps on Mobile (Including Authenticator)
The user had to uninstall all Microsoft apps, including Authenticator, from their mobile device.
- Revoke MFA Sessions and Force Re-Registration
In Entra ID > Authentication Methods, I triggered:
- Require re-register for MFA
- Revoke MFA sessions for the affected users
- Force MFA Re-Enrollment via Office.com
The user was asked to log in to Office.com on their PC with their corporate Microsoft 365 credentials. This triggered the MFA registration process again.
The user reinstalled Microsoft Authenticator and added their account, ensuring any old accounts were deleted first.
- Reinstall Microsoft Apps and Log-In Again
The user reinstalled Teams, Outlook and other Microsoft apps on their mobile device. They could now successfully sign in without getting stuck in the login loop. 🎉
Final Thoughts
This issue was a tricky one because everything appeared to be configured correctly, yet Conditional Access still failed with an “App Protection Policy” error. The root cause seemed to be an authentication mismatch between Entra ID, Conditional Access and Microsoft Authenticator.
Key Takeaways
- Always check Entra Sign-in logs (especially Non-Interactive Sign-ins) for hidden authentication issues
- If a user is stuck in a login loop, force an MFA re-registration and have them reinstall Authenticator & Microsoft apps
- When Conditional Access requires an App Protection Policy, but Intune already confirms it’s applied, a clean authentication reset may be necessary
Are you experiencing a similar issue? Try out these steps yourself and let us know if they work! If not, feel free to reach out to us for assistance.
If you’d like to learn more about Microsoft Intune, check out our eBook “The Ultimate Guide to Microsoft Intune”!
