A client was facing an issue where end users were stuck in a login loop when trying to access Intune-managed apps (such as Outlook and Teams) on their mobile devices using their corporate credentials. The apps would continuously switch between the managed app and Microsoft Authenticator, preventing a successful login. <\/p>\n\n\n\n
If you\u2019re experiencing the same issue, I created this guide to help you troubleshoot and resolve the problem quickly. <\/p>\n\n\n\n
Step 1: Verify User Licensing<\/strong> <\/p>\n\n\n\n The first check was ensuring that the affected users had the necessary Microsoft 365 and Intune licenses assigned. However, I found out that licensing wasn\u2019t the issue\u2014users were properly assigned. <\/p>\n\n\n\n Step 2: Check Security Group Assignments<\/strong> <\/p>\n\n\n\n Next, I verified that the users were in the correct security groups that were included in the App Protection Policy (APP) in Intune<\/a>. Again, everything was correctly assigned.\u00a0<\/p>\n\n\n\n Step 3: Verify App Protection Policy (APP) Application<\/strong> <\/p>\n\n\n\n In Intune Monitor, I checked whether the App Protection Policy was correctly applied to the user and their device. The policy was showing as active, and the users were experiencing expected restrictions (e.g., copy\/paste restrictions on corporate data), confirming that the policy was in effect. <\/p>\n\n\n\n Step 4: Investigate Conditional Access (CA) Policies<\/strong> <\/p>\n\n\n\n A Conditional Access (CA) policy<\/a> was in place to enforce that all users logging in from an iOS or Android device must have an App Protection Policy applied. <\/p>\n\n\n\n To test whether the CA policy was causing the issue, I temporarily excluded a user from the policy. Surprisingly, this allowed them to log in without any issues, which didn\u2019t make sense since Intune confirmed that the App Protection Policy was already applied. <\/p>\n\n\n\n Step 5: Review Entra ID Sign-In Logs<\/strong> <\/p>\n\n\n\n Diving deeper, I checked Entra ID<\/a> > Sign-in logs > User sign-ins (Non-interactive) for the affected user. <\/p>\n\n\n\n At this point, it was clear that something was out of sync between Intune, Conditional Access and Microsoft Authenticator. <\/p>\n\n\n\n After extensive testing, the appropriate fix is as follows: <\/p>\n\n\n\n The user had to uninstall all Microsoft apps, including Authenticator, from their mobile device.<\/p>\n\n\n\n In Entra ID > Authentication Methods, I triggered: <\/p>\n\n\n\n The user was asked to log in to Office.com on their PC with their corporate Microsoft 365 credentials. This triggered the MFA registration process again.<\/p>\n\n\n\n The user reinstalled Microsoft Authenticator and added their account, ensuring any old accounts were deleted first. <\/p>\n\n\n\n The user reinstalled Teams, Outlook and other Microsoft apps on their mobile device. They could now successfully sign in without getting stuck in the login loop. \ud83c\udf89 <\/p>\n\n\n\n This issue was a tricky one because everything appeared to be configured correctly, yet Conditional Access still failed with an “App Protection Policy” error. The root cause seemed to be an authentication mismatch between Entra ID, Conditional Access and Microsoft Authenticator. <\/p>\n\n\n\n Are you experiencing a similar issue? Try out these steps yourself and let us know if they work! If not, feel free to reach out to us<\/a> for assistance. <\/p>\n\n\n\n\n
\n
\n
Resolution<\/strong> <\/h2>\n\n\n\n
\n
\n
\n
\n
\n
Final Thoughts<\/strong> <\/h2>\n\n\n\n
Key Takeaways<\/strong><\/h2>\n\n\n\n
\n
\n
\n