Outlook Mobile Intune App Protection Policy Block: How to Diagnose

When Outlook on iOS or Android stops opening or shows a message that the app is blocked, an Intune App Protection Policy is usually the cause. This policy is set by your organization’s IT team to control how corporate data is accessed on mobile devices. The block can happen after a policy update, a device change, or when the Outlook app itself is not properly recognized by Intune. This article explains why the block occurs and provides a step-by-step method to diagnose the exact reason for the policy block.

Key Takeaways: Diagnosing Intune Policy Blocks in Outlook Mobile

  • Company Portal app > Device details > Check settings: Confirm the device is compliant and enrolled before Outlook can apply policies.
  • Outlook app > Settings > Security > Intune policy status: View the current policy assignment and any error codes directly in Outlook.
  • Microsoft Intune admin center > Apps > App protection policies > User status: Check which policy version is applied to a specific user and device.

Why Intune App Protection Policies Block Outlook on Mobile

Intune App Protection Policies, also called MAM policies, control how Outlook handles corporate email and attachments. When a policy is assigned but the Outlook app cannot apply it, the app shows a block message. Common root causes include an unapproved device state, a missing or outdated Intune Company Portal app, or a policy conflict between multiple assigned policies. The block is not a random error. It is a deliberate enforcement by Intune to prevent data leakage on devices that do not meet your organization’s security requirements.

Three conditions must be met for Outlook to function under Intune policies. First, the device must be enrolled with Microsoft Intune. Second, the Outlook app must be managed and recognized by Intune. Third, the assigned policy must be successfully applied to the user account. If any of these conditions fails, Outlook shows a block screen. The diagnostic steps below help identify which condition is failing.

Device Enrollment vs App Protection Policy

A common confusion is between device enrollment and app protection. Device enrollment registers the whole device in Intune. App protection policies apply only to specific apps, like Outlook, and do not require full device enrollment. However, if your organization requires device enrollment, Outlook will block access until the device is enrolled. The diagnostic process must check both enrollment status and policy application status.

Steps to Diagnose the Intune Policy Block in Outlook Mobile

Follow these steps in order. Each step isolates one possible cause. Do not skip steps.

  1. Check the exact block message in Outlook
    Open Outlook on the mobile device. Read the full block message. It often includes a specific reason such as “Device is not compliant” or “App is not managed.” Take a screenshot of the message. This message tells you which policy condition failed.
  2. Open the Company Portal app and verify device enrollment
    Open the Microsoft Intune Company Portal app. Tap Devices and select your device. Look for the device compliance status. If the status is “Not compliant” or “Not enrolled,” the device must be enrolled or made compliant. Tap Check settings or Sync to force a refresh. If Company Portal is missing, download it from the Apple App Store or Google Play Store.
  3. Check Outlook app policy status in Settings
    In Outlook, tap your profile picture or the Settings gear icon. Go to Security or Privacy. Look for an option called Intune policy status or Managed apps. Tap it. You will see one of three statuses: Policy applied, Policy pending, or Policy not applied. If the status is Policy not applied, the policy assignment is missing or blocked.
  4. Sign out and sign back into Outlook
    In Outlook, go to Settings > Accounts. Select your work account. Tap Delete Account. Restart the Outlook app. Add the account again. This forces a fresh policy check. If the block persists, move to the next step.
  5. Force a policy sync from the Company Portal app
    Open Company Portal. Tap Devices and select your device. Tap the Sync button or Check settings. Wait 30 seconds. Open Outlook again. A sync forces Intune to re-evaluate policies on the device.
  6. Check Intune admin center for policy assignment
    An IT admin must perform this step. Sign in to the Microsoft Intune admin center at endpoint.microsoft.com. Go to Apps > App protection policies. Select the policy that targets Outlook. Under User status, search for the affected user. Check if the policy status is Applied or Not applied. If Not applied, review the policy assignment groups and device platform settings.
  7. Verify Outlook is a managed app in Intune
    In the Intune admin center, go to Apps > All apps. Search for Microsoft Outlook. If Outlook is not listed, add it as a managed app. An unmanaged Outlook app cannot receive policies. Add Outlook from the app store list or upload the app package.
  8. Check for policy conflicts
    In the Intune admin center, go to Apps > App protection policies. Review all policies assigned to the user. If the user has two policies with conflicting settings for Outlook, the block may occur. For example, one policy may require a PIN while another requires no PIN. Remove or adjust conflicting policies.
  9. Update the Outlook app to the latest version
    Open the Apple App Store or Google Play Store. Search for Microsoft Outlook. If an update is available, install it. Outdated versions of Outlook may not support the latest Intune policy enforcement rules.
  10. Reinstall the Company Portal app
    Delete the Company Portal app from the device. Restart the device. Download and install Company Portal again. Sign in with the work account. This clears any corrupted local enrollment data.
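
The admin-side checks in steps 5 to 8 can also be run over exported registration data for one user. This is an added example, not part of the original article or of Microsoft's tooling: it assumes records shaped like Microsoft Graph `managedAppRegistration` objects with `intendedPolicies` and `appliedPolicies` expanded, and the sample records, user ID, policy names and seven-day staleness threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

OUTLOOK_ID = "com.microsoft.office.outlook"  # Android packageId; the iOS bundleId differs only in case
STALE_AFTER = timedelta(days=7)              # assumption: threshold chosen for this example

def app_id(reg):
    """Return the lower-cased package or bundle id of a registration."""
    ident = reg.get("appIdentifier", {})
    return (ident.get("packageId") or ident.get("bundleId") or "").lower()

def triage(registrations, user_id, now):
    """Return (device_name, finding) pairs for one user's Outlook registrations."""
    mine = [r for r in registrations
            if r.get("userId") == user_id and app_id(r) == OUTLOOK_ID]
    if not mine:
        return [(None, "no Outlook registration: app instance not recognized as managed (step 7)")]
    findings = []
    for reg in mine:
        intended = {p["displayName"] for p in reg.get("intendedPolicies", [])}
        applied = {p["displayName"] for p in reg.get("appliedPolicies", [])}
        last_sync = datetime.fromisoformat(reg["lastSyncDateTime"].replace("Z", "+00:00"))
        if not intended:
            verdict = "no policy targets this user/platform: review assignment groups (step 6)"
        elif intended - applied:
            verdict = "not applied: " + ", ".join(sorted(intended - applied))
        elif len(intended) > 1:
            verdict = "applied, but multiple policies target Outlook: compare settings (step 8)"
        else:
            verdict = "applied"
        if now - last_sync > STALE_AFTER:
            verdict += "; stale check-in, force a sync (step 5)"
        findings.append((reg.get("deviceName"), verdict))
    return findings

# Constructed sample records, not real tenant data.
SAMPLE = [
    {"userId": "u-1001", "deviceName": "Pixel-8",
     "appIdentifier": {"packageId": "com.microsoft.office.outlook"},
     "lastSyncDateTime": "2024-05-01T08:00:00Z",
     "intendedPolicies": [{"displayName": "Android-MAM-Baseline"}],
     "appliedPolicies": []},
    {"userId": "u-1001", "deviceName": "iPhone-15",
     "appIdentifier": {"bundleId": "com.microsoft.Office.Outlook"},
     "lastSyncDateTime": "2024-05-20T08:00:00Z",
     "intendedPolicies": [{"displayName": "iOS-MAM-PIN"}, {"displayName": "iOS-MAM-NoPIN"}],
     "appliedPolicies": [{"displayName": "iOS-MAM-PIN"}, {"displayName": "iOS-MAM-NoPIN"}]},
]
NOW = datetime(2024, 5, 21, tzinfo=timezone.utc)
```

Calling `triage(SAMPLE, "u-1001", NOW)` reports the Android registration as not applied with a stale check-in, and flags the iOS registration for a settings comparison because two policies target Outlook.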

If Outlook Still Shows a Block After the Main Fix

Outlook shows “App is not managed” after policy sync

This error means Intune does not recognize the Outlook app instance. On Android, this can happen if the device has multiple Outlook apps installed, such as the personal version and the managed version. Uninstall all versions of Outlook. Install only the version from the Play Store that is listed as managed by Intune. On iOS, ensure the app was downloaded from the Apple App Store under the managed Apple ID, not a personal Apple ID.

Outlook blocks access after a device factory reset

A factory reset removes the device from Intune enrollment. After reset, the user must re-enroll the device in Company Portal before Outlook can apply policies. Open Company Portal, tap Begin, and follow the enrollment prompts. After enrollment, sync the device and open Outlook. The block should clear within one minute.

Block message appears only on Wi-Fi but not on cellular

This symptom points to a network-level block, not an Intune policy issue. The organization may be using a firewall or proxy that blocks Outlook traffic. Check with the IT team to confirm that the Outlook mobile endpoints are allowed on the Wi-Fi network. Intune policies do not change behavior based on network type.

Intune Policy Block Diagnosis Methods Compared

| Item | Device-side check | Admin-side check |
|---|---|---|
| Speed | Instant results on the device | Requires signing into admin center |
| Required access | User must have Outlook and Company Portal | Admin must have Intune Administrator role |
| Information provided | Shows policy applied or not applied | Shows exact policy version and conflict details |
| Best for | Quick self-diagnosis by the user | Root cause analysis for recurring blocks |
| Limitation | Cannot see policy conflicts | Requires user-specific search |

You can now diagnose an Intune App Protection Policy block in Outlook Mobile by checking the device enrollment, the Outlook policy status, and the Intune admin center. If the block persists after these steps, use the Outlook security logs in the admin center to review the exact policy failure reason. An advanced tip is to enable Intune diagnostic logs on the device by going to Company Portal > Settings > Diagnostic data and sending the logs to your IT team for analysis.
