You try to sign into Outlook and get an error about access being blocked or authentication failing. This often happens after your IT department enforces a new security rule. The problem is usually a Conditional Access policy that your device or sign-in attempt does not meet. This article explains how to identify the specific policy block and the steps to regain access to your email.
Key Takeaways: Resolving Conditional Access Blocks in Outlook
- Error details on the sign-in screen: The blocked sign-in page often names the specific policy, like “Require compliant device” or “Require approved client app.”
- Microsoft Authenticator app approval: Many policies require you to approve the sign-in attempt via a notification on your registered mobile device.
- Company Portal or Intune enrollment: To satisfy device compliance policies, you must install the Company Portal app and enroll your device with your organization.
Why Conditional Access Policies Block Outlook Sign-In
Modern Authentication is the secure method Outlook uses to connect to Microsoft 365. Conditional Access is a feature that allows IT administrators to set rules, or policies, that must be met before access is granted. These policies are common security requirements, such as needing a company-managed device, using a specific app, or signing in from a trusted location.
When you try to sign in, Azure Active Directory checks your attempt against all active policies. If your attempt fails even one policy—for example, you are using an unapproved email app or your personal phone is not enrolled—access is blocked. The error message you see in Outlook or on the web sign-in page is the direct result of this policy evaluation. The fix involves changing your sign-in method or device state to match what the policy demands.
Common Policy Requirements That Cause Failures
Most blocks come from a few standard policy types. A policy might require multi-factor authentication, which you complete with an authenticator app or a text message code. Another frequent policy is “Require approved client app,” which blocks older mail protocols and may require you to use the official Outlook mobile app instead of a built-in mail client. The “Require compliant device” policy is strict; it means your device must be registered and managed by your company’s mobile device management system, like Microsoft Intune.
Steps to Regain Access and Fix the Authentication Failure
Follow these steps in order. Start by reading the error message carefully, as it often points to the exact solution.
- Read the error message on the sign-in screen
When blocked, a web page opens with an error title and details. Look for the policy name, such as “Require multi-factor authentication” or “Access has been blocked by Conditional Access policy.” Note the exact wording. - Complete a multi-factor authentication challenge
If the policy requires MFA, you will typically get a prompt on your Microsoft Authenticator app. Open the app on your registered phone and approve the sign-in notification. If you use SMS, enter the code sent to your phone. - Install and use an approved client app
For “approved client app” policies, ensure you are using a supported application. On a computer, use the Outlook for Windows desktop app or Outlook on the web. On a mobile device, download the official Outlook app from your device’s app store and add your account there instead of using the native iOS or Android mail client. - Enroll your device for compliance
If the policy requires a compliant device, you must enroll it. On your mobile device, download the “Company Portal” app from the public app store. Open it, sign in with your work account, and follow the prompts to enroll and install any required management profiles. On a Windows 11 or Windows 10 PC, you may need to join the device to Azure Active Directory via Settings > Accounts > Access work or school. - Sign in again from the correct location or network
Some policies restrict access to specific geographic locations or IP ranges. If you are working remotely, you may need to connect to your corporate VPN first before launching Outlook and attempting to sign in again.
Using the Office 365 Portal for Advanced Diagnostics
If the error message is unclear, you can check for more details. Sign in to the Microsoft 365 portal at office.com from a web browser. If that succeeds, go to your account security page. Look for recent sign-in activity; failed attempts may have a link labeled “More details” that provides the Conditional Access policy name that caused the block. This information can help your IT support team resolve the issue faster.
If Outlook Still Has Issues After the Main Fix
“Your organization requires you to use the Outlook app” error on phone
This error appears on iOS or Android when trying to add an account to the built-in Mail app. It is caused by the “Require approved client app” policy. The only fix is to stop using the native mail client. Delete the work account from your device’s mail settings. Then, download the Outlook mobile app from the App Store or Google Play, open it, and add your work email account there. The policy will allow access through the official Outlook app.
Outlook desktop app stuck in an authentication loop
Outlook for Windows may repeatedly open a sign-in window that closes and reopens without success. This often happens when cached credentials are corrupt or a policy change requires a fresh token. Go to Windows Settings > Accounts > Email & accounts. Remove your work account from this list. Then, in Outlook, go to File > Account Settings > Account Settings. Select your account and choose Repair. Follow the new Modern Authentication prompts, ensuring you complete any MFA challenges that appear in your browser.
Access is blocked even after device enrollment
If you enrolled your device in the Company Portal but still get blocked, the device may not be reported as compliant yet. Enrollment and compliance can take several minutes to sync. Open the Company Portal app and check if it shows your device as compliant. If not, there may be pending security requirements, like setting a device passcode or enabling encryption. The app will list these actions. Complete them and wait before trying to sign into Outlook again.
Conditional Access Policy Responses: User Actions
| Policy Requirement | User Action for Personal Device | User Action for Company Device |
|---|---|---|
| Require multi-factor authentication | Approve sign-in via Authenticator app or enter SMS code | Same action; MFA is user-centric |
| Require approved client app | Install and use Outlook mobile app; do not use built-in Mail app | Ensure the approved Outlook desktop or mobile app is installed |
| Require compliant device | Install Company Portal app, enroll device, and meet security settings | Device should be pre-enrolled via Intune; contact IT if not |
| Require Hybrid Azure AD join | Not typically applicable; use company-issued computer | Ensure Windows device is joined to corporate domain and Azure AD |
You can now identify and resolve most Conditional Access blocks that prevent Outlook from connecting. Start by carefully reading the error message presented during sign-in. For ongoing access, keep your registered authenticator app and Company Portal app up to date. An advanced tip is to use the Outlook desktop app’s Connection Status dialog; press Ctrl and right-click the Outlook tray icon, then select Connection Status to see if authentication errors are listed there for deeper diagnosis.