I get 'access denied' when signing into work mail
Conditional Access is a set of rules checking where you come from, on which device, and with which app. One must be off.
Try this first
- 1Read the message carefully. 'Device must be enrolled' = MDM enrolment missing. 'Unknown location' = you are abroad or on a strange network.
- 2Try to clear the Authenticator prompt first; often CA asks for an MFA step you missed.
- 3Working abroad? Tell the admin in advance so they can set a temporary exception.
- 4Non-business apps (e.g. iOS Mail instead of Outlook) are often blocked. Use the Microsoft app.
When to bring us in
Send us the exact error code and timestamp. With those two we find the offending policy in the tenant log within 5 minutes.
See also
- Work and personal apps blur together on the same phoneAndroid Enterprise and iOS-with-Intune can enforce a work profile, isolating business apps in a separate container.
- Setting up Microsoft 365 on a new phoneOutlook, Teams, and OneDrive run smoothest if you install Authenticator first and sign the others in afterwards.
- Moving Authenticator to a new phoneMicrosoft Authenticator has built-in cloud backup. Run it before wiping the old device, otherwise everything has to be re-added by hand.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.