0-30 minutes, nothing will be asked.
30-60 minutes will be asked to use FaceID.
After 60 minutes, only PIN will be asked.
If we enable FaceID option in the APP Protection Policy, it will not automatically enable the setting "Require Face ID" in Outlook app. Honestly, there is no method to avoid end user changing this setting in this app, because intune doesn't control it.
Based on my understanding, if end user manually enable "Require Face ID" in Outlook app, it is just asked to have once more FaceID.
0-30 minutes will be asked to once FaceID.
30-60 minutes will be asked to twice FaceID.
After 60 minutes, it will be asked first once FaceID and then PIN.
Hope it will clarify something.