@Louie, Andy (TIS) , Thanks for the reply. For app-based Conditional Access, it will redirect to broken app. For iOS it is Microsoft Authenticator. Here is a link for the reference:
https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune
If we want to try, for the cloud app for email access, I think it can be "office 365" or "Exchange Online".
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
For the Grant field, we can configure "Require approved client app" and "Require app protection policy".
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
Thanks for the understanding and have a nice day!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.