Troubleshoot application protection policy issues
Troubleshooting App Protection Policies (APP) requires a different mindset than traditional Mobile Device Management (MDM). Because APP targets the user's identity and the application container—rather than the physical operating system—standard device syncs and hardware logs often don't reveal the problem.
If a user reports that they can freely copy corporate data to their personal apps, or conversely, that they're completely locked out of Outlook, follow this structured troubleshooting methodology.
Verify the configuration of MAM
Before digging into logs, ensure the absolute baseline requirements for App Protection are met. If any of these four conditions are missing, the policy silently fails to apply:
- The user must be licensed: The user needs a valid license that includes Microsoft Intune (for example, EMS E3/E5, Microsoft 365 E3/E5).
- The user must be targeted: APP must be assigned to a user group, not a device group.
- The app must be supported: The policy only applies to MAM-enlightened apps (like Microsoft Outlook, Edge, or Teams). It never applies to native OS apps like Apple Mail or the default Android email client.
- The corporate identity must be active: The policy only activates when the user signs into the app using their corporate Microsoft Entra ID credentials. If they add a personal email account to the same Outlook app, the policy does not apply to that personal account's session; only the corporate identity is protected.
Infrastructure troubleshooting (Intune admin center)
If the basics are covered, your next step is to see what the Intune backend is reporting for that specific user.
- Sign in to the Microsoft Intune admin center.
- Navigate to Troubleshooting + support > Troubleshoot.
- Search for and select the affected user.
- Scroll down to the App protection status section.
What to look for:
- Is the app listed? If the user is complaining about Outlook, but Outlook isn't listed under their protected apps, the app has never successfully checked in with the MAM service.
- Check the policy name: Ensure the correct policy is actually targeting them.
- Check the device state: Look at the "Device Type" column. Is Intune recognizing the device as Managed or Unmanaged? If you configured your policy to only apply to "Unmanaged" devices, but Intune sees the device as "Managed," the policy bypasses the device entirely.
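The three checks above can be turned into a small triage routine. The following is an added example, not code from the page or from Microsoft: the records are constructed sample data in the shape the App protection status view shows (app, Device Type column, policy), and the intended/applied distinction mirrors the appliedPolicies and intendedPolicies relationships of a managed app registration in Microsoft Graph. The policy's target_device_type field is a simplified model of the "apply to managed/unmanaged devices" targeting, not an Intune property name.

```python
"""Triage one user's App protection status for a given app.

Added example: a model of the three checks (app listed?, correct policy?,
device type vs policy target). All data here is constructed; nothing is
fetched from the Intune service.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProtectedAppRecord:
    """One row under a user's App protection status (constructed)."""
    app: str                        # MAM-enlightened app, e.g. "Microsoft Outlook"
    device_type: str                # "Managed" or "Unmanaged", as in the Device Type column
    intended_policy: Optional[str]  # policy Intune resolved for this user and app
    applied_policy: Optional[str]   # policy the app last confirmed it enforces


@dataclass
class AppProtectionPolicy:
    """The policy the admin expects to see on the app (constructed)."""
    name: str
    target_device_type: str         # "Managed", "Unmanaged" or "All" (hypothetical field)


def triage(app: str, records: List[ProtectedAppRecord], policy: AppProtectionPolicy) -> List[str]:
    """Return the findings an admin should act on for this app."""
    findings: List[str] = []
    record = next((r for r in records if r.app == app), None)

    # Check 1: if the app is not listed at all, it never checked in with the MAM service.
    if record is None:
        findings.append(f"{app} is not listed: the app has never checked in with the MAM service "
                        "(confirm the corporate account is signed in and the app is MAM-enlightened)")
        return findings

    # Check 3 (device state): a device-type mismatch means the policy bypasses the device.
    if policy.target_device_type != "All" and record.device_type != policy.target_device_type:
        findings.append(f"policy '{policy.name}' targets {policy.target_device_type} devices but Intune "
                        f"sees this device as {record.device_type}: the policy bypasses it")

    # Check 2 (policy name): is the policy Intune intends for this app the one we expect?
    if record.intended_policy != policy.name:
        findings.append(f"expected policy '{policy.name}' but Intune intends "
                        f"{record.intended_policy!r}: review the user group assignment")

    # Intended but not yet applied: the service and the local app are out of sync.
    if record.intended_policy and record.applied_policy != record.intended_policy:
        findings.append(f"intended policy {record.intended_policy!r} is not the applied policy "
                        f"{record.applied_policy!r}: collect client-side diagnostics and re-sync")

    return findings or ["no issue found in App protection status; move to client-side troubleshooting"]


# Constructed sample: Outlook checked in from an MDM-enrolled phone (policy targets unmanaged
# devices only), Edge is healthy, Teams has never checked in.
SAMPLE_POLICY = AppProtectionPolicy("Unmanaged iOS - Block copy/paste", "Unmanaged")
SAMPLE_RECORDS = [
    ProtectedAppRecord("Microsoft Outlook", "Managed", None, None),
    ProtectedAppRecord("Microsoft Edge", "Unmanaged", SAMPLE_POLICY.name, SAMPLE_POLICY.name),
]

if __name__ == "__main__":
    for name in ("Microsoft Outlook", "Microsoft Edge", "Microsoft Teams"):
        print(name)
        for line in triage(name, SAMPLE_RECORDS, SAMPLE_POLICY):
            print("  -", line)
```

The device-state check runs before the policy-name check on purpose: when the device is Managed and the policy targets Unmanaged devices, the missing policy is explained by the targeting, not by the group assignment.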
Client-side troubleshooting (on the device)
If Intune says the policy is applied, but the user insists they can still copy and paste data, the Intune service and the local app might be out of sync. You can pull diagnostic data directly from the user's device.
Using Microsoft Edge for iOS/Android (recommended)
Microsoft Edge has a hidden diagnostic page built specifically for Intune administrators.
- Have the user open the managed Microsoft Edge app on their mobile device.
- In the URL bar, type about:intunehelp (or edge://intunehelp) and select Go.
- This action opens the Intune Diagnostics screen. Here, the user can:
- Tap View Intune App Status to see exactly which policies are currently cached on the device.
- Tap Get Started under Troubleshooting to package the MAM logs and email them directly to your IT helpdesk for deeper analysis.
Using Microsoft Outlook for iOS/Android
- Have the user open the Outlook app.
- Tap their profile icon > Settings (the gear icon) > Help & Feedback.
- Select Collect Diagnostics. This action forces the app to bundle its logs and provides an Incident ID you can use if you need to open a premier support ticket with Microsoft.
Common misconfigurations
If you're still stuck, review your policy configurations for these frequent administrator errors:
- The "most restrictive" conflict: If a user belongs to two different groups (for example, "All Employees" and "Executive Team"), and both groups are assigned an App Protection Policy for iOS, Intune merges the policies. However, in the event of a conflict, Intune always applies the most restrictive setting. If the executive policy disables the App PIN, but the employee policy requires it, the PIN is required.
- Missing Conditional Access: If you built a great App Protection Policy but users are still leaking data, check Microsoft Entra ID. Are users simply bypassing your protected Outlook app and signing into the native iOS Mail app instead? You must configure a Conditional Access policy with the Require app protection policy grant control to close that backdoor.
- Incorrect app targeting: If you configured a strict policy for Microsoft Word but forgot to add Microsoft Excel to the "Public apps" list within the policy settings, users can exfiltrate data whenever they open a spreadsheet.
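The "most restrictive" rule from the first bullet is easy to reason about for the PIN, but harder when two policies differ on several settings at once. The block below is an added example, not code from the page or from Microsoft: it models the merge as a per-setting "stricter of the two" rule over a handful of representative settings. The setting names are simplified labels, and the ranking of the cut/copy/paste levels from "Any app" to "Blocked" is an assumption that follows the order of the options in the policy settings; it is not Intune's implementation.

```python
"""Model of the "most restrictive wins" merge for conflicting App Protection Policies.

Added example. Two policies assigned to groups the same user belongs to are merged
setting by setting; where they conflict, the more restrictive value is kept.
Setting names and clipboard ranking are a simplified model, not Intune internals.
"""
from typing import Any, Callable, Dict

# Ranking of the "Restrict cut, copy, and paste between other apps" options, least to most
# restrictive (assumption: mirrors the order of the options shown in the policy settings).
CLIPBOARD_LEVELS = ["Any app", "Policy managed apps with paste in", "Policy managed apps", "Blocked"]


def _version_key(version: str):
    """Sort key so that '17.2' ranks above '16.10' (numeric, not lexical)."""
    return tuple(int(part) for part in version.split("."))


# For each setting, a function that returns the more restrictive of two values.
MOST_RESTRICTIVE: Dict[str, Callable[[Any, Any], Any]] = {
    "pin_required": lambda a, b: a or b,                  # requiring a PIN is stricter
    "min_pin_length": max,                                # a longer PIN is stricter
    "offline_grace_period_minutes": min,                  # a shorter grace period is stricter
    "allow_org_data_backup": lambda a, b: a and b,        # blocking backup is stricter
    "cut_copy_paste": lambda a, b: max(a, b, key=CLIPBOARD_LEVELS.index),
    "min_os_version": lambda a, b: max(a, b, key=_version_key),
}


def merge_policies(*policies: Dict[str, Any]) -> Dict[str, Any]:
    """Merge any number of policies into the effective policy a user receives.

    A setting present in only one policy passes through unchanged; a setting with
    no merge rule raises, so an unmodelled setting is never silently resolved.
    """
    effective: Dict[str, Any] = {}
    for policy in policies:
        for setting, value in policy.items():
            if setting not in effective:
                effective[setting] = value
                continue
            rule = MOST_RESTRICTIVE.get(setting)
            if rule is None:
                raise ValueError(f"no merge rule for setting {setting!r}")
            effective[setting] = rule(effective[setting], value)
    return effective


# Constructed sample: the page's "All Employees" vs "Executive Team" scenario for iOS.
ALL_EMPLOYEES = {
    "pin_required": True, "min_pin_length": 4, "offline_grace_period_minutes": 720,
    "cut_copy_paste": "Policy managed apps with paste in", "allow_org_data_backup": True,
    "min_os_version": "16.0",
}
EXECUTIVE_TEAM = {
    "pin_required": False, "min_pin_length": 6, "offline_grace_period_minutes": 1440,
    "cut_copy_paste": "Blocked", "allow_org_data_backup": False,
    "min_os_version": "17.2",
}

if __name__ == "__main__":
    for setting, value in merge_policies(ALL_EMPLOYEES, EXECUTIVE_TEAM).items():
        print(f"{setting}: {value}")
```

Every rule is commutative, so the effective policy does not depend on which group the user was added to first; that is the property to keep in mind when an executive reports that a PIN prompt "came back" after being added to a broader group.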