User cannot sign into iOS mail app from MDM-enrolled device

Charlie Habert 35 Reputation points
2026-03-12T21:14:41.07+00:00

I have a user who has enrolled his new iPad into Intune. The device shows as enrolled and compliant on both his end and the admin side. He is able to sign into the Outlook mobile app. However, he is not able to add his mail account using the Apple mail client. When he tries to add an account, he gets a message telling him to enroll his device, and if he selects "Continue", he is taken to the Company Portal app, but nothing happens at that point. We have already unenrolled and re-enrolled the device, and we have factory reset the iPad. We do not have any restrictions on using the Apple mail client, and other users are able to use it without issue.

Microsoft Security | Intune | Microsoft Intune iOS

2 answers

  1. Zebedee Soyffer 5 Reputation points
    2026-03-26T19:16:58.6433333+00:00

    This was happening for us as well. You need to have Microsoft Authenticator on the device and follow the fix from this link. Scroll down to "Create a single sign-on app extension configuration policy".

    https://learn.microsoft.com/en-us/intune/intune-service/configuration/use-enterprise-sso-plug-in-ios-ipados-with-intune?tabs=prereq-intune%2Ccreate-profile-intune

    1 person found this answer helpful.

  2. Q&A Assist
    2026-03-12T21:15:03.0133333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior indicates that Intune/Company Portal is intercepting the native iOS mail profile setup and enforcing enrollment/compliance, but the flow is stuck in a loop instead of completing. From the provided information, there are two common Intune-side causes to check and remediate:

    1. Existing (duplicate) email profile blocking the Intune profile
      On iOS/iPadOS, if a user-created email profile exists before enrollment, Intune detects it as a duplicate (same hostname and email address) and blocks deployment of the Intune-managed profile. This results in noncompliance messages and prompts to enroll or fix the device, which can look like the loop being described.

    Action:

    • On the iPad, remove any manually created mail accounts for this user from Settings → Mail → Accounts.
    • Ensure there are no leftover profiles under Settings → General → VPN & Device Management that define an Exchange or email account for this user.
    • After removal, trigger a sync from the Company Portal app and allow Intune to deploy the managed email profile. The user should then add or use the account only via the Intune-deployed configuration.

    This behavior is documented for iOS/iPadOS: Intune detects an existing duplicate email profile based on hostname and email address, and the user-created profile blocks the Intune-created profile. The Company Portal may state that the user is not compliant and prompt for changes until the user-created profile is removed.

    2. Device cap / enrollment state issues causing Company Portal to misbehave
      If the user has reached the device limit or the Company Portal app is out of date/corrupted, the app can present enrollment prompts that do not complete properly.

    Actions:

    1. In Intune admin center, verify the user has not reached the device limit. If the limit is reached, remove an older device or increase the limit. The user can also remove devices from their side via Company Portal.
    2. On the iPad:
      • Uninstall the Intune Company Portal app.
      • In Safari, browse to https://portal.manage.microsoft.com and sign in with the user’s work account to confirm credentials and device visibility.
      • If sign-in works, reinstall Company Portal from the App Store and complete the enrollment/registration flow again.

    If the Company Portal was corrupted or out of date, this reinstall and re-enrollment typically clears the “enroll your device” loop.

    3. Confirm no OS or jailbreak/compliance blockers
    • Confirm the iPad is running a supported iOS/iPadOS version per your Intune policies and that the device is not flagged as jailbroken or compromised in Company Portal. A compromised device will lose access to mail and other resources until reset and re-enrolled.

    Once duplicate mail profiles are removed and the Company Portal app is healthy and the device is within the allowed device limit, the user should be able to either:

    • Use the Intune-deployed email profile on the native Mail app, or
    • Add the account successfully without being redirected back into an enrollment loop.
