One of our customers recently migrated from a third‑party MDM to Microsoft Intune (BYOD) using MAM-only app protection policies. Shortly after go‑live, user reported on iOS began seeing the following message in Microsoft Teams and other Intune-managed apps:
Alert: Your organization will remove its data for this account (614).
To access data for this account, you should restart this app and sign in to your work or school account.
Troubleshooting Steps performed by the user:
The user attempted the standard iOS device-side fixes:
- Restarted the affected apps
- Restarted the device
- Uninstalled and reinstalled Teams
- Followed guidance from Microsoft documentation:
- Error: “Your organization has removed the data associated with this app”
(Microsoft Support Article) https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-management/removed-data-associated-with-app-error and https://techcommunity.microsoft.com/blog/intunecustomersuccess/resolved---support-tip-occasionally-occurring-with-ios-mam-and-office-apps/2617909
- Error: “Your organization has removed the data associated with this app”
None of these steps stopped the 614 loop.
Deeper Investigation — Reviewing Entra Sign‑In Logs
To pinpoint the issue, I reviewed the user’s Entra ID → Sign‑in logs.
Immediately, multiple failures appeared—specifically associated with Microsoft Authenticator
- Intune MAM-protected apps attempting to authenticate
The Conditional Access portion of the logs clearly indicated authenticator-related failures, which aligned with known MAM loops on iOS.
This helped confirm that the issue was not with the apps themselves, but with Authenticator as the broker.
Why iOS Authenticator Is Critical for Intune MAM + App-Based Conditional Access
When using MAM-only + Conditional Access requiring device registration, iOS relies heavily on Microsoft Authenticator. Authenticator acts as the broker that handles:
- Device registration for MAM-only users
- Broker session tokens
- App Protection Policy (APP) identity tokens
- SSO token state for Outlook, Teams, OneDrive, etc. https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-protection-policies/troubleshoot-mam
If the broker token stored in Authenticator becomes stale, corrupted, or out-of-sync, Intune-managed apps lose the ability to validate policy. As documented by Microsoft, this results in the app assuming the user has been signed out—triggering org data wipe events such as 607/614.
This is exactly what we observed.
Root Cause
In this case, the user’s Authenticator broker token was corrupted. As a result:
- Apps could not complete protected sign-in
- Each app interpreted the failure as a sign-out
- The MAM policy forced an “Org Data Removal” event (error 614)
- The loop repeated endlessly
This aligns with known iOS MAM issues where Authenticator loses its token integrity and causes multiple Office apps to auto‑sign‑out. https://techcommunity.microsoft.com/blog/intunecustomersuccess/resolved---support-tip-occasionally-occurring-with-ios-mam-and-office-apps/2617909
Fix — Reset Broker State in Microsoft Authenticator
To fix the issue, we needed to reset Authenticator’s broker state.
The steps were:
1. Remove the Work Account from Authenticator
- Open Microsoft Authenticator → Work account → Remove account
2. (Optional but recommended) Reset Authenticator’s app state
- In iOS Settings → Authenticator, use Reset/Clear credentials if the option appears
3. Re-open the Intune-managed app
- Open Teams/Outlook/etc.
- The app redirects to Authenticator
- User signs in again
- Device re-registers for app-based CA
- A clean set of broker tokens is generated
This forced Authenticator to rebuild:
- Device registration state
- Broker tokens
- App protection identity tokens
- The SSO session used by Teams/Outlook/OneDrive
This method is the same approach Microsoft recommends for breaking MAM sign-out loops.
Hope you find this article useful.