Our school uses Entra ID (Azure AD) federated with Google for Education so staff and students can sign in once and have Gmail auto-provision on their Android phones. Until last week everything ran flawlessly; now every Droid, from Android 10 through 12 and beyond, refuses to add the Google account and throws the exact prompt “Action required for Google Play Services.” Or forces Intune that we don't want. no settings on either platform, so I need someone who lives and breathes Azure AD / AD FS-style federation with Google Workspace to: • trace what broke in the trust or token flow, • restore seamless Gmail enrolment on Android, and • leave me with a short write-up so I understand the fix. You’ll have temporary admin access to both Entra and the Google Admin Console; I can reproduce the issue on multiple devices if you need logs or screen shares. Once Gmail adds successfully on at least one test handset per OS version, I’ll sign off.