[UPDATE 23/11/16] Microsoft have announced a new method of doing what I describe in this blog post.  Matt Shadbolt from the Intune Engineering team has a nice blog post that describes how to use this new process, based on Intune MAM policies.  The information below is still useful if you want to apply more specific restrictions (e.g. iOS vs Android native clients).

What is Intune Conditional Access?

Intune Conditional Access is a pretty neat feature that allows administrators to enforce compliance policies on devices before allowing them to sync their mail with Exchange Online.   The requirements and the process for implementing this feature are quite well documented within Microsoft’s TechNet library:  Manage email access with Microsoft Intune

In short, what is happening is that Microsoft Intune becomes an additional ‘gate’ that sits in front of Exchange Online (or Exchange On-Prem via a connector) and requires devices to provide information on their state (e.g. is it registered, managed or compliant) before being let through as part of the authentication process.   In its current state, this conditional access feature for Exchange Online supports ‘controlling’ access for clients on mobile devices (i.e. ActiveSync), while for PCs (i.e. Outlook Desktop) and browser-based access (i.e. OWA) it is currently in preview.

How Intune Conditional Access works with Mobile Devices with ActiveSync

For mobile devices, ActiveSync is the primary protocol used to communicate with Exchange Online and sync mail to the device; however, it must be noted that there are some variations in how the ActiveSync protocol is implemented.  Most users are familiar with what we call the ‘Native mail client’ on iOS and Android devices and, more recently, the Outlook for iOS/Android app.  While both of these utilise ActiveSync, the defining feature of the Outlook App is that it also supports Modern Authentication, which is important for the purposes of this blog.   Pretty much all other mail clients utilise ActiveSync with ‘Basic’ authentication which, in simple terms, means that they only know how to send the username/password to Exchange Online and expect to be let through.  They certainly don’t understand the concept of ‘device compliance’ tokens or other features like Multi-Factor Authentication.

To work around this, Intune Conditional Access takes over and leverages the ActiveSync policies feature of Exchange Online to quarantine these “legacy” ActiveSync clients after they have configured their mail profile, and injects a fake email into their inbox indicating that the device has been detected as unmanaged and hence does not meet the compliance policies needed to satisfy the conditional access requirements.  This email then directs the user to enrol and uplift their device to meet the compliance policy (e.g. PIN locked, not jailbroken etc.) before they are allowed to sync.

[Image: ActiveSyncEmail]

The key take-away from this is that Intune Conditional Access is tightly integrated with the ‘ActiveSync Policies’ feature of Exchange Online.

For applications that support Modern Authentication however (i.e. the Outlook app), the process is a bit more elegant in that the device compliance check (and the subsequent enrolment process) is performed as part of the authentication / sign-in procedure.  This is also the same process in which MFA prompts can be initiated.

[Images: ModernAuthAppEnrol, MFA]

How to enforce the Outlook App when Intune Conditional Access is used

With that bit of backstory covered off, we can now proceed to explain how you would go about configuring the enforcement of the use of the Outlook App with Intune Conditional Access.  There are numerous reasons why you might want to enforce the use of the Outlook App, but some of the key reasons we often see are:

  • ActiveSync mail clients do not support ‘Selective Wipe’ if the email profile is not managed by Intune.  Intune can only manage iOS native mail app profiles.  This leaves Android and third-party apps open to data leakage if, for example, an employee departs the company with a BYOD device (and thus a full wipe is not allowed)
  • ActiveSync mail clients using ‘basic authentication’ cannot support Multi-Factor Authentication and thus must use the less secure ‘app passwords’ approach
  • Only the Outlook App, to date, supports Intune Mobile Application Management (MAM) policies, a feature that provides Data Loss Protection functionality by keeping company data within ‘managed’ apps

Within Intune, the below image shows what the standard conditional access policy configuration would look like:

[Image: IntuneConditionalAccess-ActiveSyncApps]

The section highlighted in green is what triggers all ‘Modern Auth’ applications to abide by Intune’s Conditional Access rules.  This includes Outlook for desktop and the Outlook for iOS/Android app.  The section highlighted in red is what controls Intune Conditional Access for all the ‘legacy’ ActiveSync mail clients (i.e. your native mail clients and third party apps).  In order to enforce the use of the Outlook app, we actually have to disable Intune Conditional Access for Exchange ActiveSync apps that use basic authentication.

This may seem weird, but the reason we are doing this is because in order to control what specific ActiveSync clients are allowed to connect to Exchange Online we have to use the Exchange Active Sync Policies feature.  Specifically, we have to configure the Access Rules to block all device families and only allow the Outlook App device family, like below:

[Image: ExchangeActiveSyncRules]

As noted earlier, when Intune Conditional Access is in play, it actually leverages and takes ownership of this feature, and thus any rules you have configured there are ignored if the user falls under Intune management and that conditional access policy is enabled.  So, in effect what we are doing is this:

  1. Enable Intune Conditional Access, but only for ‘Modern Authentication’ Apps.  Do not perform the conditional access checks for ‘legacy’ ActiveSync clients
  2. Configure Exchange Online to block all ActiveSync device clients except the Outlook app

The net effect of doing this is as follows:

  • ‘Legacy’ ActiveSync clients will successfully authenticate, but their mail syncing is blocked by the access rules configured within Exchange Online
  • Outlook App clients, even though they are still using ActiveSync, still abide by Intune Conditional Access policies because they are using Modern Auth and can successfully connect to Exchange Online after they meet compliance
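The Exchange Online half of the two steps above (block every device family by default, allow only the Outlook app family) can be done from Exchange Online PowerShell rather than the portal. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and that you hold the Exchange admin role. The Intune half (conditional access for Modern Auth apps only) is configured in the Intune portal and is not scripted here. The strings the Outlook app reports as DeviceType/DeviceModel are an assumption taken from Microsoft's own Outlook for iOS/Android guidance, so the script first lists what your tenant actually sees before the allow rule is created.

```powershell
# Added example (not from the original post): enforce "Outlook app only" for
# ActiveSync clients in Exchange Online, i.e. step 2 of the procedure above.
# Assumes: ExchangeOnlineManagement module, Exchange admin rights.
Connect-ExchangeOnline

# --- 1. Audit before changing anything -------------------------------------
# The default access level is what every device without a matching rule gets.
# A default of 'Allow' means any user outside the Intune policy scope gets in,
# so record it and the existing rules first.
$org = Get-ActiveSyncOrganizationSettings
"Current default access level: $($org.DefaultAccessLevel)"
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel

# --- 2. Check what the Outlook app actually reports ------------------------
# Assumption: Outlook for iOS/Android reports DeviceType "Outlook" and
# DeviceModel "Outlook for iOS and Android". Confirm against your own devices
# before relying on the rule below.
Get-MobileDevice |
    Where-Object { $_.DeviceType -like "Outlook*" } |
    Select-Object -First 5 DeviceType, DeviceModel, DeviceOS, DeviceAccessState

# --- 3. Block all device families by default -------------------------------
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# --- 4. Allow only the Outlook app device family ---------------------------
$ruleName = "Allow Outlook for iOS and Android"   # constructed rule name
$existing = Get-ActiveSyncDeviceAccessRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -Name $ruleName `
        -Characteristic DeviceModel `
        -QueryString "Outlook for iOS and Android" `
        -AccessLevel Allow
}

# --- 5. Verify the net effect -----------------------------------------------
# After the change, 'legacy' clients should show as Blocked (or Quarantined)
# with a DeviceAccessStateReason pointing at the global/individual rule, while
# Outlook app devices should be Allowed.
Get-MobileDevice |
    Select-Object DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason |
    Sort-Object DeviceAccessState |
    Format-Table -AutoSize
```

Run step 1 and step 2 on their own first; only once the output confirms the DeviceModel string your Outlook app clients present should steps 3 and 4 be applied, because a default of Block with a mismatched allow rule will cut off the Outlook app as well.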

The next challenge of course is then convincing all your users to stop using their Native Mail Client (or their preferred third party app) and use the Outlook app instead, but that’s a post for another day 🙂

Category:
Exchange, Identity and Access Management, Office 365

25 Comments

  1. Great article – do you know if Conditional Access for Outlook app also works with Intune Hybrid with an On-Premise Exchange? Thanks

    • Hi Mike,

      Yes – Intune Conditional Access works with On-Prem Exchange if you use the connector. Effectively, the connector provides that ‘gate’ functionality into your on-prem exchange environment.

      Regards,
      Dave.

      • No, when using for Exchange on-premises scenario conditional access policy works only with native ActiveSync clients and doesn’t support the Outlook App.

      • Apologies all! Vinu is correct – as it turns out the Outlook App doesn’t support (for now) the on-premises conditional access policy scenario, as detailed here: https://docs.microsoft.com/en-au/intune/deploy-use/restrict-access-to-exchange-onpremises-with-microsoft-intune (under the ‘note’ section).

        Now, I’m not sure if this means the Outlook app doesn’t work at all when conditional access is enabled, or whether it simply ignores the conditional access policies. One of my team members is actually in the midst of testing and trying this out – so we’ll post back the results once we found out – or if someone already knows the answer to this, please let us know!

  2. This is exactly what I am trying to accomplish within my organization, however it is not working for me. Do you know if this works when Intune is integrated with Microsoft System Center? My Intune Policy page looks different than your screenshots.

    • Hi Eric,

      I haven’t personally tried it with integration with Microsoft System Center, so I can’t be sure – but in theory I don’t see why it shouldn’t work.

      Your policy page is likely different to mine because you don’t have PC Conditional Access enabled – this is currently ‘in preview’ while they’re aligning their platform across multiple products to get this to GA level. However you should still be able to do the above even without PC conditional access.

      Regards,
      Dave.

  3. Thanks for this post. It provides the kind of clarity I needed to get this working correctly. On a related note, have you seen any issues with the reporting in Intune after the Exchange Service to Service connector sync runs? I’m having an issue where after the sync my Outlook app iPad users are showing up as a 2nd device and non-compliant with Android OS. Very strange reporting issue.

  4. “Intune can only manage iOS native mail app profiles”

    Samsung KNOX can also have managed email profiles as well as certain Windows devices per this: https://docs.microsoft.com/en-us/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune

    Thanks for the helpful write-up!

  5. There’s something I don’t understand in this setup (although I’ve tested it and it is correct, I just don’t understand why):

    As per this part of your article, we have to set the default to block and then create a rule to allow Outlook:

    “This may seem weird, but the reason we are doing this is because in order to control what specific ActiveSync clients are allowed to connect to Exchange Online we have to use the Exchange Active Sync Policies feature. Specifically, we have to configure the Access Rules to block all device families and only allow the Outlook App device family, like below”

    But then, as per the following, we state that Intune would ignore any rules if the user is under Intune management:

    “As noted earlier, when Intune Conditional Access is in play, it actually leverages and takes ownership of this feature, and thus any rules you have configured through that are ignored if the user falls within management under Intune and that conditional access policy is enabled.”

    My question is therefore why we need the rule to allow Outlook for Android/iOS? If Intune takes over the feature, as you mention above, and would allow normal ActiveSync clients to bypass the “block” rule, why doesn’t it do the same for the modern auth client? As a test I set the default to block in my tenant, had no device rules in place and set the “Block non-compliant devices on platforms supported by Intune” under the “Exchange ActiveSync devices that use basic authentication” section. Outlook Android was blocked (even though using modern auth) but GMail (using ActiveSync) was allowed as soon as I enrolled the device. This would imply that Intune takes over the feature (as in overrides) the device access policies only for basic auth applications but not for modern auth ones. Then, as per your article, creating a rule to allow device type “Android” stopped it being blocked. Why was this necessary to allow modern auth apps when it wasn’t for basic auth apps?

    Thanks
    Dae

    • Hi Dae,

      You shouldn’t need to create any device access rules to allow Modern Auth Apps to work. What you described is actually not what I would have expected. Once you have “Block non-compliant devices on platforms supported by Intune”, then those device access rules should not have an impact.

      If you had ‘outlook and other modern apps’ enabled for your supported platforms in conditional access – they would have dictated that the modern auth apps require enrollment to work, and they would have triggered as part of sign on. When you mentioned your outlook app is being blocked until you added that device rule, was it being blocked after enrollment or before? Do those outlook clients show up as ‘compliant’ in the intune portal?

      Regards,
      Dave.

      • So I have the Exchange Global access rule set to block and there are no platform exceptions. Modern auth is enabled in Exchange Online. The Exchange Connector to Exchange online from Intune is configured.

        In the Policies area I have a compliance policy which only contains “require PIN” to keep things simple. Under Conditional Access in Exchange Online policy I have “enable conditional access”, “All Platforms”, “Block non-compliant devices on platforms supported by Intune” and “Block all other devices on platforms not supported by Intune” selected. This is targeted at all users with no exceptions.

        The behaviour I see on Android (I have no other types available) is that without enrolling both the native GMail and the MS Outlook for Android clients are blocked. If I enrol through the company portal, the GMail client becomes unblocked and works. The Android Outlook client though remains blocked over 24 hours later. The only way I can get this to connect is to put in a device rule to allow this client. The device shows as compliant, managed by Intune and AAD registered in the portal.

        I’ve been through the tenant a couple of times, removed all config and re-created it. Same behaviour every time.

        I’m surprised that you say that’s not what you’d expect to happen, as this blog article above talks about creating a device rule for Outlook for Android clients. That’s what gave me the idea and allowed the clients to connect. Unless I’ve misunderstood completely?

  6. Hmm interesting. So yes, it’s unexpected because you have the ‘block non-compliant devices on platforms supported by intune’ policy set to enabled. This is the setting that tells Intune to take ‘ownership’ of the ActiveSync device rules. When that policy is enabled, the device access rules should have no impact at all – this is the reason why in my article I talk about disabling that policy such that you can use those rules.

    I’m unsure why your environment has a different behaviour – but perhaps a workaround you can test is to set the ‘default access rule’ to be ‘allowed’ instead of ‘blocked’. This should then allow all your devices to be allowed through without specific device access rules. As long as your Intune policy is still set, devices will still need to be enrolled (and compliant) to access email.

    • I’ve tested using the default access rule as allowed and that works. Also, my original fix of leaving default at block but creating a device class rule for Outlook for Android works.

      It looks like Intune is over-ruling the ActiveSync device rules for normal ActiveSync apps (as I’ve tried quite a few and all are allowed once the device enrols despite the ActiveSync rule being block). However, it isn’t for Modern Auth apps (as I can only get Outlook Android/iOS to connect if the default is allow or I create a device model access rule that matches Outlook Android/iOS). I’ve spoken with a couple of friends and they’ve seen exactly the same behaviour in their tenants.

      It’s certainly not the way I figured it would work. I don’t like the idea of the default being allow as if a user isn’t Intune licensed (or somehow not in scope of policy if someone changes it from all users to group membership based) then they’d get in with no problems.

      • Hi Dae,
        Sorry about the delay – that is certainly an interesting change to when I performed this. I am pretty certain that the behaviour you’re describing now is different to mine – as I distinctly recall testing the exact scenario that you have described. Unfortunately I don’t have access to that original environment anymore and I haven’t had a chance to verify this in my lab. But I would agree with your statement – it certainly is not ideal that you have to set a ‘default allow’ rule to allow modern authentication apps to work!

        I’ll see if I can get some verification of the intention of this behaviour from some Microsoft contacts

      • Dae,
        Can you let me know how you did “put in a device rule to allow this client”? Did you use/add a device policy?
        It seems it can be done individually by an Android user by “On Android devices, users must enable browser access. To do this, the user must enable the Enable Browser Access option on the enrolled device”,
        However I would rather set up a device policy so that it applies to all users automatically and they do not have to do it manually.
        Let me know
        Thank you

  7. I notice that other apps, like One Drive, OneNote, requires to share file using IOS’s contact list. Without Exchange Sync to the native app contact, there seems to be no way to access the global address list and thus provide user unfriendly experience.

    • That’s good feedback Anna. It looks like that would be yet another reason why pushing the ‘outlook only’ as a client could be a end-user challenge!

  8. Great article, really helpful. We are using SCCM with Intune. When the device is enrolled in the Company Portal I see it in SCCM... cool, I get that. Why does my device_Outlook also appear in Intune when I use the Outlook app? Is this expected? We intend to use SCCM for device Mgmt and an “extra” device appearing in Intune was unexpected. Thanks

    • Hi Ben,

      Yes you could say this is ‘expected’ but admittedly it is definitely confusing 🙂

      It’s, I believe, a hangover of how EXO manages ActiveSync connections – you should see that there is a column called ‘managed by’ and it’s marked as EAS.

      Just ignore those _Outlook device objects for the purposes of device mgmt.

      Regards,
      Dave

  9. Hi Dave,

    I have questions in terms of moving users from On-prem Exchange to O365 who are using the Outlook app. The current policy is set such that the users are able to access emails on the Outlook App through Intune. However, once they are moved to O365 they are able to use the same existing policy but they have to re-enroll their device and reconfigure it to work again. Is there anything we can do to ensure a better user experience, as we can just change the policy from the backend and the user would just need to enter the user name and password once moved to O365? Any help is appreciated.

    Cheers

  10. Hi All,

    I have configured my Exchange Email account in the Android Outlook application. Configuration is fine and mail is working, but I am having issues with the Calendar: I am unable to send Email to Meeting invitees, getting the error “This Action is not allowed by your organization”. Not sure what policy I need to change?

    Second one, if I delete an invitee in the Microsoft Outlook app, the cancellation email is not going out to invitees.

    Note: the above scenarios work perfectly on the iOS Microsoft Outlook application; the issue is only on the Android MS Outlook app.

    Please help me on this.

  11. Is there a way to allow only Intune managed devices to access our corporate email? We don’t want any of our users to access our email from their own personal devices. We tried disabling ActiveSync for all users but then the native iOS mail app stopped working

    • Hi Adrian, one way you could tackle that is to disable all non-standard protocols (IMAP, POP) and allow only MAPI. Following that, create a security policy in Exchange Online that has the “requires managed email profile”. That should block configuration attempts. You’ll then have to push out email profiles from Intune.
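The first part of that reply, switching POP and IMAP off per mailbox, is a per-user client access setting in Exchange Online and can be audited and applied from PowerShell. The script below is an added example, not something from the original thread; it assumes the ExchangeOnlineManagement module and Exchange admin rights. The “requires managed email profile” setting mentioned in the reply is an Intune compliance policy setting and is not part of this script.

```powershell
# Added example (not from the original thread): audit and disable the legacy
# POP/IMAP protocols for every mailbox in Exchange Online.
# Assumes: ExchangeOnlineManagement module, Exchange admin rights.
Connect-ExchangeOnline

# 1. Report which mailboxes still have POP or IMAP enabled, alongside the
#    protocols that are left untouched (ActiveSync is still needed by the
#    Outlook app discussed in this post, MAPI by Outlook desktop).
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
$legacy | Select-Object Name, PopEnabled, ImapEnabled, ActiveSyncEnabled, MAPIEnabled |
    Format-Table -AutoSize
"Mailboxes with POP or IMAP enabled: $($legacy.Count)"

# 2. Disable POP and IMAP on those mailboxes only (WhatIf first to preview).
$legacy | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false -WhatIf
}
# Remove -WhatIf once the preview looks right, then re-run step 1: the count
# should drop to zero.
```

Disabling the protocol at the mailbox level also closes off newly configured POP/IMAP clients for those users; mailboxes created later inherit the tenant's CAS mailbox plan defaults, so re-run the audit periodically rather than treating it as a one-off.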
