In this post, I will show you how to enforce the use of specific email apps to access Office 365 email. My testing was done with a OnePlus 5, so I can’t be sure that all Android models behave in the same way.

Requirements:

  • Office 365 licenses
  • EMS or Intune licenses
  • Android device.
  • Device compliance policy configured.

Scenario 1: Allow any email client, enforce enrolling the device in Intune.

In this scenario, users can set up any email client to access Office 365 email. The user will receive an email redirecting them to download the Microsoft Intune Company Portal app, which then guides them to enroll the device in Intune.

This Conditional Access policy will require the device to be marked as compliant. When the device is not enrolled in Intune (so the device is not compliant), Intune Conditional Access leverages Exchange ActiveSync to quarantine these legacy clients and sends an email to the user’s inbox indicating that they need to install the Microsoft Intune Company Portal app and enroll their device in order to access Exchange mail and other resources.

  1. Go to the Azure Portal: https://portal.azure.com/
  2. Go to Intune and create a new Conditional Access policy
  3. Fill in the information as below:
    Name: CA – Allow Email Basic and Modern Auth. required enrolled (Android)
    Assignments – Users and groups: choose the user groups you wish to assign this policy to
    Assignments – Cloud apps: Select apps – Office 365 Exchange Online
    Assignments – Conditions: Client apps (preview) – Modern authentication clients, Exchange ActiveSync clients, Other clients
    Access controls – Grant: Grant access – Require device to be marked as compliant


  4. Enable the policy

Scenario 2: Allow setting up email but block syncing it, enforce/redirect to Outlook, enforce enrolling the device in Intune.

In this scenario, users can set up the Android native email client for Office 365 email. The user will receive an email and will be redirected to download Outlook. When the user sets up Outlook, it will enforce the download of the Microsoft Intune Company Portal app and guide the user to enroll the device in Intune. The user will not be able to use the Android native email client to sync Office 365 emails.

This Conditional Access policy will require the device to use an approved client app and to be marked as compliant; in this case the approved email app is Outlook. If the user is using an email client other than Outlook to access Office 365 Exchange Online, it will enforce the use of the Outlook app and will not allow email to sync. Intune Conditional Access leverages Exchange ActiveSync to quarantine these unapproved clients and sends an email to the user’s inbox indicating that they need to install the Outlook app and enroll their device to access Exchange mail and other resources.

The configuration is almost the same as in Scenario 1; the only changes are:

Name: CA – Required Modern Auth. email client and enrolled (Android)
Access controls – Grant: Grant access – Require device to be marked as compliant
Access controls – Grant: Grant access – Require approved client app
For multiple controls: Require all the selected controls


Scenario 3: Allow only the Android native email client, block anything else.

In this scenario, users can set up the Android native email client to access Office 365 email. The user will receive an email redirecting them to download the Microsoft Intune Company Portal app, which then guides them to enroll the device in Intune. The user cannot access Office 365 email by any method other than the native email client with basic authentication.

We will need to create two Conditional Access policies: one to allow Exchange ActiveSync basic authentication, and another to block modern authentication clients and other clients.

Conditional Access policy to allow Exchange ActiveSync basic authentication

The configuration is almost the same as in Scenario 1; the only changes are:

Name: CA – Allow Email Basic Auth. required enrolled (Android)
Assignments – Conditions: Client apps (preview) – Exchange ActiveSync clients
Access controls – Grant: Grant access – Require device to be marked as compliant

Conditional Access policy to block modern authentication clients and other clients

The configuration is almost the same as in Scenario 1; the only changes are:

Name: CA – Block modern Auth. and other email clients (Android)
Assignments – Conditions: Client apps (preview) – Modern authentication clients, Other clients
Access controls – Grant: Block access
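To make the three scenarios comparable side by side, here is an added example (not the post’s own steps, which are done in the Azure portal) that expresses each scenario as a Microsoft Graph conditionalAccessPolicy-style JSON body and runs sample sign-ins through a small local evaluator. Assumptions: the field names and the clientAppTypes / builtInControls values follow the Graph conditionalAccessPolicy resource; the Exchange Online application ID and the group object ID are placeholders to verify against your own tenant; and the evaluator is a simplified model of how Conditional Access combines policies (any applicable block wins, otherwise every applicable policy’s grant controls must be met), which treats “Require approved client app” as something only a modern authentication client can satisfy.

```python
"""
The three Conditional Access scenarios from the post, modelled as Microsoft
Graph conditionalAccessPolicy-style JSON bodies plus a small local evaluator.
Added example, not the post's own configuration: field names are assumed to
follow the Graph conditionalAccessPolicy resource, and the evaluator is a
simplified model of how Conditional Access combines policies.
"""
import json

# Assumed well-known appId for Office 365 Exchange Online; verify in your tenant.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
# Placeholder: object ID of the user group the policies are assigned to.
TARGET_GROUP_ID = "<assigned-group-object-id>"

# Graph clientAppTypes values corresponding to the portal labels in the post.
MODERN = "mobileAppsAndDesktopClients"  # "Modern authentication clients"
EAS = "exchangeActiveSync"              # "Exchange ActiveSync clients"
OTHER = "other"                         # "Other clients"


def build_policy(name, client_app_types, built_in_controls, operator="OR"):
    """Return a policy dict shaped like a Graph conditionalAccessPolicy."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [TARGET_GROUP_ID]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            # No platform condition: as in the post, only client app types are matched.
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": {
            "operator": operator,  # "AND" = "Require all the selected controls"
            "builtInControls": list(built_in_controls),
        },
    }


# Scenario 1: any client, but the device must be compliant (enrolled).
SCENARIO_1 = [
    build_policy("CA – Allow Email Basic and Modern Auth. required enrolled (Android)",
                 [MODERN, EAS, OTHER], ["compliantDevice"]),
]

# Scenario 2: compliant device AND approved client app (Outlook), all controls required.
SCENARIO_2 = [
    build_policy("CA – Required Modern Auth. email client and enrolled (Android)",
                 [MODERN, EAS, OTHER], ["compliantDevice", "approvedApplication"],
                 operator="AND"),
]

# Scenario 3: allow EAS basic auth on compliant devices, block everything else.
SCENARIO_3 = [
    build_policy("CA – Allow Email Basic Auth. required enrolled (Android)",
                 [EAS], ["compliantDevice"]),
    build_policy("CA – Block modern Auth. and other email clients (Android)",
                 [MODERN, OTHER], ["block"]),
]


def evaluate(policies, client_app_type, compliant=False, approved_app=False):
    """Decide 'grant' or 'block' for one sign-in against a set of policies.

    Simplified model: "Require approved client app" can only be satisfied by a
    modern-authentication client; a basic-auth EAS client never passes it.
    """
    approved_app = approved_app and client_app_type == MODERN
    satisfied = {"compliantDevice": compliant, "approvedApplication": approved_app}

    applicable = [
        p for p in policies
        if p["state"] == "enabled" and client_app_type in p["conditions"]["clientAppTypes"]
    ]
    # Any applicable block policy wins regardless of other grant controls.
    if any("block" in p["grantControls"]["builtInControls"] for p in applicable):
        return "block"
    for p in applicable:
        results = [satisfied[c] for c in p["grantControls"]["builtInControls"]]
        ok = all(results) if p["grantControls"]["operator"] == "AND" else any(results)
        if not ok:
            return "block"  # in practice: EAS quarantine mail or Outlook enrollment prompt
    return "grant"


def to_graph_body(policy):
    """Serialise a policy as the JSON body for POST /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    for scenario in (SCENARIO_1, SCENARIO_2, SCENARIO_3):
        for p in scenario:
            print(to_graph_body(p))
    # Native (EAS) client on an enrolled device: allowed in scenarios 1 and 3, not 2.
    print(evaluate(SCENARIO_1, EAS, compliant=True))
    print(evaluate(SCENARIO_2, EAS, compliant=True))
    print(evaluate(SCENARIO_3, EAS, compliant=True))
```

Running it makes the difference between the scenarios concrete: the native EAS client on an enrolled device is granted in Scenarios 1 and 3 but blocked in Scenario 2, because it can never satisfy the approved client app control. It also shows that any other enabled policy with a block control that matches the same sign-in overrides all three scenarios, which is the first thing to check when the expected quarantine mail or enrollment prompt does not appear.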


NOTES:

If you have already setup your native email client before you created the Exchange ActiveSync basic authentication Conditional Access policy, you might have to wait 5-6 hours for those settings to apply. At the moment when I was writing this, I couldn’t find a working solution for this matter.


Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

comments
  • Rkast
    Posted at 21:42 March 17, 2018

    Thanks for this breakdown of all conditional access possibilities! The scenario’s are very clear and representative for customers. Maybe also throw in some mfa 🙂

    Does scenario 1 also work for the iOS native mail client, or does it not use basic auth?

    • Zeng Yinghua
      Posted at 23:35 March 17, 2018

      Thanks, sure give some love for MFA. 🙂
      Sorry, I can’t say for sure how it works on iOS, didn’t test it, it’s possible it works as well.

      • Peter
        Posted at 14:20 April 4, 2018

        I tested the Exchange active sync basic auth rule from scenario 1 on an iOS device. I regret to say that it doesn’t work. I can still access my corporate email on a non-enrolled iPhone. On my Android device, it works as expected. :-/

        • Zeng Yinghua
          Posted at 20:51 April 4, 2018

          Thank you for testing it on iOS device and sharing the result Peter!

        • Thomas
          Posted at 13:03 April 5, 2018

          Yeah, it’s weird. I have a client I tested with Outlook before, and it worked like a charm, but now I tested with ActiveSync and you are absolutely right, it doesn’t work. But there are no settings that define the device in Scenario 1, so why doesn’t it affect iOS?

          • Thomas
            Posted at 07:27 April 6, 2018

            6 hours later, I got the email in the EAS client that I need to register with Intune to get access on the iOS device, with no change to the scenario 1 configuration. Peter, can you confirm that it works for you?

          • Peter
            Posted at 09:12 April 6, 2018

            I also configured the second rule of scenario 1.
            On Android, it works as expected.
            On iOS, on my unenrolled device, I couldn’t access the corporate mail with the native app anymore. I got the message I needed to enroll. So I did. After that, I installed Outlook and was able to read the corporate mail. But I still can’t use the native mail app to read the corporate mail.

          • Thomas
            Posted at 08:17 April 12, 2018

            Peter, then you must have something wrong elsewhere. Maybe a compliance policy, or an Intune app policy somewhere.

            I have no problems getting the mail on both the native mail client and the Outlook app, once I registered the phone.

  • Thomas
    Posted at 10:31 March 19, 2018

    So in essence, using the native client is EAS, and using the Outlook app is Modern Authentication.

    The ActiveSync policy works on all devices, as it only looks for the EAS protocol, not the device. This is what I use to require iOS devices to be registered when in ActiveSync mode.

    • Peter
      Posted at 07:36 April 9, 2018

      Thomas,

      It still doesn’t work on my iPhone. I can still access the corporate mail without any problems. On Android, it works as expected.

  • Niles
    Posted at 18:21 July 27, 2018

    Though this appears to work on my android phone, I do not get the same verbiage in the dialogs in this article. In fact, it outright tells me that email is blocked. There is nothing saying that I have to install the Microsoft Company Portal app or any link redirected to it. Nor does it redirect me to the Outlook app or link to it.

    Is there a setting that I am missing elsewhere in Azure/Intune to get the verbiage and redirect to show?

    • Zeng Yinghua
      Posted at 11:09 July 30, 2018

      Can you tell me what configuration you have now? The setting I mentioned in the post, “Require device to be marked as compliant”, requires having “Device compliance” settings configured. I will update my post about that.

  • Niles
    Posted at 11:10 August 1, 2018

    Hi Zeng, are you referring to another post “Require device to be marked as compliant”? If so, I am not able to find it on this site.

    I did not have a Device Compliance policy configured for Android devices. However, after creating one and only requiring that the device is not rooted, I am still faced with the same message.

    • Zeng Yinghua
      Posted at 12:42 August 1, 2018

      Can you tell me what Conditional Access settings you have now and what scenario you are trying to do? What exact message did you get about email being blocked? From the Android Gmail client, Outlook or another email client?

  • Niles
    Posted at 12:00 August 2, 2018

    Hi Zeng, I am trying to achieve scenario #2. I have configured scenario #1, which appears to be a prerequisite for scenario #2.

    Exchange ActiveSync Basic Auth
    Exchange Online Modern Auth (Android)

    The message that I get is as follows,

    “You are receiving this message because your IT department has blocked your email access. This could be due to temporary conditions, like your network location.

    Contact your IT department with any questions or concerns about this mail. This email was automatically generated by Microsoft Exchange.”

    • Zeng Yinghua
      Posted at 14:44 August 2, 2018

      Hello, I updated my post since some new features came out not long ago. I tested all my scenarios; they all still work. Will you read it again and make sure no other CA policy is blocking it? Please let me know the result. If it is still not working for you, please let me know and I will contact you via email. Thanks.

      • Niles
        Posted at 11:00 August 3, 2018

        Bingo! It is now working as per your post. You were correct, there was another policy impacting the expected results. I had a CA policy that was set on my test account that would (should) prevent access from certain regions. Not sure why this CA was impacting your scenarios. I will have to revisit that CA in greater details.

        In any event, thank you very much for your help in this regard. 🙂

  • Emotino
    Posted at 20:33 September 13, 2018

    For a couple of weeks I have had some issues in SCENARIO 1: ALLOW USE ANY EMAIL CLIENTS. The Outlook app works fine. But if I want to use the Android Gmail app (Android for Work app) I get the message: “Action required to access your organization’s email on your mobile.” Is there any workaround so I can still use the Gmail app in Android for Work? Or have there been any changes in Gmail / Intune?

    • Zeng Yinghua
      Posted at 20:20 September 18, 2018

      Hello Emotino, sorry for the delay. I have been testing this, and it seems it no longer works in Scenario 1 when using Android Enterprise. It still works if not using Android Enterprise. I don’t know what has changed; last time I tested, it was still working.
