How to enforce usage of email apps on Android with Microsoft Intune
First of all, thanks to Gerry Hampson and Jan Ketil Skanke for their challenges and tips on this topic.
In this post, I will show you how to enforce the usage of specific email apps to access Office 365 email. My testing was done on a OnePlus 5; I can't be sure that all Android models behave in the same way.
- Scenario 1: Allow use of either the Android native email client or the Outlook app, redirect the user to install the Microsoft Intune Company Portal app, and enforce enrollment of the device in Intune.
- Scenario 2: Allow setup of the Android native email client but block email sync there, enforce/redirect use of the Outlook app. When email is set up in Outlook, redirect the user to install the Microsoft Intune Company Portal app and enforce enrollment of the device in Intune.
- Scenario 3: Allow usage of the Android native email client only, redirect the user to install the Microsoft Intune Company Portal app, and enforce enrollment of the device in Intune. Block anything else.
Scenario 1: Allow either the Android native email client or Outlook, enforce enrollment of the device in Intune.
In this scenario, users can set up the Android native email client or the Outlook app to access Office 365 email. Users will receive an email redirecting them to download the Microsoft Intune Company Portal, which then guides them to enroll the device in Intune.
We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication, another one for Exchange Online modern authentication:
Conditional Access Policy for Exchange ActiveSync basic authentication
This policy controls Exchange ActiveSync basic authentication, for example the Android native client. If a user is using the native client with basic authentication to access Office 365 Exchange Online, the device is required to be marked as compliant. When the device is not enrolled in Intune (and therefore not compliant), Intune Conditional Access leverages Exchange ActiveSync to quarantine these legacy clients and sends an email to the user's inbox indicating that they need to install the Microsoft Intune Company Portal app and enroll their device in order to access Exchange mail and other resources.
- Go to Azure Portal : https://portal.azure.com/
- Go to Intune and create new Conditional Access Policy
- Fill in the information as below:
Name: Exchange ActiveSync basic Auth
Assignments – Users and groups: choose user groups that you wish to assign this policy
Assignments – Cloud apps: Select apps – Office 365 Exchange Online
Assignments – Conditions: Client apps – Exchange ActiveSync
Access controls – Grant: Grant access – Require device to be marked as compliant
- Enable policy
Conditional Access Policy for Exchange Online modern authentication
This policy controls Exchange Online modern authentication. With the settings below, it requires the device to be enrolled in Intune and the Outlook app to be used to access Office 365 email. This policy does not conflict with the basic authentication Conditional Access policy, because it only applies to modern authentication.
- Go to Azure Portal : https://portal.azure.com/
- Go to Intune and create new Conditional Access Policy
- Fill in the information as below:
Name: Exchange Online Modern Auth (Android)
Assignments – Users and groups: choose user groups that you wish to assign this policy
Assignments – Cloud apps: Select apps – Office 365 Exchange Online
Assignments – Conditions: Device platforms – Select device platforms – Android
Access controls – Grant: Grant access – Require device to be marked as compliant
Access controls – Grant: Grant access – Require approved client apps
For multiple controls: Require all the selected controls
- Enable policy
Scenario 2: Allow setup of the Android native email client but block email sync there, enforce/redirect use of Outlook, enforce enrollment of the device in Intune.
In this scenario, users can set up the Android native email client for Office 365 email. The user will receive an email redirecting them to download Outlook. When the user sets up Outlook, it enforces the download of the Microsoft Intune Company Portal app and guides the user to enroll the device in Intune. The user will not be able to use the Android native email client to sync Office 365 emails.
We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication, another one for Exchange Online with modern authentication:
Conditional Access Policy for Exchange ActiveSync basic authentication
This policy controls Exchange ActiveSync basic authentication, for example the Android native client. If the user is using the native email client with basic authentication to access Office 365 Exchange Online, the device is required to be marked as compliant and an approved client app is required. In this case the approved email app is Outlook, so the policy enforces usage of the Outlook app and does not allow email sync with the Android native email client. Intune Conditional Access leverages Exchange ActiveSync to quarantine these legacy clients and sends an email to the user's inbox indicating that they need to install the Outlook app and enroll their device to access Exchange mail and other resources.
The configuration is quite similar to the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange ActiveSync basic authentication" setup. The only changes are:
Access controls – Grant: Grant access – Require device to be marked as compliant
Access controls – Grant: Grant access – Require approved client apps
For multiple controls: Require all the selected controls
Conditional Access Policy for Exchange Online Modern authentication
The configuration is the same as in the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange Online modern authentication" setup.
Scenario 3: Allow usage of only the Android native email client, block anything else.
In this scenario, users can set up the Android native email client to access Office 365 email. Users will receive an email redirecting them to download the Microsoft Intune Company Portal, which then guides them to enroll the device in Intune. Users cannot access Office 365 email by any method other than the native email client with basic authentication.
We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication, another one for Exchange Online modern authentication:
Conditional Access Policy for Exchange ActiveSync basic authentication
The configuration is the same as in the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange ActiveSync basic authentication" setup.
Conditional Access Policy for Exchange Online modern authentication
The configuration is quite similar to the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange Online modern authentication" setup. The only change is:
Access controls – Grant: Block access
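To make the three scenarios comparable, here is an added example (not part of the original post) that models how the two Conditional Access policies of each scenario combine for a given sign-in. The policy dicts follow the layout of the Microsoft Graph conditionalAccessPolicy resource (displayName, conditions.clientAppTypes, conditions.platforms, grantControls), but the Request type and the evaluation function are this example's own simplification, not Azure AD's engine. It assumes what the post relies on: the modern authentication policy applies only to modern authentication client types (browser, mobile apps and desktop clients), the native mail client is not an approved client app, and Outlook is. The sample sign-ins are constructed.

```python
"""Added example: how the per-scenario Conditional Access policies combine.

Policy dicts mimic the Microsoft Graph conditionalAccessPolicy shape; the
evaluation logic is a simplification written for this example only.
"""
from dataclasses import dataclass

EXCHANGE_ONLINE = "Office 365 Exchange Online"  # cloud app selected in every policy


@dataclass(frozen=True)
class Request:
    """One sign-in to Exchange Online as Conditional Access sees it."""
    platform: str       # Graph devicePlatform value: "android", "iOS", ...
    client: str         # Graph clientAppType: "exchangeActiveSync" (native client,
                        # basic auth) or "mobileAppsAndDesktopClients" (Outlook)
    compliant: bool     # device enrolled in Intune and marked compliant
    approved_app: bool  # Intune-approved client app (Outlook yes, native client no)


def make_policy(name, client_app_types, platforms=("all",), controls=(), block=False):
    """Build a policy dict in Graph conditionalAccessPolicy layout."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [EXCHANGE_ONLINE]},
            "clientAppTypes": list(client_app_types),
            "platforms": {"includePlatforms": list(platforms)},
        },
        "grantControls": {
            "operator": "AND",  # "Require all the selected controls"
            "builtInControls": ["block"] if block else list(controls),
        },
    }


EAS = ("exchangeActiveSync",)                         # native client, basic auth
MODERN = ("browser", "mobileAppsAndDesktopClients")   # modern authentication only

# The three scenarios from the post, expressed as policy pairs.
SCENARIOS = {
    1: [make_policy("Exchange ActiveSync basic Auth", EAS, controls=("compliantDevice",)),
        make_policy("Exchange Online Modern Auth (Android)", MODERN, platforms=("android",),
                    controls=("compliantDevice", "approvedApplication"))],
    2: [make_policy("Exchange ActiveSync basic Auth", EAS,
                    controls=("compliantDevice", "approvedApplication")),
        make_policy("Exchange Online Modern Auth (Android)", MODERN, platforms=("android",),
                    controls=("compliantDevice", "approvedApplication"))],
    3: [make_policy("Exchange ActiveSync basic Auth", EAS, controls=("compliantDevice",)),
        make_policy("Exchange Online Modern Auth (Android)", MODERN, platforms=("android",),
                    block=True)],
}


def policy_applies(policy, req):
    """A policy only votes when both its client-app and platform conditions match."""
    cond = policy["conditions"]
    if "all" not in cond["clientAppTypes"] and req.client not in cond["clientAppTypes"]:
        return False
    plats = cond["platforms"]["includePlatforms"]
    return "all" in plats or req.platform in plats


def control_satisfied(control, req):
    if control == "compliantDevice":
        return req.compliant
    if control == "approvedApplication":
        return req.approved_app
    if control == "block":
        return False
    raise ValueError(f"unknown control {control!r}")


def evaluate(policies, req):
    """Return ("allow" | "block", [names of policies that denied]).

    Every applicable policy must grant; with operator AND every selected
    control must be met. For the EAS policy, "block" corresponds to the
    quarantine email the post describes."""
    denied = [
        p["displayName"] for p in policies
        if policy_applies(p, req)
        and not all(control_satisfied(c, req) for c in p["grantControls"]["builtInControls"])
    ]
    return ("allow" if not denied else "block", denied)


# Constructed sample sign-ins covering the cases discussed in the post and comments.
SAMPLES = {
    "native Android, unenrolled": Request("android", "exchangeActiveSync", False, False),
    "native Android, enrolled":   Request("android", "exchangeActiveSync", True, False),
    "Outlook Android, unenrolled": Request("android", "mobileAppsAndDesktopClients", False, True),
    "Outlook Android, enrolled":  Request("android", "mobileAppsAndDesktopClients", True, True),
    "native iOS, unenrolled":     Request("iOS", "exchangeActiveSync", False, False),
    "Outlook iOS, unenrolled":    Request("iOS", "mobileAppsAndDesktopClients", False, True),
}

if __name__ == "__main__":
    for n, policies in SCENARIOS.items():
        print(f"Scenario {n}")
        for label, req in SAMPLES.items():
            print(f"  {label:28} -> {evaluate(policies, req)}")
```

Running the table shows two things the step lists alone do not make obvious. First, the ActiveSync policy has no platform condition, so it also applies to an unenrolled iOS native client, which is what the comment thread below ends up observing. Second, because the modern authentication policy is scoped to Android, an Outlook sign-in from another platform matches neither policy in any of the three scenarios, so "block anything else" in Scenario 3 only holds for Android unless the platform condition is widened.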
NOTES:
If you had already set up your native email client before you created the Exchange ActiveSync basic authentication Conditional Access policy, you might have to wait 5-6 hours for those settings to apply. At the time of writing, I couldn't find a working solution for this.
Rkast
Thanks for this breakdown of all conditional access possibilities! The scenarios are very clear and representative for customers. Maybe also throw in some MFA 🙂
Does scenario 1 also work for the iOS native mail client, or does it not use basic auth?
Zeng Yinghua
Thanks, sure give some love for MFA. 🙂
Sorry, I can't say for sure how it works on iOS; I didn't test it. It's possible it works as well.
Peter
I tested the Exchange active sync basic auth rule from scenario 1 on an iOS device. I regret to say that it doesn’t work. I can still access my corporate email on a non-enrolled iPhone. On my Android device, it works as expected. :-/
Zeng Yinghua
Thank you for testing it on iOS device and sharing the result Peter!
Thomas
Yeah, it's weird. I have a client I tested with Outlook before, and it worked like a charm, but now I tested with ActiveSync and you are absolutely right, it doesn't work. But there are no settings that define the device in Scenario 1, so why doesn't it affect iOS?
Thomas
6 hours later, I got the email in the EAS client that I need to register with Intune to get access on the iOS device, with no change to the scenario 1 configuration. Peter, can you confirm that it works for you?
Peter
I also configured the second rule of scenario 1.
On Android, it works as expected.
On iOS, on my unenrolled device, I couldn’t access the corporate mail with the native app anymore. I got the message I needed to enroll. So I did. After that, I installed Outlook and was able to read the corporate mail. But I still can’t use the native mail app to read the corporate mail.
Thomas
Peter, then you must have something wrong elsewhere. Maybe a compliance policy, or an Intune app policy somewhere.
I have no problems getting the mail on both the native mail client and the Outlook app, once I registered the phone.
Thomas
So in essence, using the native client is EAS, and using the Outlook app is modern authentication.
The ActiveSync policy works on all devices, as it only looks for the EAS protocol, not the device. This is what I use to require iOS devices to be registered when in ActiveSync mode.
Peter
Thomas,
It still doesn’t work on my iPhone. I can still access the corporate mail without any problems. On Android, it works as expected.