First of all, thanks to Gerry Hampson and Jan Ketil Skanke for their challenges and tips on this topic.

In this post I will show how to enforce which email apps can be used to access Office 365 email. My testing was done on a OnePlus 5; I can't be sure that all Android models behave the same way.

Scenario 1: Allow both the Android native email client and Outlook, and enforce enrolling the device in Intune.

In this scenario, users can set up either the Android native email client or the Outlook app to access Office 365 email. The user receives an email redirecting them to download the Microsoft Intune Company Portal, which then guides them through enrolling the device in Intune.

We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication and one for Exchange Online modern authentication:

Conditional Access Policy for Exchange ActiveSync basic authentication

This policy controls Exchange ActiveSync basic authentication, for example the Android native client. If a user accesses Office 365 Exchange Online from the native client with basic authentication, the device is required to be marked as compliant. When the device is not enrolled in Intune (and therefore not compliant), Intune Conditional Access leverages Exchange ActiveSync to quarantine these legacy clients and sends an email to their inbox indicating that they need to install the Microsoft Intune Company Portal app and enroll their device in order to access Exchange mail and other resources.

  1. Go to the Azure Portal: https://portal.azure.com/
  2. Go to Intune and create a new Conditional Access Policy
  3. Fill in the information as below:
    Name: Exchange ActiveSync basic Auth
    Assignments – Users and groups: choose the user groups you wish to assign this policy to
    Assignments – Cloud apps: Select apps – Office 365 Exchange Online
    Assignments – Conditions: Client apps – Exchange ActiveSync
    Access controls – Grant: Grant access – Require device to be marked as compliant

  4. Enable the policy

Conditional Access Policy for Exchange Online modern authentication

This policy controls Exchange Online modern authentication. Configured as follows, it requires the device to be enrolled in Intune and the Outlook app to be used to access Office 365 email. This policy doesn't conflict with the basic authentication Conditional Access policy, because it only applies to clients using modern authentication.

  1. Go to the Azure Portal: https://portal.azure.com/
  2. Go to Intune and create a new Conditional Access Policy
  3. Fill in the information as below:
    Name: Exchange Online Modern Auth (Android)
    Assignments – Users and groups: choose the user groups you wish to assign this policy to
    Assignments – Cloud apps: Select apps – Office 365 Exchange Online
    Assignments – Conditions: Device platforms – Select device platforms – Android
    Access controls – Grant: Grant access – Require device to be marked as compliant
    Access controls – Grant: Grant access – Require approved client apps
    For multiple controls: Require all the selected controls

  4. Enable the policy

Scenario 2: Allow setup of the Android native email client but block email sync, enforce/redirect to Outlook, and enforce enrolling the device in Intune.

In this scenario, users can set up the Android native email client for Office 365 email. The user will receive an email redirecting them to download Outlook. When the user sets up Outlook, it enforces downloading the Microsoft Intune Company Portal app and guides the user through enrolling the device in Intune. The user will not be able to sync Office 365 email with the Android native email client.

We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication and one for Exchange Online modern authentication:

Conditional Access Policy for Exchange ActiveSync basic authentication

This policy controls Exchange ActiveSync basic authentication, for example the Android native client. If the user accesses Office 365 Exchange Online from the native email client with basic authentication, the device is required to be marked as compliant and an approved client app is required. In this case the approved email app is Outlook, so the policy enforces the use of the Outlook app and does not allow email sync with the Android native email client. Intune Conditional Access leverages Exchange ActiveSync to quarantine these legacy clients and sends an email to their inbox indicating that they need to install the Outlook app and enroll their device to access Exchange mail and other resources.

The configuration is similar to the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange ActiveSync basic authentication" setup. The only changes are:

Access controls – Grant: Grant access – Require device to be marked as compliant
Access controls – Grant: Grant access – Require approved client apps
For multiple controls: Require all the selected controls

Conditional Access Policy for Exchange Online Modern authentication

The configuration is the same as in the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange Online modern authentication" setup.

Scenario 3: Allow usage of only Android native email client, block anything else.

In this scenario, users can set up the Android native email client to access Office 365 email. The user receives an email redirecting them to download the Microsoft Intune Company Portal, which then guides them through enrolling the device in Intune. The user cannot access Office 365 email by any method other than the native email client with basic authentication.

We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication and one for Exchange Online modern authentication:

Conditional Access Policy for Exchange ActiveSync basic authentication

The configuration is the same as in the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange ActiveSync basic authentication" setup.

Conditional Access Policy for Exchange Online modern authentication

The configuration is similar to the "Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange Online modern authentication" setup. The only change is:

Access controls – Grant: Block access
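All three scenarios use the same two policies and differ only in their grant controls. As an added example, not part of the original post, the Python below writes each policy in the shape of the Microsoft Graph conditionalAccessPolicy resource and runs a reduced model of Conditional Access evaluation over constructed sign-ins (native client = Exchange ActiveSync basic auth, Outlook = modern auth). It shows why the two policies don't overlap and which combination of enrolment and app is granted, denied or blocked in each scenario. The app and group IDs are placeholders, and the model assumes, as the post describes, that a policy with no client-apps condition covers only modern-auth clients; check that against your tenant's actual behaviour. It also makes a scoping caveat visible: the Scenario 3 block is conditioned on the Android platform, so in this model a modern-auth client on another platform matches neither policy.

```python
"""Model of the three Conditional Access scenarios from the post.

Policies are written in the shape of the Microsoft Graph conditionalAccessPolicy
resource (displayName, state, conditions, grantControls). The evaluation is a
reduced teaching model, not Azure AD's engine: it ignores MFA, session controls,
named locations and exclusions, and all IDs are placeholders.
"""

# Placeholders (assumed): substitute the Office 365 Exchange Online app id and the
# object id of the group you assign the policies to.
EXCHANGE_ONLINE = "APP-ID-OFFICE-365-EXCHANGE-ONLINE"
PILOT_GROUP = "GROUP-ID-PILOT-USERS"

# Model assumption: a policy with no client-apps condition covers modern-auth
# clients only, which is how the post describes the second policy of each scenario.
MODERN_AUTH_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}


def policy(name, client_app_types=None, platforms=None, controls=("compliantDevice",)):
    """Build one policy in Graph conditionalAccessPolicy shape."""
    conditions = {
        "users": {"includeGroups": [PILOT_GROUP]},
        "applications": {"includeApplications": [EXCHANGE_ONLINE]},
    }
    if client_app_types:
        conditions["clientAppTypes"] = list(client_app_types)
    if platforms:
        conditions["platforms"] = {"includePlatforms": list(platforms)}
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
    }


EAS_COMPLIANT = policy("Exchange ActiveSync basic Auth",
                       client_app_types=["exchangeActiveSync"])
EAS_COMPLIANT_AND_APPROVED = policy("Exchange ActiveSync basic Auth",
                                    client_app_types=["exchangeActiveSync"],
                                    controls=["compliantDevice", "approvedApplication"])
MODERN_ANDROID_OUTLOOK = policy("Exchange Online Modern Auth (Android)", platforms=["android"],
                                controls=["compliantDevice", "approvedApplication"])
MODERN_ANDROID_BLOCK = policy("Exchange Online Modern Auth (Android)", platforms=["android"],
                              controls=["block"])

SCENARIO_1 = [EAS_COMPLIANT, MODERN_ANDROID_OUTLOOK]               # native or Outlook, enrolled
SCENARIO_2 = [EAS_COMPLIANT_AND_APPROVED, MODERN_ANDROID_OUTLOOK]  # Outlook only, enrolled
SCENARIO_3 = [EAS_COMPLIANT, MODERN_ANDROID_BLOCK]                 # native only, enrolled


def applies(pol, signin):
    """True when the policy's assignments and conditions cover this sign-in."""
    if pol["state"] != "enabled":
        return False
    cond = pol["conditions"]
    if signin["group"] not in cond["users"]["includeGroups"]:
        return False
    if signin["app"] not in cond["applications"]["includeApplications"]:
        return False
    if signin["client_app_type"] not in set(cond.get("clientAppTypes", MODERN_AUTH_CLIENTS)):
        return False
    platforms = cond.get("platforms", {}).get("includePlatforms", ["all"])
    return "all" in platforms or signin["platform"] in platforms


def satisfied(control, signin):
    """Can the sign-in prove the required grant control?"""
    if control == "compliantDevice":
        return signin["device_compliant"]
    if control == "approvedApplication":
        return signin["approved_app"]
    raise ValueError(f"control not modelled: {control}")


def evaluate(policies, signin):
    """Return (decision, names of the policies that applied). Block beats grant."""
    matched = [p for p in policies if applies(p, signin)]
    names = [p["displayName"] for p in matched]
    required = []
    for pol in matched:
        controls = pol["grantControls"]["builtInControls"]
        if "block" in controls:
            return "block", names
        for control in controls:
            if control not in required:
                required.append(control)  # operator AND: every control must hold
    missing = [c for c in required if not satisfied(c, signin)]
    if missing:
        return "denied: missing " + ",".join(missing), names
    return "grant", names


def make_signin(client, platform="android", enrolled=False):
    """Constructed sign-in: the native client uses EAS basic auth, Outlook modern auth."""
    return {
        "group": PILOT_GROUP,
        "app": EXCHANGE_ONLINE,
        "platform": platform,
        "client_app_type": "exchangeActiveSync" if client == "native" else "mobileAppsAndDesktopClients",
        "device_compliant": enrolled,         # enrolled in Intune and marked compliant
        "approved_app": client == "outlook",  # only Outlook counts as an approved client app
    }


if __name__ == "__main__":
    scenarios = (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2), ("Scenario 3", SCENARIO_3))
    for label, pols in scenarios:
        for client in ("native", "outlook"):
            for enrolled in (False, True):
                decision, names = evaluate(pols, make_signin(client, enrolled=enrolled))
                print(f"{label}: {client:7} enrolled={enrolled!s:5} -> {decision} via {names}")
```

Run it as a script to print the decision table for all three scenarios. The interesting rows are Scenario 2, where the native client is denied even on an enrolled device because it can never satisfy "approved client app" (this is the quarantine-and-redirect behaviour the post describes), and Scenario 3, where Outlook on Android is blocked outright while the same modern-auth sign-in from a platform outside the policy's scope is not evaluated at all.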


NOTES:

If you had already set up your native email client before you created the Exchange ActiveSync basic authentication Conditional Access policy, you might have to wait 5-6 hours for those settings to apply. At the time of writing, I couldn't find a working solution for this.


Sandy has been working in the IT industry since 2009, primarily dealing with SCCM, MDT, Group Policy, software packaging and workstation troubleshooting. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

comments
  • Rkast
    Posted at 21:42 March 17, 2018

    Thanks for this breakdown of all the conditional access possibilities! The scenarios are very clear and representative for customers. Maybe also throw in some MFA 🙂

    Does scenario 1 also work for the iOS native mail client, or does it not use basic auth?

    • Zeng Yinghua
      Posted at 23:35 March 17, 2018

      Thanks, sure give some love for MFA. 🙂
      Sorry, I can't say for sure how it works on iOS; I didn't test it. It's possible it works as well.

      • Peter
        Posted at 14:20 April 4, 2018

        I tested the Exchange ActiveSync basic auth rule from scenario 1 on an iOS device. I regret to say that it doesn't work. I can still access my corporate email on a non-enrolled iPhone. On my Android device, it works as expected. :-/

        • Zeng Yinghua
          Posted at 20:51 April 4, 2018

          Thank you for testing it on an iOS device and sharing the result, Peter!

        • Thomas
          Posted at 13:03 April 5, 2018

          Yeah, it's weird. I have a client I tested with Outlook before, and it worked like a charm, but now I tested with ActiveSync and you are absolutely right, it doesn't work. But there are no settings that define the device in Scenario 1, so why doesn't it affect iOS?

          • Thomas
            Posted at 07:27 April 6, 2018

            6 hours later, I got the email in the EAS client that I need to register with Intune to get access on the iOS device, with no change to the scenario 1 configuration. Peter, can you confirm that it works for you?

          • Peter
            Posted at 09:12 April 6, 2018

            I also configured the second rule of scenario 1.
            On Android, it works as expected.
            On iOS, on my unenrolled device, I couldn't access the corporate mail with the native app anymore. I got the message that I needed to enroll, so I did. After that, I installed Outlook and was able to read the corporate mail. But I still can't use the native mail app to read the corporate mail.

          • Thomas
            Posted at 08:17 April 12, 2018

            Peter, then you must have something wrong elsewhere. Maybe a compliance policy, or an Intune app policy somewhere.

            I have no problems getting the mail on both the native mail client and the Outlook app, once I registered the phone.

  • Thomas
    Posted at 10:31 March 19, 2018

    So in essence, using the native client is EAS, and using the Outlook app is modern authentication.

    The ActiveSync policy works on all devices, as it only looks for the EAS protocol, not the device. This is what I use to require iOS devices to be registered when in ActiveSync mode.

    • Peter
      Posted at 07:36 April 9, 2018

      Thomas,

      It still doesn't work on my iPhone. I can still access the corporate mail without any problems. On Android, it works as expected.
