In Part 1 I described the Conditional Access scenario where you want to combine both Device and App Conditional Access for a single user. This series of blog posts is focusing on the Exchange Online. The first post of the series described how to configure Conditional Access to enforce MFA on accessing Exchange Online through for browser access and how to enforce a compliant device for Exchange Online ActiveSync. In this part I want to focus on configuring Conditional Access for the Exchange Online Apps. I want to achieve the following: when the device is MDM enrolled MAM with Enrollment should be applied on MAM capable apps and on these devices the user should be able to configure apps which are using ActiveSync (like the Inbox mailapps on Android and iOS). On devices which are not MDM enrolled the user should only be able to configure the Outlook App for Exchange Online. When the device is not MDM enrolled the user is not allowed to use and configure non-MAM capable apps. My ultimate goal is to provide these scenarios for each of the platforms: Windows, Android and iOS.
Updated blogpost on this topic can be found here
Let’s start with configuring a Device Conditional Access policy for Exchange Apps:
- Go to the Azure Portal and open the Azure Active Directory section. Go to Conditional Access and click on New Policy
- Give the Policy a Name. In the Users and Groups section select All Users and click on Done
- In the Cloud Apps section select Exchange Online and click on Done
- In the Conditions section select All Device platforms and only the Mobile Apps and Desktop Clients as Client App
- In the Access Controls section select Require device to be marked as compliant:
- Select Enable Policy -> On and Save the policy
- Next step is to create the MAM Policy and configure App- Based Conditional Access policy. In the portal go to the Intune App Protection section
- In the menu choose App Policy and click on Create Policy and enter a Name for the Policy
- Choose Android as platform and choose Outlook in the App section (for this scenario we only need the Outlook app)
- In the Settings section select the settings which need to be applied on the App based on your compony security policy.
- When all settings are configured save the policy and assign it to a group of users;
- The last configuration step is configuring App Based Conditional Access. In the Intune App Protection menu go to the Exchange Online Conditional Access section:
- In our scenario we want to only allow apps that support Intune App policies. Select this option and click on Save:
- The last configuration step is to assign this policy to the same user group as used in the App Policy created in step 8.
With this configuration let’s check how the devices. Small note before we start: To configure MAM without enrollment you need to install the Company Portal app on Android and the Authenticator app on iOS:
As you can see we’re not able to configure the Oulook app without enrollment because Device Based Conditional Access is enforcing enrollment. So the short conclusion is:
It’s not possible to configure both Device and App Conditional Access for the same platforms. So you’ve to choose between Device and App based Conditional Access.
To continue I will exclude the Android and iOS platforms from the Device Based Conditional Access policy for Apps. So the platforms section will look like:
Now let’s see what will happen when we try to configure Exchange Online in the Outlook App without enrolling the device:
During the configuration of the Outlook App the App now asks me to configure my device:
Now the Outlook App is configured and also in the portal the MAM enrollment is visible:
Now let’s do a final check that we can still configure ActiveSync and the Oulook app from an MDM enrolled Android Device:
Basically this message is telling me that only the Outlook App is allowed for accessing Exchange email. The conclusion is that App Conditional Access always enforces an app which supports Intune MAM policies. This is also described in this documentation article: https://docs.microsoft.com/en-us/intune-classic/deploy-use/mam-ca-for-exchange-online#create-an-exchange-online-policy. Based on this documentation and the tests your company need to make a decision between:
- Allow both ActiveSync and the Outlook app for MDM enrolled devices and don’t allow Exchange Online App access for not MDM enrolled devices;
- Allow only the use of the Outlook App (or other Intune App policies compatible apps) for both MDM enrolled and not enrolled devices;
- Let the user choose between the above options.
In the next blogpost I will show you how to create the configuration allowing the user to choose between the options.