How to configure Microsoft Intune / Azure AD Conditional Access to Microsoft Office 365 Exchange Online

With Microsoft Intune you can do great things. You can enroll all kind of mobile devices to enforce MDM policies, push applications and even configure managed mobile applicaties like the Microsoft Office applications. You can add an additional security layer to these managed applications by applying an additional access pincode and encrypt the data within the applications. Data can be isolated, so it can only be exchanged between other managed apps. In this way you can prevent that users can save email attachments to the local device if they use the management Microsoft Outlook application.

But what makes this all useful if you can just configure mail in an unmanaged native mail client on your iPhone or Android device?

For that, we have the option to configure Conditional Access. With Conditional Access you can control under what conditions the user or device has access to SaaS applications like SharePoint and Exchange Online. The most common Conditional Access policies that I use are;

  • Enforce the user to enroll the device before access to email is granted (any mail client)
  • Enforce the user to use the managed Microsoft Outlook app for email (native mail clients cannot be used to access email anymore)

In this blog I will show you how to configure Conditional Access to Exchange Online. First I will show you how to enforce device enrollment and second how to enforce the use of the Microsoft Outlook application. You must know that in both cases you need to configure two separate Conditional Access to let this fully work! I show you why…

Configuring Conditional Access to enforce device enrollment (Part 1)

The first step for this blog is to create a Conditional Access policy to enforce device enrollment for modern apps (apps that support modern authentication like Microsoft Outlook).

Within the Microsoft Azure Portal, navigate to Intune > Conditional access

Click Policies and click the “+ New policy” button.

Give the new policy a name. For this blog I will give it the name : CA-ExchangeOnline-ModernApps

Under Assignment click Users and groups and select an Azure AD security group if you want to apply this policy to a selected group of users (optional). All users is also an option. Click Done

Click on Cloud apps, click Select apps en search for Office 365 Exchange Online. Click on Select and Done

Select Conditions, and then choose for Client apps. On the right hand side click Select client apps and select both Browser and Mobile apps and desktop clients. Click Done twice.

Under Access controls select Grant. On the right hand side of the screen click Grant access and select Require device to be marked as compliant. Click on Select in the bottom of the screen.

Make sure that Enable policy is set to On and click on Create

Testing the Conditional Access policy to enforce device enrollment (Part 1)

I will now show you what the effect of this policy is on a Apple iPad device within the Microsoft Outlook app and also the native Mail app.

Open the Microsoft Outlook app and click Get Started

Fill in your email address and click Add account

Enter your password and click Sign in

As you can see, the user is forced to Enroll the device before access to email is granted. So far so good…

Let’s do the same test with the native Mail client. Start the Mail app and click Exchange

Fill in your email address and click Next

This is an important step. If you choose for Sign In the modern authorization method will be used with Autodiscovery. If you choose for Configure Manually.. well just like the name says. You have to configure everything yourself without Autodiscovery but also not with modern authorization. We will come back to that later. For now choose Sign In.

Fill in the password en click Sign in

As you can see, this time the user is also enforced to enroll the device, so that’s OK. But what if you hit the Cancel button or if you had chosen Configure Manually in the previous step? Lets find out.. Hit the Cancel button.

Click Ok

Manually fill in the requested information and click Next

Everything is correct

Click Save

And now I have access to my email without enrolling the device. To solve this “problem” we need to configure a second policy.

Configuring Conditional Access to enforce device enrollment (Part 2)

Within the Microsoft Azure portal go back to Intune > Conditional access. Select Policies and click the “+New Policy” botton.

Give the new policy a name. For this blog I will give it the name : CA-ExchangeOnline-EAS

Under Assignment click Users and groups and select an Azure AD security group if you want to apply this policy to a selected group of users (optional) Click Done

Click on Cloud apps, click Select apps en search for Office 365 Exchange Online. Click Select and Done

Select Conditions, and then choose for Client apps. This time select Exchange ActiveSync. Click Done twice.

Under Access controls select Grant. On the right hand side of the screen click Grant access and select Require device to be marked as compliant. Click on Select in the bottom of the screen.

Make sure that Enable policy is set to On and click on Create

Testing the Conditional Access policy to enforce device enrollment (Part 2)

I will now show you what the effect of this policy is on a Apple iPad device within the native Mail app with manual configuration.

Start the native Mail app and click Exchange

Fill in your email address and click Next

Click Configure Manually

Fill in the password en click Next

Fill in the requested information and click Next

Click Save

As you can see, the policy is applied and no mail can be received before enrolling the device.

Configuring Conditional Access to enforce the Microsoft Outlook App (and block the use of the native mail apps)

In the next step I show you how to enforce the use of the (managed) Microsoft Outlook app and blocking the use of any native mail client. If you are using Microsoft Intune and configure Mobile Application Management (MAM) policies to protect company data (like email and documents) this would be the minimum Conditional Access policy to configure.

The steps of this Conditional Access policy are, except for one step, the same as the previously made Conditional Access policies to enforce device enrollment. Therefore, I only show you the setting that is different. Create also two policies for this scenario, one for the modern apps, and one for Exchange ActiveSync! You can also combine the settings into one policy (Enrollment enforcement and Outlook enforcement, but again, you still need to create two policies, one for ModernApps, one for EAS).

Create a new Conditional Access policy (or edit the first one) and walk through the same steps as with the first created CA policy. The only difference is under Access controls. Select Grant. On the right hand side of the screen click Grant access and select Require approved client app. Click on Select in the bottom of the screen and Save. Repeat this step for both policies (EAS and Modern Apps).

Test the Microsoft Outlook Conditional Access enforcement policy

Lets take a look at the results of the second Conditional Access policy.

These are the results when you choose the Sign In option (Autodiscovery) when configuring the native mail client

These are the results when you choose the Configure Manually option when configuring the native mail client.

Conclusion

When using Microsoft Intune to manage mobile devices and manage applications in combination with Microsoft Office 365 / Exchange Online, Conditional Access policies are a very powerful way to protect company email and data. Enforcing the end user to enroll their mobile devices or to force the end user to use a managed version of the Microsoft Outlook mobile app (instead of the unmanaged native mail client) gives the company the power to keep in control of the company data at any time.

11 comments

  • As of late, have you seen an issue where you are able to bypass CA when manually configuring the email profile? At work I can do this on both the native app for iOS and Android and also any third party apps, I have created a new trial account, and can only bypass it with the native email app.

    • Hi Gabriel, Yes. that’s the reason you need to make sure you that you, next to the modern authentication, also have a CA configured specially for Exchange ActiveSync clients.

  • What if someone already has the Client configured? It does not seem to block them if it’s already there

  • hello Robin, i have created the policy but i’m having issues accessing the Outlook app on my chrome browser.
    The device is already marked as compliant but when i open outlook on my browser i get the following error message.

    You can’t get there from here
    This application contains sensitive information and can only be accessed from:
    Devices or client applications that meet Cloud Productivity Solutions Limited management compliance policy.
    Since you’re using Chrome, you need to install this extension. You must be on Windows 10 version 1703 and above. Please click here for details. Alternatively, you can use Microsoft Edge or Internet Explorer to access this application.
    If you’re not planning to do this right now, you might still be able to browse to other Cloud Productivity Solutions Limited sites. Otherwise, sign out to protect your account.
    Sign out and sign in with a different account
    More details

  • Hi Robin, can blocking EAS with Intune and Conditional Access be achieved on iOS without having to install the Microsoft Authenticator app? The end goal is to just have Outlook as the default mail app.

  • Hi Robin!
    A very useful post, but I’m trying to do that with an Android phone Samsung Galaxy Note 9, using native application Samsung mail, but it doesn’t work. Do you know if it’s possible or if a beaviour of the Samsung mail application and I have to use Outlook application on Samsung phone instead the native app.

    Thanks!

    • Hi Wyatt, I had exactly the same situation yesterday by a customer. I made a separate CA policy like described under “Configuring Conditional Access to enforce device enrollment (Part 2)” and then it worked. Did you combine the CA’s into one policy at first try?

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close