Protect Company Data and Emails on Mobile Devices with Intune

More and more, companies are allowing employees to increase their productivity by accessing email, documents, and company resources through their mobile devices. However, the amount of confidential data that is stored within corporate emails and documents presents a significant security risk for companies.

You can use conditional access in Intune to help secure email and email data depending on the conditions you specify. Conditional access lets you manage access to Microsoft Exchange on-premises and Exchange Online.
Introduction

Protecting your company's data is vitally important, and is an increasingly challenging task as more employees are using their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data is protected even when those mobile devices are not within the company’s physical location.

The Microsoft Enterprise Mobility Suite (EMS) solves this challenge by delivering comprehensive protection of corporate email and documents across four layers – Identity, Device, Application, and Data. Among other capabilities, EMS ensures that employees can access corporate email only from devices that are managed by Microsoft Intune and compliant with IT policies.
You can implement conditional access by configuring two policy types in Intune:
Compliance policies are optional policies you can deploy to users and devices and evaluate
settings like passcode and encryption. The conditional access policies set in Intune ensure that
the devices can only access email if they are compliant with the compliance policies you set.
If no compliance policy is deployed to a device, then any applicable conditional access policies
will treat the device as compliant.
Conditional access policies are configured for a particular service, and define rules such as
which Azure Active Directory security user groups or Intune user groups will be targeted and
how devices that cannot enroll with Intune will be managed.
Note
Intune groups are not security groups. Rather, they are a collection of users that you can create
by using the Intune admin console.
Unlike other Intune policies, you do not deploy conditional access policies. Instead, you configure these
once, and they apply to all targeted users.
When devices do not meet the conditions you configure, the user is guided through the process of
enrolling the device and/or fixing the issue that prevents the device from being compliant.
Evaluating your desired implementation

With all of the different design and configuration options for managing mobile devices, it’s difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs for your company.
High level end-user experience

After the solution is implemented, end-users will be able to access the company email only on managed and compliant devices. Access can be revoked at any time if the device becomes noncompliant. Specifically, the conditional access policies set in Intune ensure that the devices can only access email if they are compliant with the compliance policies you set. Actions such as copy and paste or saving to personal cloud storage services can be restricted using mobile application management policies. The Azure Rights Management service can be used to ensure that the sensitive email data, and forwarded attachments, can only be read by intended recipients. The end-user experience is described in more detail in the End-user Experience section, later in this article.
Using conditional access with Intune

Use conditional access in Microsoft Intune to help secure email and other services depending on conditions you specify.
Prerequisites

You can control access to Exchange Online and Exchange on-premises from the following mail apps:
The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later
The built-in app for iOS 7.1 and later
The built-in app for Windows Phone 8.1 and later
The mail application on Windows 8.1 and later
The Microsoft Outlook app for Android and iOS (for Exchange Online only)
Before you start using conditional access, ensure that you have the correct requirements in place:
For Exchange Online
Conditional access to Exchange Online supports devices that run:
Windows 8.1 and later (when enrolled with Intune)
Windows 7.0 or later (when domain joined)
Windows Phone 8.1 and later
iOS 7.1 and later
Android 4.0 and later, Samsung Knox Standard 4.0 and later
Additionally, devices must be registered with the Azure Active Directory Device Registration Service
(AAD DRS).
AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.
You must use an Office 365 subscription that includes Exchange Online (such as E3) and users
must be licensed for Exchange Online.
The optional Microsoft Intune Service to Service Connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune). You do not need to use the connector to use compliance policies or conditional access policies, but it is required to run reports that help evaluate the impact of conditional access.
If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the
Office console but are not set as default policies and do not affect devices.
Do not configure the Service to Service Connector if you intend to use conditional access for
both Exchange Online and Exchange on-premises.
For Exchange Server on-premises
Conditional access to Exchange on-premises supports:
Windows 8.1 and later (when enrolled with Intune)
Windows Phone 8 and later
Any iOS device that uses an Exchange ActiveSync (EAS) email client
Android 4 and later.
Note
Additionally:
Your Exchange version must be Exchange 2010 or later. Exchange server Client Access Server
(CAS) configuration is supported.
If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to any one of the CAS servers.
Exchange ActiveSync can be configured with certificate based authentication, or user credential
entry.
You must use the on-premises Exchange connector which connects Intune to Microsoft
Exchange Server on-premises. This lets you manage devices through the Intune console (see
Mobile device management with Exchange ActiveSync and Microsoft Intune).
Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant.
You should also ensure that the Exchange connector for your tenant is installed on exactly one machine and not on multiple machines. If you have a CAS server environment that includes a mix of machines running both Exchange Server 2010 and 2013, you must configure the Exchange connector to point to the 2013 CAS server.
Deployment Steps for using Exchange on-premises with Intune
Step 1: Install and configure the Microsoft Intune on-premises Exchange Server connector.

This step will help you configure your on-premises infrastructure with Exchange on-premises.
You can only set up one Exchange connection per Intune account. If you try to configure an
additional connection, it will replace the original connection with the new one.
Requirements
To prepare to connect Intune to your Exchange Server, you must first fulfill the following requirements.
You may have already fulfilled these requirements when you set up Intune.
Requirement | More information
Set the Mobile Device Management Authority to Intune | Set mobile device management authority as Microsoft Intune
Verify you have hardware requirements for the on-premises connector | Requirements for the On-Premises Connector
Configure a user account with permission to run the designated list of Windows PowerShell cmdlets | Powershell Cmdlets for On-Premises Exchange Connector (see below)
Powershell Cmdlets for On-Premises Exchange Connector: You must create an Active Directory user
account that is used by the Intune Exchange Connector. See Configure Exchange cmdlet permissions for
Windows Intune Exchange Connector for help in configuring the account.
The account must have permission to run the following Exchange Server cmdlets:
Clear-ActiveSyncDevice
Get-ActiveSyncDevice
Get-ActiveSyncDeviceAccessRule
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncMailboxPolicy
Get-ActiveSyncOrganizationSettings
Get-ExchangeServer
Get-Recipient
Set-ADServerSettings
Set-ActiveSyncDeviceAccessRule
Set-ActiveSyncMailboxPolicy
Set-CASMailbox
New-ActiveSyncDeviceAccessRule
New-ActiveSyncMailboxPolicy
Remove-ActiveSyncDevice
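As an added example that is not part of the Intune documentation, the following PowerShell checks that the connector account is actually authorised for each cmdlet listed above. It connects to the Exchange PowerShell endpoint as that account and, because an Exchange remote session imports only the cmdlets the connecting account is allowed to run, tests which of the listed cmdlets were imported. The server name, account name and connection settings are placeholders (assumptions), not values taken from this page.

```powershell
# Added example (not from the Intune documentation). Exchange remote PowerShell imports only
# the cmdlets the connecting account is permitted to run under RBAC, so connecting as the
# connector account and checking which cmdlets arrived is a direct test of its effective
# permissions. The values below are placeholders for illustration.

$CasFqdn          = 'cas01.corp.example.com'     # placeholder: a Client Access server
$ConnectorAccount = 'CORP\svc-intune-exchange'   # placeholder: the connector's AD account

# Cmdlets the on-premises Exchange Connector account must be permitted to run (the list above).
$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice'
    'Get-ActiveSyncDevice'
    'Get-ActiveSyncDeviceAccessRule'
    'Get-ActiveSyncDeviceStatistics'
    'Get-ActiveSyncMailboxPolicy'
    'Get-ActiveSyncOrganizationSettings'
    'Get-ExchangeServer'
    'Get-Recipient'
    'Set-ADServerSettings'
    'Set-ActiveSyncDeviceAccessRule'
    'Set-ActiveSyncMailboxPolicy'
    'Set-CASMailbox'
    'New-ActiveSyncDeviceAccessRule'
    'New-ActiveSyncMailboxPolicy'
    'Remove-ActiveSyncDevice'
)

function Test-ConnectorCmdletAccess {
    param(
        [Parameter(Mandatory)] [string]       $CasFqdn,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string[]]     $Cmdlets
    )
    # Connect to the Exchange PowerShell endpoint as the connector account (Kerberos over HTTP,
    # the Exchange Management Shell default; change the URI if your endpoint requires HTTPS).
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$CasFqdn/PowerShell/" `
        -Authentication Kerberos -Credential $Credential
    try {
        # Import with a noun prefix so the remote cmdlets cannot be confused with local ones.
        Import-PSSession -Session $session -Prefix Chk -DisableNameChecking -AllowClobber | Out-Null
        foreach ($cmdlet in $Cmdlets) {
            $verb, $noun = $cmdlet -split '-', 2
            # With -Prefix Chk, Get-ActiveSyncDevice is imported as Get-ChkActiveSyncDevice.
            $imported = Get-Command -Name "$verb-Chk$noun" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Cmdlet    = $cmdlet
                Available = [bool]$imported
            }
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

$cred    = Get-Credential -UserName $ConnectorAccount -Message 'Password for the connector account'
$results = Test-ConnectorCmdletAccess -CasFqdn $CasFqdn -Credential $cred -Cmdlets $RequiredCmdlets
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Available }
if ($missing) {
    Write-Warning ("The connector account cannot run: " + ($missing.Cmdlet -join ', ') +
                   ". Grant the missing permissions before running Exchange_Connector_Setup.exe.")
} else {
    Write-Host 'The connector account can run all required cmdlets.'
}
```

Run it from a workstation that can reach the Client Access server, before installing the connector; any cmdlet reported as unavailable points at a gap in the role assignment for the account, which is what the connector would later fail on.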
1. In the Intune administrator console, choose ADMIN.
2. In the navigation pane, under Mobile Device Management, expand Microsoft Exchange and
then choose Setup Exchange Connection.
3. Choose Download On-Premises Connector.
4. The On-Premises Connector software is contained in a compressed (.zip) folder that can be
opened or saved. In the File Download dialog box, choose Save to store the compressed folder
to a secure location.
Important
Do not rename or move the extracted files or the On-Premises Connector software installation
will not succeed.
5. Extract the files in Exchange_Connector_Setup.zip into a secure location.
6. After the files are extracted, double-click Exchange_Connector_Setup.exe to install the On-premises Connector.
Important
If the destination folder is not a secure location, you should delete the certificate file
WindowsIntune.accountcert after you install the On-Premises Connector.
7. In the Exchange server field of the Microsoft Intune Exchange Connector window, select On-premises Exchange Server.
Provide either the server name or fully qualified domain name of the Exchange server
that hosts the Client Access server role.
Provide the credentials of the account that you configured to run the Exchange Server
PowerShell cmdlets.
Provide administrative credentials necessary to send notifications to a user’s Exchange
mailbox. These notifications are configurable via Conditional Access policies using
Intune. For more information on these policies see Enable access to company resources
with Microsoft Intune.
Ensure that the Autodiscover service and Exchange Web Services are configured on the
Exchange Client Access Server. For more information, see Client Access server.
In the Password field, provide the password for this account to enable Intune to access
the Exchange Server.
8. Choose Connect.
It may take a few minutes while the connection is set up. During configuration, the Exchange
Connector stores your proxy settings to enable access to the Internet. If your proxy settings
change, you will have to reconfigure the Exchange Connector in order to apply the updated
proxy settings to the Exchange Connector.
After the Exchange Connector sets up the connection, mobile devices associated with users that are
managed in Intune are automatically synchronized and added to the Microsoft Intune administrator
console. This synchronization may take some time to complete.
To view the status of the connection and the last successful synchronization attempt, in the
Microsoft Intune administrator console choose ADMIN, expand Mobile Device Management, and then
choose Microsoft Exchange.
Step 2: Create compliance policies and deploy to users.

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.
1. In the Microsoft Intune administration console, choose Policy > Compliance Policies > Add.
2. On the Create Policy page, configure the settings you require:
Setting | iOS | Android | Windows
Require a password to unlock mobile devices | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later
Allow simple passwords | iOS 7 and later | Not supported | Windows Phone 8 and later
Minimum password length (1) | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1
Required password type | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1
Minimum number of character sets (1) | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1
Password quality | Not available | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available
Minutes of inactivity before password is required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Password expiration (days) | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Remember password history | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Prevent reuse of previous passwords | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Require a password when the device returns from an idle state | Not available | Not available | Windows 10 Mobile
Require encryption on mobile device | Not applicable | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1
Require devices to be reported as healthy | Not available | Not available | Windows 10 Mobile
Device must not be jailbroken or rooted | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available
Email account must be managed by Intune | iOS 7 and later | Not available | Not available
Select the email profile that must be managed by Intune | iOS 7 and later | Not available | Not available
Minimum OS required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1
Maximum OS version allowed | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1

(1) For devices that run Windows and are secured with a Microsoft Account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.
3. When you are finished, choose Save Policy.
You will be given the option to deploy the policy now, or you can choose to deploy it later. The
new policy displays in the Compliance Policies node of the Policy workspace.
4. Set the compliance status validity period
To specify the time the device has to check-in before a device is considered not compliant, go to compliance policy settings and update the time. The default is set to 30 days.
To deploy the compliance policy
1. In the Policy workspace, select the policy you want to deploy, then choose Manage
Deployment.
2. In the Manage Deployment dialog box, select one or more groups to which you want to deploy
the policy, then choose Add > OK.
You can deploy to users and/or devices. Use Active Directory groups that you have already
created and synced to Intune, or create these groups manually in the Intune console. For more
information, see Use groups to manage users and devices with Microsoft Intune.
Important
Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.
Use the status summary and alerts on the Overview page of the Policy workspace to identify issues with
the policy that require your attention. Additionally, a status summary appears in the Dashboard
workspace.
If you have not deployed a compliance policy and then enable an Exchange conditional access
policy, all targeted devices will be allowed access.
View devices that do not conform to a compliance policy
1. In the Intune administration console, choose Groups > All Devices.
2. Double-click the name of a device in the list of devices.
3. Choose the Policy tab to see a list of the policies for that device.
4. From the Filters drop-down list, select Does not conform to compliance policy.
When conflicts occur due to multiple Intune settings being applied to a device, the following rules apply:
If the conflicting settings are from an Intune configuration policy and a compliance policy, the
settings in the compliance policy take precedence over the settings in the configuration policy,
even if the settings in the configuration policy are more secure.
If you have deployed multiple compliance policies, the most secure of these policies will be
used.
Step 3: Identify users who will be impacted by conditional access policy.

After the Exchange Server connector is successfully configured, it begins to inventory devices that are not yet enrolled to Intune, but are connecting to your organization’s Exchange resources using Exchange ActiveSync. To view the mobile device inventory report:
1. Navigate to Reports > Mobile Device Inventory Reports.
2. In the report parameters, select the Intune group you want to evaluate and, if required, the
device platforms to which the policy will apply.
3. Once you’ve selected the criteria that meets your organization’s needs, choose View Report.
The Report Viewer opens in a new window.
For more information about how to run reports, see Understand Microsoft Intune operations by using
reports.
After you run the report, examine these four columns to determine whether a user will be blocked:
Management Channel – Indicates whether the device is managed by Intune, Exchange
ActiveSync, or both.
AAD Registered – Indicates whether the device is registered with Azure Active Directory (known
as Workplace Join).
Compliant – Indicates whether the device is compliant with any compliance policies you
deployed.
Exchange ActiveSync ID – iOS and Android devices are required to have their Exchange
ActiveSync ID associated with the device registration record in Azure Active Directory. This
happens when the user selects the Activate Email link in the quarantine email.
Devices that are part of a targeted group will be blocked from accessing Exchange unless the column
values match those listed in the following table:
Management channel | AAD registered | Compliant | Exchange ActiveSync ID | Resulting action
Managed by Microsoft Intune and Exchange ActiveSync | Yes | Yes | A value is displayed | Email access allowed
Any other value | No | No | No value is displayed | Email access blocked
You can export the contents of the report and use the Email Address column to help you inform users
that they will be blocked.
Step 4: Configure user groups for the conditional access policy.

You target conditional access policies to different groups of users depending on the policy types. These
groups contain the users that will be targeted, or exempt from the policy. When a user is targeted by a
policy, each device they use must be compliant in order to access email.
For the Exchange on-premises policy – You specify Intune user groups. You can configure Intune user
groups in the Groups workspace of the Intune console.
You can specify two group types in each policy:
Targeted groups – User groups to which the policy is applied
Exempted groups – User groups that are exempt from the policy (optional)
If a user is in both groups, they will be exempt from the policy.
Only the groups which are targeted by the conditional access policy are evaluated for Exchange access.
Step 5: Configure the conditional access policy for Exchange on-premises.

The following flow is used by conditional access policies for Exchange on-premises environments to evaluate whether to allow or block devices.
1. In the Microsoft Intune administration console, choose Policy > Conditional Access > Exchange
On-premises Policy.
2. Configure the policy with the settings you require:
Setting: Block email apps from accessing Exchange On-premises if the device is noncompliant or not enrolled to Microsoft Intune
When you select this option, devices that are not managed by Intune or are not compliant with a compliance policy that was deployed to them are blocked from accessing Exchange services unless they have been defined as exempt.

Setting: Default rule override - Always allow enrolled and compliant devices to access Exchange
When you check this option, devices that are enrolled in Intune and compliant with the compliance policies are allowed to access Exchange. This rule overrides the Default Rule, which means that even if you set the Default Rule to quarantine or block access, enrolled and compliant devices will still be able to access Exchange.

Setting: Targeted Groups
Select the Intune user groups that must enroll their device with Intune before they can access Exchange. These are the groups you configured in Step 4.

Setting: Exempt Groups
Select the Intune user groups that are exempt from the conditional access policy. These are the groups you configured in Step 4. Settings in this list override those in the Targeted Groups list.

Setting: Platform Exceptions
Choose Add Rule to configure a rule that defines access levels for specified mobile device families and models. Because these devices can be of any type, you can also configure device types that are unsupported by Intune.

Setting: Default Rule
For a device that is not covered by any of the other rules, you can choose to allow it to access Exchange, block it, or quarantine it.
When you set the rule to allow access, for devices that are enrolled and compliant, email access is granted automatically for iOS, Windows, and Samsung Knox devices. The end-user does not have to go through any process to get their email. On Android devices that are not Knox based, end-users will get a quarantine email which includes a guided walkthrough to verify enrollment and compliance before they can access email.
If you set the rule to block access or quarantine it, all devices are blocked from getting access to Exchange regardless of whether they are already enrolled in Intune or not. To prevent enrolled and compliant devices from being affected by this rule, check the Default Rule Override.
Tip
If your intention is to first block all devices before granting access to email, checking the Block access, or Quarantine rule can be useful.
The default rule will apply to all device types, so device types you configure as platform exceptions and that are unsupported by Intune are also affected.

Setting: User Notification
In addition to the notification email sent from Exchange, Intune sends an email that you can configure which contains steps to unblock the device. You can edit the default message and use HTML tags to format how the text appears.
Note
Because the Intune notification email containing remediation instructions is delivered to the user’s Exchange mailbox, in the event that the user’s device gets blocked before they receive the email message, they can use an unblocked device or other method to access Exchange and view the message.
This is especially true when the Default Rule is set to block or quarantine. In this case, the end-user will have to go to their app store, download the Microsoft Company Portal app and enroll their device. This is applicable to iOS, Windows, and Samsung Knox devices. For Android devices that are not Knox-based, the IT admin will need to send the quarantine email to an alternate email account, which then the end-user has to copy to their blocked device to complete the enrollment and compliance process.
3. When you are done, choose Save.
You do not have to deploy the conditional access policy; it takes effect immediately.
After a user sets up an Exchange ActiveSync profile, it might take from 1-3 hours for the
device to be blocked (if it is not managed by Intune).
If a blocked user then enrolls the device with Intune (or remediates noncompliance), email
access will be unblocked within 2 minutes.
If the user un-enrolls from Intune it might take from 1-3 hours for the device to be blocked.
Deployment Steps for using Exchange Online with Intune
Step 1: Create compliance policies and deploy to users.

Ensure that you have created and deployed a compliance policy to all devices that the Exchange
conditional access policy will be targeted to.
1. In the Microsoft Intune administration console, choose Policy > Compliance Policies > Add.
2. On the Create Policy page, configure the settings you require:
Setting | iOS | Android | Windows
Require a password to unlock mobile devices | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later
Allow simple passwords | iOS 7 and later | Not supported | Windows Phone 8 and later
Minimum password length (1) | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1
Required password type | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1
Minimum number of character sets (1) | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1
Password quality | Not available | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available
Minutes of inactivity before password is required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Password expiration (days) | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Remember password history | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Prevent reuse of previous passwords | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1
Require a password when the device returns from an idle state | Not available | Not available | Windows 10 Mobile
Require encryption on mobile device | Not applicable | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1
Require devices to be reported as healthy | Not available | Not available | Windows 10 Mobile
Device must not be jailbroken or rooted | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available
Email account must be managed by Intune | iOS 7 and later | Not available | Not available
Select the email profile that must be managed by Intune | iOS 7 and later | Not available | Not available
Minimum OS required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1
Maximum OS version allowed | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1

(1) For devices that run Windows and are secured with a Microsoft Account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.
3. When you are finished, choose Save Policy.
You will be given the option to deploy the policy now, or you can choose to deploy it later. The
new policy displays in the Compliance Policies node of the Policy workspace.
4. Set the compliance status validity period
To specify the time the device has to check-in before a device is considered not compliant, go to
compliance policy settings and update the time. The default is set to 30 days.
To deploy the compliance policy
1. In the Policy workspace, select the policy you want to deploy, then choose Manage
Deployment.
2. In the Manage Deployment dialog box, select one or more groups to which you want to deploy
the policy, then choose Add > OK.
You can deploy to users and/or devices. Use Active Directory groups that you have already
created and synced to Intune, or create these groups manually in the Intune console. For more
information, see Use groups to manage users and devices with Microsoft Intune.
Ensure that you have created and deployed a compliance policy to all devices that the Exchange
conditional access policy will be targeted to.
Use the status summary and alerts on the Overview page of the Policy workspace to identify issues with
the policy that require your attention. Additionally, a status summary appears in the Dashboard
workspace.
If you have not deployed a compliance policy and then enable an Exchange conditional access
policy, all targeted devices will be allowed access.
View devices that do not conform to a compliance policy
1. In the Intune administration console, choose Groups.
2. Double-click the name of a device in the list of devices.
3. Choose the Policy tab to see a list of the policies for that device.
4. From the Filters drop-down list, select Does not conform to compliance policy.
When conflicts occur due to multiple Intune settings being applied to a device, the following rules apply:
If the conflicting settings are from an Intune configuration policy and a compliance policy, the
settings in the compliance policy take precedence over the settings in the configuration policy,
even if the settings in the configuration policy are more secure.
If you have deployed multiple compliance policies, the most secure of these policies will be
used.
Step 2: Evaluate the effect of the conditional access policy.

If you have configured a connection between Intune and Exchange by using the Service to Service
Connector, you can use the Mobile Device Inventory Reports to identify EAS mail clients that will be
blocked from accessing Exchange after you configure the conditional access policy.
To view the status of the connection and the last successful synchronization attempt, in the Microsoft Intune administrator console:
1. In the Microsoft Intune administration console, choose ADMIN, expand Mobile Device Management, and then choose Microsoft Exchange.
2. If there is no Service to Service Connector installed, expand Microsoft Exchange, choose Set Up
Exchange Connection > Set Up Service to Service Connector.
The Service to Service Connector will automatically configure and synchronize with your Hosted
Exchange environment.
To view the mobile device inventory report:
1. Choose Reports > Mobile Device Inventory Reports.
2. Select the device groups for which you plan to roll out the conditional access policy, as well as
filter by OS status.
3. After you’ve selected the criteria that meets your organization’s needs, choose View Report.
The Report Viewer opens in a new window.
For more information about how to run reports, see Understand Microsoft Intune operations by using
reports.
After you run the report, examine these four columns to determine whether a user will be blocked:
Management Channel – Indicates whether the device is managed by Intune, Exchange
ActiveSync, or both.
AAD Registered – Indicates whether the device is registered with Azure Active Directory (known
as Workplace Join).
Compliant – Indicates whether the device is compliant with any compliance policies you
deployed.
Exchange ActiveSync ID – iOS and Android devices are required to have their Exchange
ActiveSync ID associated with the device registration record in Azure Active Directory. This
happens when the user selects the Activate Email link in the quarantine email.
Devices that are part of a targeted group will be blocked from accessing Exchange unless the column
values match those listed in the following table:
Management channel | AAD registered | Compliant | Exchange ActiveSync ID | Resulting action
Managed by Microsoft Intune and Exchange ActiveSync | Yes | Yes | A value is displayed | Email access allowed
Any other value | No | No | No value is displayed | Email access blocked
You can export the contents of the report and use the Email Address column to help you inform users
that they will be blocked.
Step 3: Configure user groups for the conditional access policy
You target conditional access policies to different groups of users depending on the policy type. These
groups contain the users that will be targeted by, or exempt from, the policy. When a user is targeted by a
policy, each device they use must be compliant in order to access email.
For the Exchange Online policy – you specify Azure Active Directory security user groups. You can
configure these groups in the Office 365 admin center or in the Intune console.
You can specify two group types in each policy:
Targeted groups – User groups to which the policy is applied
Exempted groups – User groups that are exempt from the policy (optional)
If a user is in both groups, they will be exempt from the policy.
Only the groups which are targeted by the conditional access policy are evaluated for Exchange access.
Step 4: Configure the conditional access policy for Exchange Online
The following flow is used by conditional access policies for Exchange Online to evaluate whether to
allow or block devices.
To access email, the device must:
Enroll with Intune
Register with Azure Active Directory (this happens automatically when the device is enrolled with
Intune)
The device state is stored in Azure Active Directory, which grants or blocks access to email based on the
evaluated conditions.
If a condition is not met, the user will be presented with one of the following messages when they log in:
If the device is not enrolled, or registered in Azure Active Directory, a message is displayed with
instructions about how to install the company portal app and enroll.
If the device is not compliant, a message is displayed that directs the user to the Intune web
portal where they can find information about the problem and how to remediate it.
The message is displayed on the device for Exchange Online users.
Intune conditional access rules override the allow, block, and quarantine rules that are defined in the
Exchange Online admin console.
1. In the Intune administration console, choose Policy > Conditional Access > Exchange Online
Policy.
2. On the Exchange Online Policy page, select Enable conditional access policy for Exchange
Online. When this is selected, a device must be enrolled and compliant to access email. When it is
cleared, conditional access is not applied.
Note
If you have not deployed a compliance policy and then enable the Exchange Online policy, all
targeted devices are reported as compliant.
Regardless of the compliance state, all users who are targeted by the policy will be required to
enroll their devices with Intune.
3. Under Application access, for apps that use modern authentication, you have two ways of
choosing which platforms the policy applies to. Supported platforms include Android, iOS,
Windows, and Windows Phone.
All platforms
This requires any device used to access Exchange Online to be enrolled in Intune and
compliant with the policies. Any client application using modern authentication is subject
to the conditional access policy, and if the platform is not currently supported by Intune,
access to Exchange Online is blocked.
Selecting the All platforms option means that Azure Active Directory applies this policy to
all authentication requests, regardless of the platform reported by the client application.
All platforms are required to be enrolled and compliant, with two exceptions:
o Windows devices must be enrolled and compliant, domain joined with on-premises
Active Directory, or both.
o Unsupported platforms such as Mac OS cannot meet the requirement; apps using
modern authentication from these platforms are still blocked.
Tip
You may not see this option if you are not already using conditional access for PCs. Use
the Specific platforms instead. Conditional access for PCs is not currently available to all
Intune customers. You can find out more information about known issues as well as
how to get access to this feature at the Microsoft Connect site.
Specific platforms
Conditional access policy will apply to any client app that is using modern
authentication on the device platforms you specify.
4. Under Outlook web access (OWA), you can choose to allow access to Exchange Online only
through the supported browsers: Safari (iOS), and Chrome (Android). Access from other
browsers will be blocked. The same platform restrictions you selected for Application access for
Outlook also apply here.
On Android devices, the end user must turn on browser access on the enrolled device by using the
Enable Browser Access option in the Company Portal app, as follows:
a. Launch the Company Portal app.
b. Go to the Settings page from the triple dots (…) or the hardware menu button.
c. Press the Enable Browser Access button.
d. In the Chrome browser, sign out of Office 365 and restart Chrome.
5. On iOS and Android platforms, to identify the device that is used to access the service, Azure
Active Directory issues a Transport Layer Security (TLS) certificate to the device. The browser
prompts the end user to select this certificate, as seen in the screenshots below, and the end user
must select it before they can continue to use the browser.
Under Exchange ActiveSync apps, you can choose to block noncompliant devices from accessing
Exchange Online. You can also select whether to allow or block access to email when the device
is not running a supported platform. Supported platforms include Android, iOS, Windows, and
Windows Phone.
6. Under Targeted Groups, select the Active Directory security groups of users to which the policy
will apply. You can either choose to target all users or a selected list of user groups.
Note
For users that are in the Targeted groups, the Intune policies replace the Exchange rules and
policies.
Exchange will only enforce the Exchange allow, block and quarantine rules, and Exchange
policies if:
The user is not licensed for Intune.
The user is licensed for Intune, but the user does not belong to any security groups targeted
in the conditional access policy.
7. Under Exempted Groups, select the Active Directory security groups of users that are exempt
from this policy. If a user is in both the targeted and exempted groups, they will be exempt from
the policy and will have access to their email.
8. When you are finished, choose Save.
You do not have to deploy the conditional access policy; it takes effect immediately.
After a user creates an email account on an unenrolled device, the device is blocked immediately.
If a blocked user enrolls the device with Intune and fixes any noncompliance issues, email
access is unblocked within 2 minutes.
If the user un-enrolls their device, email is blocked after around 6 hours.
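The decision flow described in Step 3 and Step 4 (group scoping, licensing, platform selection, enrollment and compliance) is easier to reason about when written out. The code below is an added example and is not Intune's own code or a description of its internals; the data classes, group names, UPNs and return strings are illustrative. It encodes only what this page states: exempted groups win over targeted groups, unlicensed or untargeted users fall back to Exchange's own rules, the All platforms option blocks unsupported platforms and lets domain-joined Windows devices through, and devices with no compliance policy deployed are treated as compliant.

```python
"""Added example (not Intune's own code): the Exchange Online conditional
access decision flow from Steps 3 and 4, applied to constructed users and
devices. Names and return strings are illustrative."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Platforms this page lists as supported for the Exchange Online policy.
SUPPORTED_PLATFORMS = frozenset({"Android", "iOS", "Windows", "Windows Phone"})


@dataclass(frozen=True)
class ExchangeOnlinePolicy:
    enabled: bool = True
    target_all_users: bool = False
    targeted_groups: FrozenSet[str] = frozenset()
    exempted_groups: FrozenSet[str] = frozenset()
    # None models the "All platforms" option; a set models "Specific platforms".
    platforms: Optional[FrozenSet[str]] = None
    # With no compliance policy deployed, every targeted device reports compliant.
    compliance_policy_deployed: bool = True


@dataclass(frozen=True)
class User:
    upn: str
    intune_licensed: bool
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    platform: str
    enrolled: bool = False       # enrollment also registers the device in Azure AD
    compliant: bool = False
    domain_joined: bool = False  # on-premises AD join; only relevant to Windows


def scope(policy: ExchangeOnlinePolicy, user: User) -> Optional[str]:
    """Return None if the Intune policy governs this user, else why it does not."""
    if not policy.enabled:
        return "policy disabled"
    if not user.intune_licensed:
        return "unlicensed"        # Exchange's own rules are enforced instead
    if user.groups & policy.exempted_groups:
        return "exempted"          # exempt wins when a user is in both group types
    if not (policy.target_all_users or user.groups & policy.targeted_groups):
        return "not targeted"      # Exchange's own rules are enforced instead
    return None


def evaluate(policy: ExchangeOnlinePolicy, user: User, device: Device) -> Tuple[str, str]:
    """Return ("allowed" | "blocked" | "not in scope", detail).

    For "blocked", detail names the message the user sees: "enroll" (install the
    Company Portal and enroll) or "remediate" (fix the compliance problem).
    """
    out_of_scope = scope(policy, user)
    if out_of_scope:
        return "not in scope", out_of_scope
    if policy.platforms is None:
        # All platforms: every modern-auth request is evaluated, and platforms
        # Intune cannot manage are blocked outright.
        if device.platform not in SUPPORTED_PLATFORMS:
            return "blocked", "unsupported platform"
        # Windows may satisfy the policy by on-premises domain join alone.
        if device.platform == "Windows" and device.domain_joined:
            return "allowed", "domain joined"
    elif device.platform not in policy.platforms:
        return "not in scope", "platform not targeted"
    if not device.enrolled:
        return "blocked", "enroll"
    if policy.compliance_policy_deployed and not device.compliant:
        return "blocked", "remediate"
    return "allowed", "enrolled and compliant"


if __name__ == "__main__":
    policy = ExchangeOnlinePolicy(targeted_groups=frozenset({"Sales"}),
                                  exempted_groups=frozenset({"CA-Exempt"}))
    alice = User("alice@contoso.example", True, frozenset({"Sales"}))
    for dev in (Device("iOS"), Device("iOS", enrolled=True), Device("macOS"),
                Device("Windows", domain_joined=True)):
        print(dev.platform, evaluate(policy, alice, dev))
```

Two consequences worth checking against your own tenant: a user who is both targeted and exempted never reaches the device checks at all, and enabling the policy without a compliance policy still forces enrollment (the `enroll` branch) even though the `remediate` branch can never fire.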
To see some example scenarios of how you would configure conditional access policy to restrict
device access, see restrict email access example scenarios.
Reporting
Monitor the compliance and conditional access policies
To view devices that are blocked from Exchange:
1. On the Intune dashboard, choose the Blocked Devices from Exchange tile to show the number
of blocked devices and links to more information.
End-user Experience
Following is an overview of the end-user experience after conditional access is enabled and an end user
tries to access email on their mobile device.
Windows Phone
1. If a user is already enrolled in Intune and is compliant, they will see no difference on Windows
devices; they will continue to get access to email. Users who have not yet enrolled in Intune will
receive a quarantine email similar to this sample:
The user chooses Get started now to begin enrolling their device.
Note
The enrollment process and the screens the user sees will be slightly different depending on the
version of OS running on the end-user device.
2. On the Company Access Setup screen, the user chooses Begin to start setting up their device
and checking whether it is compliant.
3. On the Enroll Your Device screen, the user chooses Confirm Enrollment to start enrolling their
device.
During enrollment, the Mobile Device Management profile is installed to allow you, the IT
administrator, to remotely manage the device. The user might be prompted to accept a
certificate authorizing Workplace Join.
The user signs in using the email address they use with Office. After they are signed in, they
might need to choose Confirm Enrollment once more to continue enrolling their device.
4. The device is checked to verify that it is enrolled.
The user then completes the enrollment process by selecting their device and choosing Select. If
their device is not displayed, they can select I don’t see my device listed to try again.
5. The device is checked to verify that it is compliant with company policies.
If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid
password) and then choose Check Compliance to continue.
6. After compliance is verified, the user sees that enrollment is being activated.
7. Enrollment is activated and the user chooses Continue to complete the process…
8. …and the process completes! The user chooses Done to exit setup.
After the user is enrolled and compliance is verified, email access should become available
within a few minutes.
If the user follows those steps to enroll and become compliant and still cannot access their email on
their mobile device, they can follow these additional steps to try and fix the issue:
First, verify that their device is enrolled. If not, the user follows the steps above.
Verify that the device is compliant by choosing Check Compliance. If a compliance error is
identified, the user can follow the instructions specific to their mobile device about how to
resolve it, such as resetting their password.
Call the help desk.
If a device becomes noncompliant
Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was
previously compliant is later deemed to be noncompliant (for example, a compliance policy was added
or changed), the user can follow these steps to get their device back in compliance:
1. The user receives notification in email or on their device that the device is noncompliant. At this
time, the device is quarantined in Exchange.
2. If the user tries to access email, they are redirected back to the Company Access Setup screen
from the Intune Company portal where it shows that they are out of compliance.
3. The user chooses Continue and is shown the compliance issue that is preventing them from
accessing email.
4. After they have fixed the issue, they choose Check Compliance to verify that the problem is
resolved.
5. If the issue is fixed, the user chooses Continue to complete the process. Email access should
become available again within a few minutes.
iOS
1. If a user is already enrolled in Intune and is compliant, they will see no difference on iOS devices;
they will continue to get access to email. If the user is not yet enrolled, they will see a
quarantine message similar to this when they launch their mail app:
Note
The enrollment process and the screens the user sees will be slightly different depending on the
version of OS running on the end-user device.
The user chooses Get started now to begin enrolling their device.
2. The user is prompted to install the Intune Company Portal app from the respective app store.
After it installs, the user opens the app and signs in using their company credentials.
3. On the Company Access Setup screen, the user chooses Begin to start setting up their device
and checking whether it is compliant.
4. On the Device Enrollment screen, the user chooses Enroll to start enrolling their device.
During enrollment, the Mobile Device Management profile is installed to allow you, the IT
administrator, to remotely manage the device. The user enters their password if prompted.
5. On the Company Access Setup screen, the user chooses Continue to start checking compliance
on the device.
If there is a compliance issue, the user is prompted to resolve the issue (such as by creating a
valid password) and then choose Check Compliance to continue.
After the device is fully compliant, the user chooses Continue to proceed.
After the user is enrolled and compliance is verified, email access should become available
within a few minutes.
If the user follows those steps to enroll and become compliant and still cannot access their email on
their mobile device, they can follow these additional steps to try and fix the issue:
First, verify that their device is enrolled. If not, the user follows the steps above.
Verify that the device is compliant by choosing Check Compliance. If a compliance error is
identified, the user can follow the instructions specific to their mobile device about how to
resolve it, such as resetting their password.
Call the help desk.
If a device becomes noncompliant
Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was
previously compliant is later deemed to be noncompliant (for example, a compliance policy was added
or changed), the user can follow these steps to get their device back in compliance:
1. The user receives notification in email or on their device that the device is noncompliant. At this
time, the device is quarantined in Exchange.
2. If the user tries to access email, they are redirected back to the Company Access Setup screen
from the Intune Company portal where it shows that they are out of compliance.
3. The user chooses Continue and is shown the compliance issue that is preventing them from
accessing email.
4. After they have fixed the issue, they choose Check Compliance to verify that the problem is
resolved.
5. If the issue is fixed, the user chooses Continue to complete the process.
Email access should become available again within a few minutes.
Android
Note
The enrollment process and the screens the user sees will be slightly different depending on the
version of OS running on the end-user device.
1. When they try to access email, the user first receives a quarantine email similar to this sample:
The user chooses Get started now to begin enrolling their device.
2. The user is prompted to install the Intune Company Portal app from the respective app store.
After it installs, the user opens the app and signs in using their company credentials.
Note
If a user has not set a default browser for their device, they will be prompted during device
enrollment and during enrollment activation to allow a link to open a browser window. When
prompted, they must select the same browser each time or the enrollment process will fail.
3. On the Company Access Setup screen, the user chooses Begin to start setting up their device
and checking whether it is compliant.
4. Users must activate the device administrator by choosing Activate when prompted, or the device
enrollment procedure will cancel.
Device enrollment begins. Depending on the device, a certificate installation prompt or a
Samsung KNOX Privacy Policy prompt might appear during enrollment. These are necessary to
allow you, the IT administrator, to remotely manage the device. The device is enrolled to Intune
and establishes a device identity with Azure Active Directory.
After enrollment is completed successfully, the user chooses Continue to start checking
compliance on the device.
If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid
password) and then choose Check Compliance to continue.
5. After the device is fully compliant, the user chooses Continue to initiate enrollment activation.
This connects the AAD device identity with the EAS ID provided by Exchange.
Note
On Android, the default browser will appear for a few seconds during enrollment activation. If
the user has not already selected a default browser, they are prompted to choose a browser.
While completing Company Access Setup, the same browser must be selected by the user
whenever prompted.
6. Enrollment activation completes and the user chooses Done to exit the enrollment and
compliance verification process.
After the user is enrolled and compliance is verified, email access should become available
within a few minutes.
If the user follows those steps to enroll and become compliant and still cannot access their email on
their mobile device, they can follow these additional steps to try and fix the issue:
First, verify that their device is enrolled. If not, the user follows the steps above.
Verify that the device is compliant by choosing Check Compliance. If a compliance error is
identified, the user can follow the instructions specific to their mobile device about how to
resolve it, such as resetting their password.
Call the help desk.
If a device becomes noncompliant
Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was
previously compliant is later deemed to be noncompliant (for example, a compliance policy was added
or changed), the user can follow these steps to get their device back in compliance:
1. The user receives notification in email or on their device that the device is noncompliant. At this
time, the device is quarantined in Exchange.
2. When the user tries to access email, they see a quarantine email informing them that
compliance issues must be fixed before they can get access. When the user selects the hyperlink
in the quarantine email, it redirects them to the Company Access Setup screen in the Intune
Company portal (via default browser and Google Play) where it shows that the device is not
compliant.
3. The user chooses Continue and is shown the compliance issue that is preventing them from
accessing email.
4. After they have fixed the issue, they choose Check Compliance to verify that the problem is
resolved.
5. If the issue is fixed, the user chooses Continue to complete the process. Email access should
become available again within a few minutes.