Configure email profile for the Outlook app

This week is all about configuring an email profile for the Outlook app: preconfiguring the email profile for the users, so that the users only need to provide their password. Depending on the exact infrastructure, this can save a lot of (adoption) work in providing guidelines to the users. Some even want to look at this for preconfiguring an email profile for Exchange Online. I’m not that sure about that specific use case, but I do use that configuration as the example, simply because I’ve got it available in my lab. In this post I’ll show the available keys for configuring an email profile and the configuration steps. I’ll end this post with the end-user experience, which will also show why I think the added value for Exchange Online might be minimal.

Available keys and values

Let’s start by having a look at the available keys and values for configuring an email profile for the Outlook app. Below is an overview of the available keys, the value type, the default value, a short description of the accepted value and whether the key is required. All the mentioned keys start with com.microsoft.outlook.EmailProfile. (prefix included); I removed that prefix to make the table a bit more readable.

Key                   Value type  Default value            Accepted value         Required
EmailAccountName      String      <blank>                  Display name           Yes
EmailAddress          String      <blank>                  Email address          Yes
EmailUPN              String      <blank>                  UPN or username        Yes
ServerAuthentication  String      "Username and Password"  Authentication method  No
ServerHostName        String      <blank>                  Hostname               Yes
AccountDomain         String      <blank>                  Domain name            No
AccountType           String      BasicAuth                Authentication model   No

Note: Please don’t forget that all of these keys start with the prefix com.microsoft.outlook.EmailProfile. (including the trailing dot).

Configuration

Now let’s continue by having a look at the configuration of the actual email profile. The following 7 steps walk through the configuration of the app configuration policy that configures an Exchange Online profile for the Outlook app on iOS.

1 Open the Azure portal and navigate to Intune > Client apps > App configuration policies;
2 On the Client apps – App configuration policies blade, click Add to open the Add configuration policy blade;
3 On the Add configuration policy blade, provide a Name, select Managed devices as Device enrollment type, select iOS as Platform and select Associated app to open the Associated app blade;
4 On the Associated app blade, select Outlook and click OK to return to the Add configuration policy blade;
5 On the Add configuration policy blade, select Configuration settings to open the Configuration settings blade;
6 On the Configuration settings blade, select Use configuration designer as Configuration settings format, provide the following key and value pairs and click OK to return to the Add configuration policy blade;

com.microsoft.outlook.EmailProfile.EmailAccountName  {{username}}
com.microsoft.outlook.EmailProfile.EmailAddress      {{mail}}
com.microsoft.outlook.EmailProfile.EmailUPN          {{userprincipalname}}
com.microsoft.outlook.EmailProfile.ServerHostName    https://outlook.office365.com/
com.microsoft.outlook.EmailProfile.AccountDomain     petervanderwoude.nl

Note: These key and value pairs cover the four required keys plus the optional AccountDomain key, which is sufficient for an Office 365 (Exchange Online) profile and gives every field that the end-user would otherwise have to fill in on the account screen a value. The remaining optional keys (ServerAuthentication and AccountType) are left at their defaults.

7 On the Add configuration policy blade, click Add to add the app configuration policy.

Note: This app configuration policy only applies to the Outlook app on a managed (enrolled) device, which is why Managed devices was selected as Device enrollment type.
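As an added example (not code from the original post), the following Python script encodes the key table above, checks a proposed profile against it before the policy is created, and renders the key and value pairs of step 6 as the plist dict that the portal’s Enter XML data option accepts, plus the base64 form for creating the same policy through Microsoft Graph. The Graph request shape (@odata.type, targetedMobileApps, encodedSettingXml) is stated from memory and is an assumption, the application id is a placeholder, and nothing is sent anywhere.

```python
"""Validate and render an Outlook app email profile for an Intune iOS app
configuration policy.  Added example; not code from the original post."""
import base64
from xml.sax.saxutils import escape

PREFIX = "com.microsoft.outlook.EmailProfile."

# Key table from the post: short key -> (default value, required?)
KEYS = {
    "EmailAccountName": (None, True),
    "EmailAddress": (None, True),
    "EmailUPN": (None, True),
    "ServerAuthentication": ("Username and Password", False),
    "ServerHostName": (None, True),
    "AccountDomain": (None, False),
    "AccountType": ("BasicAuth", False),
}


def validate(settings):
    """Return a list of problems: required keys that are missing, and keys
    that are not in the table (a typo in a key silently does nothing in the
    app, so catch it before the policy is created)."""
    problems = []
    for short, (_, required) in KEYS.items():
        if required and PREFIX + short not in settings:
            problems.append("missing required key " + PREFIX + short)
    for key in settings:
        if not key.startswith(PREFIX) or key[len(PREFIX):] not in KEYS:
            problems.append("unknown key " + key)
    return problems


def effective(settings):
    """What the app will use: the configured values plus the table defaults
    for optional keys that were left out."""
    merged = {}
    for short, (default, _) in KEYS.items():
        full = PREFIX + short
        if full in settings:
            merged[full] = settings[full]
        elif default is not None:
            merged[full] = default
    return merged


def to_plist_dict(settings):
    """Render only the configured keys (defaults are applied by the app) as
    the plist <dict> fragment the portal's 'Enter XML data' option takes."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["<dict>"]
    for key, value in settings.items():
        lines.append("  <key>%s</key>" % escape(key))
        lines.append("  <string>%s</string>" % escape(value))
    lines.append("</dict>")
    return "\n".join(lines)


def graph_body(display_name, app_id, settings):
    """Request body for creating the policy via Graph.  The property names
    below are an assumption from memory, not taken from the post."""
    xml = to_plist_dict(settings)
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": display_name,
        "targetedMobileApps": [app_id],
        "encodedSettingXml": base64.b64encode(xml.encode()).decode(),
    }


def decoded_xml(body):
    """Inverse of graph_body's encoding, for checking what would be sent."""
    return base64.b64decode(body["encodedSettingXml"]).decode()


# The key and value pairs from step 6 (Intune substitutes the {{...}} tokens
# per user); the domain is the one used in the post.
LAB_SETTINGS = {
    PREFIX + "EmailAccountName": "{{username}}",
    PREFIX + "EmailAddress": "{{mail}}",
    PREFIX + "EmailUPN": "{{userprincipalname}}",
    PREFIX + "ServerHostName": "https://outlook.office365.com/",
    PREFIX + "AccountDomain": "petervanderwoude.nl",
}

if __name__ == "__main__":
    print(to_plist_dict(LAB_SETTINGS))
    print(effective(LAB_SETTINGS))
    print(graph_body("Outlook - Exchange Online profile", "<outlook-app-id>", LAB_SETTINGS))
```

Running the script prints the plist dict, the values the app will resolve after defaults (AccountType BasicAuth, ServerAuthentication Username and Password) and the Graph body; validate() is the piece worth keeping, since a mistyped key or a forgotten required key produces no error in the portal but an empty field on the device.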

End-user experience

Let’s end this post with the end-user experience. The first screen of the Outlook app, after the app configuration policy is applied, shows an Exchange configuration, even though this configuration will enable Exchange Online (Office 365); basically every profile configured via these settings is shown as an Exchange profile. The second screen of the Outlook app, after the user clicks Add Account, only requires the user to provide a password and to click Sign in. This also works in combination with a conditional access rule that blocks other clients (legacy authentication), since the pre-filled profile only supplies the account fields and does not change how the Outlook app signs in to Office 365.


Note: As mentioned earlier, this email configuration saves the user from typing the UPN, which makes it easier for the user. Instead, however, it presents the user with a configuration screen that can be more confusing. That is a decision to make. I do see a big use case for an Exchange on-premises infrastructure.

More information

For more information about configuring the Outlook app, refer to the following documentation:

The conditional access flow of the Outlook app for iOS and Android

This week something completely different: this week I’ll be looking at the conditional access flow of the Outlook app for iOS and Android. By that I don’t mean the high-level decision flow, which is available on TechNet, but the flow from a component perspective. It will be more of a what-happens-when-and-where flow.

Before I start with the what-happens-when-and-where flow, I think it’s important to first provide a bit of information about Active Directory Authentication Library (ADAL)-based authentication, the Open Authorization (OAuth) protocol and the Outlook Cloud Service in combination with Office 365. These components make up the what-happens-when-and-where flow.

ADAL-based authentication

The Outlook app for iOS and Android uses ADAL-based authentication to access Office 365. ADAL-based authentication enables the Outlook app for iOS and Android to use browser-based authentication with Office 365 and facilitates a sign-in with Azure AD. This allows the end-user to sign in directly at the Office 365 identity provider, which can be Azure AD or a federated identity provider like AD FS, instead of providing credentials directly to the Outlook app for iOS and Android.

OAuth for Office 365

The ADAL-based sign-in enables OAuth for Office 365 accounts. OAuth provides the Outlook app for iOS and Android with a secure mechanism to access email without requiring access to the end-user’s credentials. At sign-in, the end-user authenticates directly with the Office 365 identity provider, which can be Azure AD or a federated identity provider like AD FS, and the app receives an access token in return. That token grants the Outlook app for iOS and Android access to the end-user’s mailbox in Office 365 (via the Outlook Cloud Service).

Outlook Cloud Service

The Outlook app for iOS and Android also uses the Outlook Cloud Service, an aggregation service that fetches the end-user’s email on behalf of the app. The Outlook app for iOS and Android uses OAuth for all accounts that support it, which includes Office 365. OAuth provides the Outlook app for iOS and Android with a secure mechanism to access Office 365 and the Outlook Cloud Service without the end-user’s credentials ever being handed to the app or the service.

Conditional access flow

Now let’s have a look at how everything fits together in the what-happens-when-and-where flow for conditional access of the Outlook app for iOS and Android.


1. Authenticate user and device – The Outlook app for iOS and Android uses ADAL-based authentication to authenticate the end-user with Azure AD.
   A. Not compliant/not registered – When the device of the end-user is not compliant, or not registered, the end-user receives a message, or an email, describing the steps to enroll or to get compliant.
   B. Register device | Enroll device – When the end-user performs the required activities, the device is registered in Azure AD and enrolled in Microsoft Intune.
   C. Set device management/compliance status – After the device is enrolled, Microsoft Intune evaluates whether it is compliant with the company policies. When the device is considered compliant, the required properties in Azure AD are set (DeviceId, isManaged and MDMStatus).
2. Issue access token – When the device is registered and compliant, the Outlook app for iOS and Android receives the access token and refresh token that are required for accessing Office 365.
3. Access with AAD token – The Outlook app for iOS and Android presents the access token to the Outlook Cloud Service.
4. Verify access token – The Outlook Cloud Service verifies with Azure AD that the access token is valid. When it is, the Outlook Cloud Service obtains a second-level security token that lets it request email on behalf of the end-user.
5. Get company email – The Outlook Cloud Service gets the company email for the end-user from Office 365.
6. Email delivered – The Outlook Cloud Service delivers the company email for the end-user to the Outlook app for iOS and Android.
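To make the six steps concrete, here is a toy model of the flow in Python. It is an added example, not Microsoft’s code: Azure AD, Intune, the Outlook Cloud Service and Exchange Online are stand-in functions, tokens are HMAC-signed JSON rather than real JWTs, and the signing keys, the device registry with its DeviceId/isManaged/MDMStatus properties, the audience name, the user and the mailbox are all constructed. What it shows is the shape of the flow: no token is issued until the device record passes the conditional access check, the app never hands a password to the cloud service, and the service exchanges the app’s access token for a second token before it touches the mailbox.

```python
"""Toy model of the conditional access flow above.  Added example, not
Microsoft code: every party is a stand-in function, tokens are HMAC-signed
JSON rather than real JWTs, and keys, device records, user and mailbox are
constructed."""
import base64
import hashlib
import hmac
import json
import time

AAD_KEY = b"azure-ad-signing-key"    # constructed; stands in for Azure AD's signing key
OBO_KEY = b"second-level-token-key"  # constructed; key for the on-behalf-of token

# Constructed Azure AD device registry with the properties the post names.
DEVICES = {
    "dev-1": {"registered": True, "isManaged": True, "MDMStatus": "Compliant"},
    "dev-2": {"registered": True, "isManaged": True, "MDMStatus": "NotCompliant"},
    "dev-3": {"registered": False},
}
# Constructed mailbox content in "Office 365".
MAILBOXES = {"user@contoso.example": ["Welcome to Exchange Online"]}


def _sign(claims, key):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def _verify(token, key):
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise PermissionError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def azure_ad_authenticate(upn, device_id):
    """Steps 1 and 2: conditional access decides on device state before any
    token is issued.  No password appears here: the app hands the user to
    Azure AD, which is the point of the ADAL/OAuth sign-in."""
    device = DEVICES.get(device_id, {"registered": False})
    if not device["registered"]:
        return {"error": "not registered", "remediation": "register and enroll the device"}
    if not device.get("isManaged") or device.get("MDMStatus") != "Compliant":
        return {"error": "not compliant", "remediation": "bring the device into compliance"}
    now = int(time.time())
    access = {"upn": upn, "deviceid": device_id, "aud": "outlook-cloud-service", "exp": now + 3600}
    refresh = {"upn": upn, "deviceid": device_id, "typ": "refresh"}
    return {"access_token": _sign(access, AAD_KEY), "refresh_token": _sign(refresh, AAD_KEY)}


def azure_ad_verify(access_token):
    """Step 4, first half: the service checks the token with Azure AD.
    A refresh token or a token for another audience is refused here."""
    claims = _verify(access_token, AAD_KEY)
    if claims.get("aud") != "outlook-cloud-service" or claims.get("exp", 0) < time.time():
        raise PermissionError("token not valid for this service")
    return claims


def token_accepted(access_token):
    """True when Azure AD would accept the token for the cloud service."""
    try:
        azure_ad_verify(access_token)
        return True
    except (PermissionError, ValueError):
        return False


def exchange_online(obo_token):
    """Step 5: the mailbox is only reachable with the second-level token."""
    claims = _verify(obo_token, OBO_KEY)
    if claims.get("actor") != "outlook-cloud-service":
        raise PermissionError("unexpected actor")
    return MAILBOXES.get(claims["upn"], [])


def outlook_cloud_service(access_token):
    """Steps 3 to 6: verify the app's token, obtain a second-level token that
    says "email on behalf of this user", fetch, and hand the mail back."""
    claims = azure_ad_verify(access_token)
    obo = _sign({"upn": claims["upn"], "actor": "outlook-cloud-service"}, OBO_KEY)
    return exchange_online(obo)


def outlook_app(upn, device_id):
    """The whole flow from the app's side: remediation message or mail."""
    result = azure_ad_authenticate(upn, device_id)
    if "error" in result:
        return result
    return {"mail": outlook_cloud_service(result["access_token"])}


if __name__ == "__main__":
    for dev in ("dev-1", "dev-2", "dev-3"):
        print(dev, outlook_app("user@contoso.example", dev))
```

Running it walks the three constructed devices through the flow: the compliant one gets mail, the non-compliant and unregistered ones get the remediation message of step 1A. The separate OBO_KEY is the toy version of step 4’s second-level token: the access token the app holds is not what reaches the mailbox.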

More information

For more information about the Outlook app for iOS and Android, conditional access and Exchange Online, please refer to the following links:

Multi-identity in the managed Outlook app – Part 2

This blog post will show the behavior of the multi identities in the Microsoft Outlook app, as described in my posts about multi-identity in the managed Outlook app – part 1 and the Microsoft Intune Managed Browser. I’ve made four small movies that will show the behavior of the Microsoft Outlook app. A general note with these movies is that they’ll start to blink and act all funny at the moments that a managed app is opened, or when a PIN is required.

Part I – Install and configure the Microsoft Outlook app

In this first part I’ll show how the Microsoft Outlook app behaves during the installation and initial configuration. During this movie I’ll go through the following actions:

  • Open the Company Portal app;
  • Install the Microsoft Outlook app;
  • Open the Microsoft Outlook app;
  • Configure the PIN.

Part II – Open URLs in the Microsoft Outlook app

In this second part I’ll show how the Microsoft Outlook app behaves with opening URLs. During this movie I’ll go through the following actions:

  • Open the Microsoft Outlook app;
  • Open a blocked URL from company email;
  • Open an allowed URL from company email;
  • Open an URL from personal email.

Part III – Copy and paste content in the Microsoft Outlook app

In this third part I’ll show how the Microsoft Outlook app behaves with copying and pasting content to different apps. During this movie I’ll go through the following actions:

  • Open the Microsoft Outlook app;
  • Copy content from company email;
  • Paste the content in an unmanaged app;
  • Paste the content in a managed app;
  • Copy content from personal email;
  • Paste the content in any app.

Part IV – Open and save attachments in the Microsoft Outlook app

In this fourth part I’ll show how the Microsoft Outlook app behaves with saving attachments. During this movie I’ll go through the following actions:

  • Open the Microsoft Outlook app;
  • Open an attachment from company email;
  • Save the attachment;
  • Open an attachment from personal email;
  • Save the attachment.

Multi-identity in the managed Outlook app – Part 1

This blog post can be seen as a follow-up to a previous post about the email profile behavior after retiring a mobile device. In that post I showed the behavior of email profiles in the native mail app and the Outlook app after retiring the mobile device. In this post I’ll dive deeper into the Outlook app, more specifically the behavior of the managed Outlook app and multi-identities. To be complete, I’ll divide this blog post in two parts. This first part describes the assumptions, the configuration and the behavior; the second part shows the behavior in a real example.

Assumptions

During this blog post I’ve made four important assumptions about the used environment that might impact the test results. When these four items are not in place, the results might differ from the results in this blog post. The key is that these four items together create a fully managed Outlook app for company email.

  1. Office 365, including Exchange Online, is in place for the company email;
  2. Microsoft Intune hybrid, or standalone, is in place for managing the mobile devices;
  3. Conditional access is used to provide access to the company email;
  4. Application management policies are in place to protect the company email.

Configuration

During this blog post I’ve used the iOS and Android application management policies for the managed Outlook app from my Microsoft Intune hybrid environment. The settings that can be configured there are identical to the settings that can be configured in a Microsoft Intune standalone environment, and the settings used are the ones listed in the behavior table below.


Behavior

One key takeaway about the behavior is a difference between the Outlook app for iOS and the Outlook app for Android.

If a PIN requirement is configured, the Outlook app for iOS will always prompt for a PIN.

It will even prompt for a PIN during the initial startup. On the other hand, if a PIN requirement is configured, the Outlook app for Android will only prompt for a PIN after a company email profile is configured.

Besides that key difference, the behavior of the Outlook app for iOS and the Outlook app for Android is identical. Based on the configured managed application policy, the end-user will experience the following behavior for company email and for personal email.

Setting: Restrict web content to display in the Managed Browser
  • Company email: a URL will open in the Managed Browser. Note: when the Managed Browser is used with an allow list, the URL has to be part of that list.
  • Personal email: a URL will open in the default browser.

Setting: Prevent Android backups (Android only) [1]
  • Company email: the end-user will not experience anything special.
  • Personal email: the end-user will not experience anything special.

Setting: Prevent iTunes and iCloud backups (iOS only) [1]
  • Company email: the end-user will not experience anything special.
  • Personal email: the end-user will not experience anything special.

Setting: Allow app to transfer data to other apps
  • Company email: data can only be transferred to other managed apps.
  • Personal email: data can be transferred to any other app.

Setting: Allow app to receive data from other apps
  • Company email: data can be received from all other apps.
  • Personal email: data can be received from all other apps.

Setting: Prevent “Save As”
  • Company email: the “Save As” option is missing for attachments.
  • Personal email: the “Save As” option is available for attachments.

Setting: Restrict cut, copy, and paste with other apps
  • Company email: content and attachments can only be copied and pasted to other managed apps.
  • Personal email: content and attachments can be copied and pasted to all other apps.

Setting: Require simple PIN for access (including number of attempts before PIN reset)
  • Company email: a PIN is required for access.
  • Personal email: iOS – a PIN is required for access; Android – a PIN is not required for access.

Setting: Require corporate credentials for access
  • Company email: corporate credentials are required for access.
  • Personal email: iOS – corporate credentials are required for access; Android – corporate credentials are not required for access.

Setting: Require device compliance with corporate policy for access
  • Company email: there is no access when the device is jailbroken (iOS) or rooted (Android).
  • Personal email: there is always access.

Setting: Recheck the access requirements after timeout and offline grace period [2]
  • Company email: the end-user will not experience anything special.
  • Personal email: the end-user will not experience anything special.

Setting: Encrypt app data [3]
  • Company email: the end-user will not experience anything special.
  • Personal email: the end-user will not experience anything special.

Setting: Block screen capture (Android only)
  • Company email: the screen capture option can’t be used.
  • Personal email: the screen capture option can be used.

[1] This setting makes sure that the backup of the Outlook app is disabled, but, by default, the Outlook app already doesn’t perform online backups.
[2] This setting makes sure that the access requirements for the Outlook app are checked again after the specified timeout and grace period.
[3] This setting makes sure that all data associated with the Outlook app is encrypted. On iOS the data is encrypted at rest using the device-level encryption of iOS; on Android the data is encrypted during file I/O operations via encryption provided by Microsoft.

More information

For more information about controlling managed apps, please refer to the following links: