This week something completely different, this week I’ll be looking at the conditional access flow of the Outlook app for iOS and Android. By that I don’t mean that I’ll be looking at the high-level decision flow, which is available on TechNet, but more from a component perspective. It will be more of a what-happens-when-and-where flow.
Before I’ll start with the what-happens-when-and-where flow, I think it’s important to first provide a bit of information about Active Directory Authentication Library (ADAL)-based authentication, the Open Authentication (OAuth) protocol and the Outlook Cloud Service in combination with Office 365. These components make the what-happens-when-and-where flow.
The Outlook app for iOS and Android uses ADAL-based authentication to access Office 365. ADAL-based authentication enables the Outlook app for iOS and Android to use browser-based authentication with Office 365 and facilitates a sign-in with Azure AD. This allows the end-user to sign in directly to the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, instead of providing credentials directly to the Outlook app for iOS and Android.
OAuth for Office 365
The ADAL-based sign-in enables OAuth for Office 365 accounts. By enabling OAuth it provides the Outlook app for iOS and Android with a secure mechanism to access email without requiring access to end-user credentials. At sign-in, the end-user authenticates directly with the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, and receives an access token in return. That token grants the Outlook app for iOS and Android access to the appropriate mailbox, in Office 365, of the end-user (via the Outlook Cloud Service).
Outlook Cloud Service
The Outlook app for iOS and Android also uses the Outlook Cloud Service, which is an aggregation service to help the end-user with grabbing email. The Outlook app for iOS and Android uses OAuth for all accounts that support it, which includes Office 365. OAuth provides the Outlook app for iOS and Android with a secure mechanism to access Office 365 and the Outlook Cloud Service without needing the end-user credentials.
Conditional access flow
Now let’s have a look at how everything fits together in the what-happens-when-and-where flow for conditional access of the Outlook app for iOS and Android.
1. Authenticate user and device – The Outlook app for iOS and Android uses ADAL-based authentication to authenticate the end-user with Azure AD.
A. Not compliant/ registered – When the device of the end-user is not compliant, or not registered, the end-user will receive a message, or an email describing the steps to enroll, or to get compliant.
B. Register device | Enroll device – When the end-user performs the required activities, the device will be registered in Azure AD and the device will be enrolled in Microsoft Intune.
C. Set device management/ compliance status – After the device is enrolled it has to be evaluated by Microsoft Intune to see if it’s compliant with the company policies. When the device is considered compliant, the required properties in Azure AD will be set (DeviceId, isManaged and MDMStatus).
2. Issue access token – When the device is registered and compliant, the Outlook app for iOS and Android gets the access token and refresh token that are required for accessing the Office 365.
3. Access with AAD token – The Outlook app for iOS and Android will provide the required access token to the Outlook Cloud Service.
4. Verify access token – The Outlook Cloud Service will verify with Azure AD to see if it’s a valid access token. When the access token is valid, the Outlook Cloud Service will get a second level of security token that allows the Outlook Cloud Service to say that it wants to get email on behalf of the end-user.
5. Get company email – The Outlook Cloud Service will get the company email for the end-user from Office 365.
6. Email delivered – The Outlook Cloud Service delivers the company email for the end-user in the Outlook app for iOS and Android.
For more information about the Outlook app for iOS and Android, conditional access and Exchange Online, please refer to the following links:
- New access and security controls for Outlook for iOS and Android: https://blogs.office.com/2015/06/10/new-access-and-security-controls-for-outlook-for-ios-and-android/
- Security in Outlook for iOS and Android for Exchange Online: https://technet.microsoft.com/fr-FR/library/mt465746(v=exchg.150).aspx
- Securing Access to Office 365 and other apps with Enterprise Mobility Suite: https://channel9.msdn.com/Events/Ignite/2015/BRK3856
- Microsoft Intune and System Center Configuration Manager Core Skills: https://www.microsoftvirtualacademy.com/en-us/training-courses/microsoft-intune-and-system-center-configuration-manager-core-skills-11791?l=sYjdfhmEB_9604984382
- The OAuth 2.0 Authorization Framework: http://tools.ietf.org/html/rfc6749