Keep in mind that modern authentication is disabled by default on Exchange Online, and conditional access for the Outlook desktop client depends on it. To enable it, please follow this guidance.
Two weeks ago I started this series of blog posts about conditional access for PCs with the requirements for conditional access for PCs. Last week I built onto those requirements by adding the SharePoint Online Policy and the Compliance Policy, and I finished by showing the end-user experience.
This week, in the third part of this blog series, I'll again build onto those requirements by adding the Exchange Online Policy and, once more, the Compliance Policy. After those configurations are in place, I'll finish this third part with the end-user experience.
Note: This post repeats a few configurations that I also showed in the second part of this blog series. That way the Exchange Online Policy can be configured without first going through the configuration of the SharePoint Online Policy.
The configuration of conditional access for PCs contains two actions. The first action is to configure the Exchange Online Policy and the second action is to configure the Compliance Policy.
Exchange Online Policy
Now let's start with the first action, which is the configuration of the Exchange Online Policy. This policy is used to control access to Exchange Online mail, based on the configured conditions.
The configuration of the Exchange Online Policy is the same for both Microsoft Intune standalone and Microsoft Intune hybrid. The road to the setting might differ, but, in the end, the configuration has to be performed from the Microsoft Intune administration console.
Note: For testing the end-user experience I've tested the Exchange Online Policy with all three possible configurations for Windows devices: devices must be domain joined, devices must be compliant, and devices must be domain joined or compliant.
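The note at the top of this post says modern authentication is disabled by default on Exchange Online. The following PowerShell is an added example (not code from the original post) that checks the tenant-wide switch and turns it on when it is off, so the Exchange Online Policy can actually evaluate Outlook connections. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the admin UPN is a placeholder. At the time of the post the same cmdlets were reached through a remote PowerShell session to outlook.office365.com rather than Connect-ExchangeOnline.

```powershell
# Added example, not from the original post.
# Checks whether modern authentication (OAuth 2.0 / ADAL) is enabled for the
# Exchange Online tenant and enables it if not.
# Assumptions: ExchangeOnlineManagement module installed, admin account with
# Exchange Online permissions, admin@contoso.onmicrosoft.com is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

function Get-ModernAuthState {
    # OAuth2ClientProfileEnabled is the tenant-wide modern authentication switch.
    $config = Get-OrganizationConfig
    [pscustomobject]@{
        Tenant                     = $config.Name
        OAuth2ClientProfileEnabled = [bool]$config.OAuth2ClientProfileEnabled
    }
}

$before = Get-ModernAuthState
$before | Format-List

if (-not $before.OAuth2ClientProfileEnabled) {
    # Weak setting: with modern auth off, Outlook authenticates with legacy
    # (basic) authentication and the Exchange Online Policy is not applied to it.
    # Corrected setting: enable modern authentication tenant-wide.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

    # The change is tenant-wide and can take a while to propagate; re-read to confirm.
    Get-ModernAuthState | Format-List
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this once per tenant before rolling out the Exchange Online Policy; a policy that requires a compliant or domain-joined device does nothing for Outlook clients that never present a modern authentication token.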
The next action is the configuration of the Compliance Policy. This policy defines the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. A good thing to keep in mind is that it's not required to configure and deploy a Compliance Policy: when no Compliance Policy is configured and deployed, the device is automatically considered compliant. In other words, the default fails open, so an Exchange Online Policy that requires a compliant device only restricts anything once a Compliance Policy is actually deployed to that device.
The configuration of the Compliance Policy differs between Microsoft Intune standalone and Microsoft Intune hybrid.
Note: It's possible to create multiple Compliance Policies for different devices or different scenarios. After creating the policies, don't forget to deploy them to users or computers.
After the complete configuration is done, it’s time to look at the end-user experience for the Outlook desktop application. In this case I’m talking about the end-user experience of a blocked user, as the end-user experience of an allowed user doesn’t differ from any other Outlook experience.
When the end user's device is not compliant, or not joined to the domain, the end user gets the messages shown below when Outlook tries to connect to Exchange Online. The not compliant message is also shown when the combined option (domain joined or compliant) is configured. The examples are shown for Outlook 2013, but the Outlook 2016 experience is identical.
[Screenshots: the Outlook message for a device that is not compliant, and the Outlook message for a device that is not domain joined]
Note: It might take a moment before an existing Outlook connection is blocked when the device is no longer compliant.
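When a user reports one of the two messages above, the first thing to establish is which condition failed. The following PowerShell is an added example (not code from the original post) that is run on the Windows PC itself: it reports whether the machine is domain joined, which is what the "domain joined" options evaluate, and whether Outlook 2013 is configured for modern authentication (the EnableADAL and Version values under the Office 15.0 Identity key), without which the desktop client never reaches the conditional access evaluation at all. Outlook 2016 uses modern authentication by default, so the registry part only matters for Outlook 2013. Compliance state is not read here, because in the setups this post describes it is evaluated by Intune or ConfigMgr, not by the client.

```powershell
# Added example, not from the original post.
# Client-side pre-flight check for a Windows PC that is expected to pass the
# Exchange Online Policy. Reports domain-join state and the Outlook 2013 modern
# authentication (ADAL) registry configuration, and enables the latter when missing.
# Assumption: Outlook 2013 (Office 15.0) is installed for the current user; on a
# machine with only Outlook 2016 the registry part is skipped.

$office15Key  = 'HKCU:\SOFTWARE\Microsoft\Office\15.0'
$identityKey  = Join-Path $office15Key 'Common\Identity'

function Test-CAPreflight {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $enableAdal = $null
    if (Test-Path $identityKey) {
        $enableAdal = (Get-ItemProperty -Path $identityKey -ErrorAction SilentlyContinue).EnableADAL
    }

    [pscustomobject]@{
        ComputerName      = $cs.Name
        DomainJoined      = [bool]$cs.PartOfDomain   # "Not domain joined" message if false
        Domain            = $cs.Domain
        Outlook2013Found  = (Test-Path $office15Key)
        Outlook2013ADAL   = ($enableAdal -eq 1)       # modern auth on for Outlook 2013
    }
}

$state = Test-CAPreflight
$state | Format-List

if ($state.Outlook2013Found -and -not $state.Outlook2013ADAL) {
    # Weak state: Outlook 2013 falls back to legacy authentication, so the
    # Exchange Online Policy cannot evaluate the device. Corrected state below;
    # Outlook has to be restarted for it to take effect.
    New-Item -Path $identityKey -Force | Out-Null
    Set-ItemProperty -Path $identityKey -Name EnableADAL -Value 1 -Type DWord
    Set-ItemProperty -Path $identityKey -Name Version    -Value 1 -Type DWord
    Test-CAPreflight | Format-List
}
```

If DomainJoined is false on a policy that requires domain join, the "Not domain joined" message is expected and no amount of compliance work on the client changes it; if the PC is domain joined and modern authentication is on but the "Not compliant" message appears, look at the Compliance Policy deployment in Intune or ConfigMgr for that device.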
For more information about the Exchange Online Policy and the Compliance Policy that are used for conditional access for PCs, please refer to the following links:
- Conditional Access for Exchange Email in Configuration Manager: https://technet.microsoft.com/en-us/library/mt131421.aspx
- Manage email access with Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705841
- Compliance Policies in Configuration Manager: https://technet.microsoft.com/en-us/library/mt131417.aspx
- Manage device compliance policies for Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705843.aspx
6 thoughts on “Conditional Access for PCs – Part III: Exchange Online”
Very Good Post.
Is there a way that you are aware of that enforces the Conditional Access via the Browser but allows OWA access from non Company managed devices?
If the Organization wants to block access to all services from non Company Devices BUT wants to allow their staff to still access their email (OWA in Office365) from their home computer, is that possible as an exemption?
Sounds like a very bad backdoor, which bypasses the use of conditional access. That being said, I think you should be able to create a claim in ADFS to do something like that.
Peter, I’m struggling with the docs on this one.
The Windows PC setting: “Devices must be domain joined or compliant” is confusing. In an Intune Hybrid environment, where a Win10 PC is non-domain, would it be “compliant” if it was managed by SCCM and not “non-compliant” ? Or is Intune the only option??
Devices managed by SCCM can also be targeted with compliance policies via SCCM. When a device is compliant to that policy, or no policy is targeted, it's marked as compliant.