Conditional Access for PCs – Part III: Exchange Online

Keep in mind that by default modern authentication is disabled on Exchange Online. To enable this, please follow this guidance. Two weeks ago I started this series of blog posts about conditional access for PCs with the requirements for conditional access for PCs. Last week I built onto those requirements by adding the SharePoint Online Policy and the Compliance Policy, and I finished by showing the end-user experience. This week, in the third part of this blog series, I’ll also build onto those requirements by adding the Exchange Online Policy and again the Compliance Policy. After those configurations are in place, I’ll also finish this third part of this blog series with the end-user experience. Note: This post shows a few …

Conditional Access for PCs – Part II: SharePoint Online

Last week I started this series of blog posts about conditional access for PCs. I started with the requirements for conditional access for PCs. This week, in the second part of this blog series, I’ll build onto those requirements by adding the SharePoint Online Policy and the Compliance Policy. After those configurations are in place, I’ll finish this second part of this blog series with the end-user experience. Note: This post shows a few configurations identical to those I also mention in the third part of this blog series. This allows one to configure the SharePoint Online Policy without going through the configuration of the Exchange Online Policy. Configuration The configuration of conditional access for PCs contains two actions. The first action is to configure …

Conditional Access for PCs – Part I: Requirements

Another new capability that was added to Microsoft Intune during the August 2015 update is conditional access for PCs that run Office desktop applications to access Exchange Online and SharePoint Online. This nice capability enables us to require that PCs must be either domain joined or compliant. In order to be compliant, the PCs must be enrolled in Microsoft Intune and the PCs must comply with the policies. This capability has more requirements and requires more configurations than most other Microsoft Intune standalone or Microsoft Intune hybrid capabilities. That’s why I decided to make this another blog series. This blog series will contain three parts: Requirements – This part will list all the requirements and the required configurations to start with the different conditional access …

Multi-identity in the managed Outlook app – Part 2

This blog post will show the behavior of multi-identity in the Microsoft Outlook app, as described in my posts about multi-identity in the managed Outlook app – part 1 and the Microsoft Intune Managed Browser. I’ve made four small movies that will show the behavior of the Microsoft Outlook app. A general note with these movies is that they’ll start to blink and act all funny at the moments that a managed app is opened, or when a PIN is required. Part I – Install and configure the Microsoft Outlook app In this first part I’ll show how the Microsoft Outlook app behaves during the installation and initial configuration. During this movie I’ll go through the following actions: Open the Company Portal …

Multi-identity in the managed Outlook app – Part 1

This blog post can be seen as a follow-up to a previous post about the email profile behavior after retiring a mobile device. During that post I showed the behavior of email profiles in the native mail app and the Outlook app after retiring the mobile device. In this post I’ll dive deeper into the Outlook app. More specifically, the behavior of the managed Outlook app and multi-identities. To be complete, I’ll divide this blog post into two parts. This first part will describe the assumptions, the configuration and the behavior and the second part will show the behavior in a real example. Assumptions During this blog post I’ve made four important assumptions about the used environment that might impact the test results. When …

Email profile behavior after retiring a mobile device

This blog post will be a follow-up on my blog post of last week about the three layers of protection with conditional access for Exchange email. During that post I tried to stress the importance of protecting, and being in control of, company email. In this blog post I will go through different scenarios to show the behavior of company email after retiring a mobile device from Microsoft Intune. I will show the results of these scenarios for both the native email app and the Outlook app. Scenarios Before I start with the different scenarios it’s important to mention that, after a mobile device is successfully retired from Microsoft Intune, the user will be able to configure company email on their mobile device. This is …

The three layers of protection with conditional access for Exchange email

In this blog post I would like to write a little about, what I like to call, the three layers of protection with conditional access for Exchange email. No, I don’t mean that a device has to be 1) enrolled in Microsoft Intune, 2) workplace joined and 3) compliant with any Microsoft Intune compliance policies. What I do mean is related to company data, in this case company email, and the protection of it on mobile devices. That means three different layers of protection for Exchange email on mobile devices. From basic protection to almost complete protection. The first layer of protection The first, basic, layer of protection is simply using an Exchange Online Policy, or an Exchange On-premises Policy. These policies make it possible …
