The conditional access flow of the Outlook app for iOS and Android

This week something completely different: I'll be looking at the conditional access flow of the Outlook app for iOS and Android. By that I don't mean the high-level decision flow, which is available on TechNet, but rather the flow from a component perspective. It will be more of a what-happens-when-and-where flow.

Before I start with the what-happens-when-and-where flow, I think it's important to first provide a bit of information about Active Directory Authentication Library (ADAL)-based authentication, the Open Authentication (OAuth) protocol and the Outlook Cloud Service in combination with Office 365. Together these components make up the what-happens-when-and-where flow.

ADAL-based authentication

The Outlook app for iOS and Android uses ADAL-based authentication to access Office 365. ADAL-based authentication enables the Outlook app for iOS and Android to use browser-based authentication with Office 365 and facilitates a sign-in with Azure AD. This allows the end-user to sign in directly to the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, instead of providing credentials directly to the Outlook app for iOS and Android.

OAuth for Office 365

The ADAL-based sign-in enables OAuth for Office 365 accounts. Enabling OAuth gives the Outlook app for iOS and Android a secure mechanism to access email without requiring access to end-user credentials. At sign-in, the end-user authenticates directly with the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, and receives an access token in return. That token grants the Outlook app for iOS and Android access to the end-user's mailbox in Office 365 (via the Outlook Cloud Service).

Outlook Cloud Service

The Outlook app for iOS and Android also uses the Outlook Cloud Service, an aggregation service that retrieves email for the end-user. The Outlook app for iOS and Android uses OAuth for all accounts that support it, which includes Office 365. OAuth provides the Outlook app for iOS and Android with a secure mechanism to access Office 365 and the Outlook Cloud Service without needing the end-user credentials.

Conditional access flow

Now let’s have a look at how everything fits together in the what-happens-when-and-where flow for conditional access of the Outlook app for iOS and Android.

(Figure: OutlookApp_CA, the conditional access flow of the Outlook app for iOS and Android)

1. Authenticate user and device – The Outlook app for iOS and Android uses ADAL-based authentication to authenticate the end-user with Azure AD.
A. Not compliant/not registered – When the device of the end-user is not compliant, or not registered, the end-user will receive a message, or an email, describing the steps to enroll or to get compliant.
B. Register device | Enroll device – When the end-user performs the required activities, the device will be registered in Azure AD and enrolled in Microsoft Intune.
C. Set device management/compliance status – After the device is enrolled it has to be evaluated by Microsoft Intune to see if it's compliant with the company policies. When the device is considered compliant, the required properties in Azure AD will be set (DeviceId, isManaged and MDMStatus).
2. Issue access token – When the device is registered and compliant, the Outlook app for iOS and Android gets the access token and refresh token that are required for accessing Office 365.
3. Access with AAD token – The Outlook app for iOS and Android provides the required access token to the Outlook Cloud Service.
4. Verify access token – The Outlook Cloud Service verifies with Azure AD that the access token is valid. When the access token is valid, the Outlook Cloud Service obtains a second-level security token that allows it to request email on behalf of the end-user.
5. Get company email – The Outlook Cloud Service gets the company email for the end-user from Office 365.
6. Email delivered – The Outlook Cloud Service delivers the company email for the end-user to the Outlook app for iOS and Android.
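To make the six steps concrete, here is a toy model of the flow as an added example; it is not code from Microsoft or from this post. Azure AD, Intune, the Outlook Cloud Service and Exchange Online are stand-in Python classes, the device object carries the three properties named in step 1C (DeviceId, isManaged, MDMStatus), and the tokens are minimal HMAC-signed JWTs built from the standard library so the whole thing runs offline. The signing key, the audience names, the user and the mailbox contents are constructed; real Azure AD tokens are RS256-signed and verified against published keys, and the real device and token claims are richer than shown here. The model also covers the blocked paths (unregistered device, non-compliant device) and shows the Outlook Cloud Service rejecting a token that was not issued for it.

```python
"""Toy model of the conditional access flow (added example, not Microsoft code).
Everything here is constructed: the key, names, mailbox and the HS256 JWT stand in
for Azure AD's RS256-signed tokens."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-signing-key"  # stands in for Azure AD's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """header.payload.signature with HMAC-SHA256 (toy stand-in for Azure AD's RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, audience: str, key: bytes = SIGNING_KEY) -> dict:
    """Return the claims only if signature, audience and expiry all check out."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != audience:
        raise ValueError("token issued for a different audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


class ConditionalAccessError(Exception):
    """Step 1A: what the end-user is told, including the remediation step."""


class AzureAD:
    """Holds the device objects; issues tokens only for registered, compliant devices."""

    def __init__(self):
        self.devices = {}  # DeviceId -> {"isManaged": bool, "MDMStatus": str}

    def register_device(self, device_id: str) -> None:  # step 1B: device registration
        self.devices[device_id] = {"isManaged": False, "MDMStatus": "NotEnrolled"}

    def set_compliance(self, device_id: str, compliant: bool) -> None:  # step 1C: written by Intune
        status = "Compliant" if compliant else "NonCompliant"
        self.devices[device_id].update(isManaged=True, MDMStatus=status)

    def issue_tokens(self, user: str, device_id: str) -> tuple:  # steps 1 and 2
        device = self.devices.get(device_id)
        if device is None:
            raise ConditionalAccessError("Device not registered: register it through the Company Portal app")
        if not device["isManaged"] or device["MDMStatus"] != "Compliant":
            raise ConditionalAccessError("Device not compliant: enroll in Intune and fix the reported policy issues")
        now = int(time.time())
        access = sign_jwt({"sub": user, "aud": "outlook-cloud-service", "deviceid": device_id, "exp": now + 3600})
        refresh = sign_jwt({"sub": user, "aud": "azure-ad", "typ": "refresh", "exp": now + 86400})
        return access, refresh

    def on_behalf_of(self, access_token: str) -> str:  # step 4: the second-level token
        claims = verify_jwt(access_token, audience="outlook-cloud-service")
        return sign_jwt({"sub": claims["sub"], "aud": "exchange-online", "exp": int(time.time()) + 600})


class ExchangeOnline:
    def __init__(self, mailboxes: dict):
        self.mailboxes = mailboxes

    def get_mail(self, obo_token: str) -> list:  # step 5: only for a token scoped to Exchange
        claims = verify_jwt(obo_token, audience="exchange-online")
        return self.mailboxes.get(claims["sub"], [])


class OutlookCloudService:
    def __init__(self, aad: AzureAD, exchange: ExchangeOnline):
        self.aad, self.exchange = aad, exchange

    def fetch_mail(self, access_token: str) -> list:  # steps 3 to 6
        verify_jwt(access_token, audience="outlook-cloud-service")  # step 4: is this a valid AAD token?
        return self.exchange.get_mail(self.aad.on_behalf_of(access_token))


def run_flow(aad: AzureAD, ocs: OutlookCloudService, user: str, device_id: str) -> dict:
    """What the app does: get tokens, hand the access token to the service, show mail or the CA message."""
    try:
        access_token, _refresh = aad.issue_tokens(user, device_id)
    except ConditionalAccessError as err:
        return {"status": "blocked", "message": str(err)}
    return {"status": "ok", "mail": ocs.fetch_mail(access_token)}


if __name__ == "__main__":
    aad = AzureAD()  # constructed sample environment
    ocs = OutlookCloudService(aad, ExchangeOnline({"alice@contoso.example": ["Welcome", "Q3 report"]}))
    print(run_flow(aad, ocs, "alice@contoso.example", "phone-1"))  # step 1A: not registered
    aad.register_device("phone-1")
    aad.set_compliance("phone-1", compliant=True)
    print(run_flow(aad, ocs, "alice@contoso.example", "phone-1"))  # steps 2 to 6: mail delivered
```

The point to take from the model is where each check lives: device registration and compliance are decided by Azure AD before any token exists (steps 1 and 2), while the Outlook Cloud Service never sees the user's credentials and only acts on a token whose signature, audience and expiry it can verify (step 4), exchanging it for a narrower token before it touches the mailbox (step 5).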

More information

For more information about the Outlook app for iOS and Android, conditional access and Exchange Online, please refer to the following links:


2 thoughts on “The conditional access flow of the Outlook app for iOS and Android”

  1. We are using the Azure AD DRS service to register devices (laptops and mobile phones) into Azure AD, which then get written back to on-prem AD. This has been done to restrict access and allow only registered users.
    For restricting access only to registered users with a device, we have created an authorization claim rule on the ADFS O365 relying party.
    This rule specifies that if the value of http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser = TRUE, then allow access.
    On Android phones, devices are getting registered through the Company Portal app.
    Issue –
    The issue seems to be occurring on the Android Outlook app when updating the password for Outlook. While updating the password, it goes through the Company Portal and then to the ADFS page, where it gives an authorization error.
    From the logs it seems it's not sending the http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser claim to ADFS and hence the ADFS conditional access claim rule is not getting applied to it.
    Although during mobile device registration the client certificate gets installed on the device, and it should send the registered user/device details through the certificate. Doesn't the Exchange app on Android send the ISREGISTEREDUSER claim?
    Note –
    1. We are not using the ADFS DRS service.
    2. We are not leveraging Intune or MDM for device compliance and conditional access.
    3. No issue with laptops.
    We have deleted the default “ALL ACCESS” permit rule on the O365 relying party.

  2. Hi Ankush,

    I don’t know the exact claims that the Outlook app uses, but if you can’t find the specific claim in the ADFS log (Event Viewer) then it’s probably not available. To be completely sure you can contact Microsoft through the Outlook app to verify.

    Regards,
    Peter
