When are devices blocked after enabling conditional access?

This week a blog post with only one purpose, and that purpose is, providing an overview. Providing an overview about when devices will be blocked after enabling conditional access. That information is available in the TechNet documentation (see the More information section of this post), but it might be a bit difficult to find. As the question pops up in the TechNet forums at a regular basis, I got the suggestion that it would be a good idea to provide a quick, but clear, overview.

This post will provide nice tables, for Microsoft Intune standalone and Microsoft Intune hybrid, with the time it will take before a device will be blocked from Exchange. That information will be provided for two different setups and three different scenarios. A quick spoiler, the tables for Microsoft Intune standalone and Microsoft Intune hybrid are identical.

Overview

Let’s have a look at the mentioned overview tables for Microsoft Intune standalone and Microsoft Intune hybrid. However, before looking at the overview tables, it’s important to understand the following details about the scenarios.

  • After user setting up email profile – This scenario is applicable when the end-user wants to configure email on a device that is not enrolled;
  • After user enrolling blocked device – This scenario is applicable when the end-user wants to get email on a device that’s just enrolled, or just remediated;
  • After user un-enrolling device – This scenario is applicable when the end-user has un-enrolled its device.

Microsoft Intune standalone

Below is the overview table for Microsoft Intune standalone.

After user setting up email profile After user enrolling blocked device After user un-enrolling device
Exchange Online Device is blocked immediately Device is unblocked within 2 minutes Device is blocked after around 6 hours
Exchange on-premises Device is blocked after around 1-3 hours Device is unblocked within 2 minutes Device is blocked after around 1-3 hours

Note: The legacy Exchange Online Dedicated is identical to Exchange on-premises.

Microsoft Intune hybrid

Below is the overview table for Microsoft Intune hybrid.

After user setting up email profile After user enrolling blocked device After user un-enrolling device
Exchange Online Device is blocked immediately Device is unblocked within 2 minutes Device is blocked after around 6 hours
Exchange on-premises Device is blocked after around 1-3 hours Device is unblocked within 2 minutes Device is blocked after around 1-3 hours

Note: The legacy Exchange Online Dedicated is identical to Exchange on-premises.

More information

For more information about managing email access via Microsoft Intune standalone or Microsoft Intune hybrid, please refer to:

2 thoughts on “When are devices blocked after enabling conditional access?

  1. Nice post, thanks.
    So, am correct in thinking here that if i were to turn on Conditional Access, and add users into the group for which it was targeted, their devices would NOT get blocked?

    Im testing and this seems to be the case. Its as if once the sync has been set up initially, then its set up and doesn’t get blocked. Is this expected behavior?

    Note: I have 2 devices which still have access, i wiped a third and set up mail from scratch and conditional access policies do seems to be applying to the fresh device only..

  2. When a user is member of the targeted group, the user will get blocked when the device is not enrolled and not compliant.

    When a user is member of the exempted group, the user will not get blocked via conditional access.

    Once an device is un-enrolled, it can take up to 6 hours before the device is blocked.

Leave a Comment