This week's blog post has only one purpose: providing an overview of when devices will be blocked after enabling conditional access. That information is available in the TechNet documentation (see the More information section of this post), but it might be a bit difficult to find. As the question pops up in the TechNet forums on a regular basis, I got the suggestion that it would be a good idea to provide a quick, but clear, overview.
This post provides tables, for Microsoft Intune standalone and Microsoft Intune hybrid, with the time it takes before a device is blocked from Exchange. That information is provided for two different setups and three different scenarios. A quick spoiler: the tables for Microsoft Intune standalone and Microsoft Intune hybrid are identical.
Overview
Let’s have a look at the mentioned overview tables for Microsoft Intune standalone and Microsoft Intune hybrid. However, before looking at the overview tables, it’s important to understand the following details about the scenarios.
- After user setting up email profile – This scenario is applicable when the end-user wants to configure email on a device that is not enrolled;
- After user enrolling blocked device – This scenario is applicable when the end-user wants to get email on a device that’s just enrolled, or just remediated;
- After user un-enrolling device – This scenario is applicable when the end-user has un-enrolled their device.
Microsoft Intune standalone
Below is the overview table for Microsoft Intune standalone.
| | After user setting up email profile | After user enrolling blocked device | After user un-enrolling device |
| --- | --- | --- | --- |
| Exchange Online | Device is blocked immediately | Device is unblocked within 2 minutes | Device is blocked after around 6 hours |
| Exchange on-premises | Device is blocked after around 1-3 hours | Device is unblocked within 2 minutes | Device is blocked after around 1-3 hours |
Note: The legacy Exchange Online Dedicated is identical to Exchange on-premises.
Microsoft Intune hybrid
Below is the overview table for Microsoft Intune hybrid.
| | After user setting up email profile | After user enrolling blocked device | After user un-enrolling device |
| --- | --- | --- | --- |
| Exchange Online | Device is blocked immediately | Device is unblocked within 2 minutes | Device is blocked after around 6 hours |
| Exchange on-premises | Device is blocked after around 1-3 hours | Device is unblocked within 2 minutes | Device is blocked after around 1-3 hours |
Note: The legacy Exchange Online Dedicated is identical to Exchange on-premises.
More information
For more information about managing email access via Microsoft Intune standalone or Microsoft Intune hybrid, please refer to:
- Manage email access with Microsoft Intune: https://technet.microsoft.com/en-us/library/dn705841.aspx
- Conditional Access for Exchange Email in Configuration Manager: https://technet.microsoft.com/en-us/library/mt131421.aspx
Nice post, thanks.
So, am I correct in thinking here that if I were to turn on Conditional Access, and add users into the group for which it was targeted, their devices would NOT get blocked?
I'm testing and this seems to be the case. It's as if once the sync has been set up initially, then it's set up and doesn’t get blocked. Is this expected behavior?
Note: I have 2 devices which still have access. I wiped a third and set up mail from scratch, and conditional access policies do seem to be applying to the fresh device only.
When a user is a member of the targeted group, the user will get blocked when the device is not enrolled and not compliant.
When a user is a member of the exempted group, the user will not get blocked via conditional access.
Once a device is un-enrolled, it can take up to 6 hours before the device is blocked.
Thanks for the great post.
Is the “up to 6 hrs” gap from when a device is un-enrolled due to Intune’s policy refresh retry rate (similar to: if a newly enrolled device doesn’t get its policies immediately, Intune tries again in 6 hrs for iOS / 8 hrs for Android)? Or is that a sync interval determined by Exchange?
Thanks in advance.
Hi Ken,
To my knowledge that’s related to the sync with Exchange.
Regards, Peter