Blog Post

Exchange Team Blog
4 MIN READ

Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile

The_Exchange_Team's avatar
Jun 19, 2020

Update: the change mentioned in this article has been rolled out to all commercial tenants.

Many of you may rely on Exchange Online mobile device access rules to ensure that only approved devices (or apps) access your messaging data. By default, an Exchange Online tenant allows access for all mobile devices. Admins can change this behavior to either block or quarantine devices with the following cmdlet:

 

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel <Allow,Quarantine,Block>

 

Exchange mobile device access rules can even be used to manage Outlook for iOS and Android; see Block all email apps except Outlook for iOS and Android for examples.

Likewise, many of you have moved away from leveraging Exchange mobile device access rules and moved to a more comprehensive solution – Azure AD Conditional Access policies.

What you may not know is the interaction between Exchange’s mobile device access rules and Azure Active Directory Conditional Access policies when using Outlook for iOS and Android. This article describes how these policies work today and what is changing in August 2020.

Current behavior

Today, if you configure any conditional access policy (regardless of its applicability to mobile devices), Exchange Online will skip mobile device access rules’ processing for Outlook for iOS and Android devices.

For example, let’s say in your tenant you have no conditional access policies targeting iOS or Android devices, but you have a policy that ensures Windows devices are managed. This conditional access policy targets the Windows platform and leverages the following grant access controls:

With this configuration, you may expect that Outlook for iOS and Android would be subject to Exchange’s mobile device access policies because there are no conditional access policies in play for iOS and Android devices. However, that’s not the case. When Outlook for iOS and Android connects to Exchange Online, Exchange Online executes a Graph API call to Azure AD and determines that there are conditional access policies associated with the user and skips the processing of the Exchange device access policies. You can see this by querying the device in Get-MobileDeviceStatistics as the DeviceAccessStateReason is set to ExternallyManaged:

 

Get-MobileDeviceStatistics -mailbox Natasha | where {$_.DeviceModel -eq "Outlook for iOS and Android"} | fl LastSuc*,DeviceAccess*
LastSuccessSync         : 6/9/2020 10:35:13 PM
DeviceAccessState       : Allowed
DeviceAccessStateReason : ExternallyManaged
DeviceAccessControlRule :

 

Future behavior

Obviously, that is not the desired behavior. Beginning in August 2020, we are rolling out changes in Exchange Online to ensure that only certain Conditional Access policies bypass Exchange’s mobile device access rules for Outlook for iOS and Android devices. Specifically, only Conditional Access policies configured with the following conditions and grant access controls will prevent Exchange mobile device access rules being applied to Outlook for iOS and Android:

  • Cloud app condition: Exchange Online or Office 365
  • Device platform condition: iOS and/or Android
  • Client apps condition: Mobile apps and desktop clients
  • One of the following Grant access controls: Require device to be marked as compliant, Require approved client app, Require app protection policy

For more information on these grant access controls, see Conditional Access: Grant.

The good news is that if you are utilizing one (or more of) these grant access controls with the appropriate conditions, your Outlook for iOS and Android users will not be affected.

However, if you are utilizing Conditional Access policies that do not leverage the appropriate conditions and grant access controls and have configured the mobile device access level within Exchange Online to block or quarantine devices, users using Outlook for iOS and Android will be blocked or quarantined by Exchange Online after this change is implemented. By default, the mobile device access level in Exchange Online is set to allow. You have a few different options on how you can remediate this prior to the change:

  1. Implement Microsoft Endpoint Manager and one of the above grant access controls. For more information, see Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android.
  2. Create an Exchange Online device access rule that allows Outlook for iOS and Android. For more information, see Block all email apps except Outlook for iOS and Android.
  3. Manually add the user’s Outlook for iOS and Android Device ID to the user’s ActiveSyncAllowedDeviceIDs property. To obtain the Device ID, use Get-MobileDeviceStatistics. To add the Device ID to the user’s ActiveSyncAllowedDeviceIDs property, see Set-CASMailbox. An example script is provided that can be modified to automate this:

 

$mbxs = Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize 10000
foreach($mbx in $mbxs)
{
$IDList = Get-EXOMobileDeviceStatistics -Mailbox $mbx.id | where {$_.LastSuccessSync -ge "2020-06-01" -and $_.DeviceModel -eq "Outlook for iOS and Android"}
If(!$IDList) { continue }
foreach($ID in $IDList) {$mbx.ActiveSyncAllowedDeviceIDs += $ID.DeviceID}
Set-CasMailbox $mbx.Id -ActiveSyncAllowedDeviceIDs $mbx.ActiveSyncAllowedDeviceIDs
}

 

  1. Change the default access level to Allow. For more information, see Set-ActiveSyncOrganizationSettings. This change allows all mobile devices, regardless of type, to connect.
  2. Alternatively, organizations can retain their default mobile device access level and wait for this change to take place and manually allow each device as they are quarantined/blocked.

Important: Because Outlook for iOS and Android’s device IDs are not governed by any physical device ID, the ID can change without notice. When this happens, it can cause unintended consequences when device IDs are used for managing user devices, as existing 'allowed' devices may be unexpectedly blocked or quarantined by Exchange. Therefore, we recommend administrators only set mobile device access policies for Outlook for iOS and Android that allow/block devices based on device type or device model.

We believe the changes we’re implementing are the right approach for improving the overall security for Outlook for iOS and Android devices by only skipping Exchange mobile device access rules when the device is managed by Intune. If you have any questions, please let us know.

Ross Smith IV

Updated Feb 08, 2021
Version 9.0