Good day to all,
unfortunately the underlying issues that have been introduced due to this "bug" in Conditional Access are not addressed at all by the changes that Microsoft has been rolling out. I may have missed it - but what I am not seeing in Microsoft's communication on this topic is that, specifically for ActiveSync-based mailbox access, Exchange Online was not just "ignoring" or "bypassing" any configured restrictions such as ActiveSync quarantine! Instead, unauthorized ActiveSync clients were actively being authorized. And they therefore still are!
Organizations that were using ActiveSync quarantining will be able to see that the Mobile Device Status for any instance of "Outlook mobile" that was used during the period that this "bug" in Conditional Access has existed was automatically changed from "Quarantined" to "Access granted". Those entries still exist today - and they will continue to be valid until removed!
When you take into consideration that the "device id" for an instance of the Outlook mobile app may change when the app is upgraded, that also means that when the app is not upgraded the "device id" stays the same - and therefore the "Access granted" status for that "device id" continues to be valid...
So by pushing out these changes Microsoft is only preventing MORE unauthorized instances of Outlook mobile from getting added to your tenants - but they are not cleaning up the mess they created in the first place.
Now I have put that word "bug" in quotes because I do not believe this was a mistake. The timing / period over which this has happened and some of the other things Microsoft has done make me think that this was all part of a deliberate campaign to boost usage and acceptance of the Outlook for mobile app. Maybe it is just me being cynical. But this issue has been in place since at least December 2019 and it nicely overlaps with campaigns Microsoft has been running to promote the use of Outlook for mobile. Remember the unsolicited banners that showed up in Outlook on the desktop last spring? That's just one example. The fact that Outlook mobile uses its own "device id"? That's crazy. It's an app - not a device. These are choices. Bad choices. One could argue these choices were made deliberately in an attempt to circumvent the capabilities of non-Microsoft MDM solutions like AirWatch.
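Added example (editor's own Exchange Online PowerShell, not the poster's and not anything Microsoft ships): a script that lists the Outlook mobile ActiveSync partnerships that currently sit in the "Allowed" state and, on request, removes them so the app has to pass the tenant's quarantine and device access rules again on its next sync. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline, Get-ActiveSyncOrganizationSettings, Get-MobileDevice, Remove-MobileDevice); the property names are the ones Get-MobileDevice reports as I know them, the DeviceType value 'Outlook' for the Outlook app and the December 2019 cutoff are assumptions taken from this thread, and the sample objects at the bottom are constructed so the filter can be tried without a tenant connection. Verify all of this against your own tenant before removing anything.

```powershell
# Added example, not from the original post. Finds Outlook app (ActiveSync)
# partnerships that are "Allowed" and optionally removes them so the app goes
# through quarantine again on its next sync. Assumes the ExchangeOnlineManagement
# module; property names follow Get-MobileDevice output, and the DeviceType value
# 'Outlook' plus the 2019-12-01 cutoff are assumptions taken from the thread.

function Select-AllowedOutlookPartnership {
    # Pure filter over device objects so it can be exercised offline on sample data.
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        # Partnerships first seen on or after this date fall inside the window the
        # post describes (December 2019 onwards); adjust to your own evidence.
        [datetime] $Since = [datetime]'2019-12-01'
    )
    $Devices | Where-Object {
        $_.DeviceType -eq 'Outlook' -and
        $_.DeviceAccessState -eq 'Allowed' -and
        $_.FirstSyncTime -ge $Since
    } | Select-Object UserDisplayName, DeviceId, DeviceAccessStateReason, FirstSyncTime, Identity
}

function Remove-AllowedOutlookPartnership {
    # Removing the partnership does not block the user and wipes nothing; it only
    # discards the stored "Access granted" decision. The next sync creates a fresh
    # partnership that is subject to the organisation default (Quarantine) again.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Device)
    process {
        $target = '{0} ({1})' -f $Device.UserDisplayName, $Device.DeviceId
        if ($PSCmdlet.ShouldProcess($target, 'Remove mobile device partnership')) {
            Remove-MobileDevice -Identity $Device.Identity -Confirm:$false
        }
    }
}

function Invoke-OutlookPartnershipReview {
    # Live run against the tenant (run Connect-ExchangeOnline first). Refuses to
    # remove anything unless the tenant default really is Quarantine, because
    # otherwise the re-created partnership would simply be allowed again.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Remove)
    $orgDefault = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
    $found = Select-AllowedOutlookPartnership -Devices (Get-MobileDevice -ResultSize Unlimited)
    $found | Format-Table UserDisplayName, DeviceId, DeviceAccessStateReason, FirstSyncTime -AutoSize
    if ($Remove) {
        if ($orgDefault -ne 'Quarantine') {
            throw "DefaultAccessLevel is '$orgDefault', not 'Quarantine'; fix that first."
        }
        $found | Remove-AllowedOutlookPartnership   # -WhatIf on this function propagates here
    }
}

# Constructed sample objects (not real tenant data) to check the filter offline.
$sample = @(
    [pscustomobject]@{ UserDisplayName = 'alice'; DeviceType = 'Outlook'; DeviceId = 'A1B2C3D4E5F60718'; DeviceAccessState = 'Allowed';     DeviceAccessStateReason = 'Individual'; FirstSyncTime = [datetime]'2020-02-10'; Identity = 'alice\ExchangeActiveSyncDevices\Outlook§A1B2C3D4E5F60718' }
    [pscustomobject]@{ UserDisplayName = 'bob';   DeviceType = 'Outlook'; DeviceId = '0F1E2D3C4B5A6978'; DeviceAccessState = 'Quarantined'; DeviceAccessStateReason = 'Global';     FirstSyncTime = [datetime]'2020-03-01'; Identity = 'bob\ExchangeActiveSyncDevices\Outlook§0F1E2D3C4B5A6978' }
    [pscustomobject]@{ UserDisplayName = 'carol'; DeviceType = 'iPhone';  DeviceId = 'ABCDEF0123456789'; DeviceAccessState = 'Allowed';     DeviceAccessStateReason = 'Individual'; FirstSyncTime = [datetime]'2020-01-15'; Identity = 'carol\ExchangeActiveSyncDevices\iPhone§ABCDEF0123456789' }
)
# Only alice's entry should come back: Outlook app, Allowed, first seen after Dec 2019.
Select-AllowedOutlookPartnership -Devices $sample | Format-Table -AutoSize
```

Run Invoke-OutlookPartnershipReview without -Remove first and go through the list: DeviceAccessStateReason tells you whether an entry was allowed per mailbox, by a device access rule or by an external (MDM) decision, so strip out anything an admin released on purpose before you run it again with -Remove -WhatIf and finally with -Remove. Removal only resets the partnership; users whose app is legitimately allowed will simply land in quarantine again and can be released the normal way.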