Ross Smith IV, whether or not Outlook mobile uses the Exchange ActiveSync protocol did become irrelevant when you continued to use the term "ActiveSync" all over the place. At least when using the terms "activesync" and "quarantine" most people who have been around for a while will know where to look in their environments.
The point I was making is that this statement from the original posting above does appear to be incorrect:
Today, if you configure any conditional access policy (regardless of its applicability to mobile devices), Exchange Online will skip mobile device access rules’ processing for Outlook for iOS and Android devices.
It appears to be the case that Exchange Online did not just "skip" the processing of any mobile device access rules. Instead, the mobile device access was actually permanently approved. A new entry was added to the list of devices / apps to explicitly and permanently grant access to the device ID in question for the particular Outlook mobile instance. Those entries still exist today and will continue to exist until cleaned up. And that means that any Outlook mobile instance that was granted access due to this mishap will continue to have access until either the app is upgraded or the explicitly granted access is removed.
So it makes me wonder about this part of your response:
With the change highlighted in this article, if an Outlook mobile was previously allowed to connect by an incorrect Conditional Access policy, with this change, that same Outlook mobile client would be blocked by the Exchange Online mobile device access policy (if set to quarantine/block) and that device ID was not already defined in the user's ActiveSyncAllowedDeviceIDs.
You appear fairly certain that what we are seeing in our environment did not actually happen - or has nothing to do with the CA issue that has been resolved. But we have plenty of reason to believe that it did. One clear indicator is that over the past 2 days, after a new version of the Outlook mobile app was released on February 2, we suddenly have hundreds of users reporting that their (unauthorized) Outlook mobile app has stopped working. I am pretty certain that their Outlook mobile app has stopped working because of the combination of the following two things:
- The issue in Conditional Access has been resolved, and access using any version or instance of Outlook mobile is no longer automatically granted (but existing access that was added due to the CA issue was still valid).
- The Outlook mobile app was upgraded - and uses a new device ID, making any access that was previously granted due to the CA issue invalid.
The information provided by Microsoft, combined with what we are actually seeing "in the field", appears to indicate that you are wrong. There is more to the story than what you are revealing. The fix that has been deployed may have put out the fire - but the customer environments still need urgent cleanup because there is no guarantee that all users of Outlook mobile will upgrade their app instance - and that in turn will mean that they will continue to have unauthorized access because your bug in Conditional Access granted it in the first place.
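
Added example, not part of the comment above and not Microsoft's guidance: a read-only Exchange Online PowerShell report of per-user allow-list entries (`ActiveSyncAllowedDeviceIDs`) so they can be reviewed against the devices that were actually approved. It assumes an existing `Connect-ExchangeOnline` session; the output file name is a placeholder.

```powershell
# Read-only audit: list every device ID on a user's personal allow list and
# show what the matching mobile device record says about it.
# Assumption: an Exchange Online PowerShell session is already connected.
$report = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs)
    if ($allowed.Count -eq 0) { continue }

    # All device partnerships currently recorded for this mailbox
    $devices = @(Get-MobileDevice -Mailbox $cas.PrimarySmtpAddress)

    foreach ($id in $allowed) {
        $dev = $devices | Where-Object { $_.DeviceId -eq $id } | Select-Object -First 1
        [pscustomobject]@{
            Mailbox      = $cas.PrimarySmtpAddress
            DeviceId     = $id
            # No matching record means the allow entry outlived the device
            # partnership (for example after an app reinstall).
            HasDevice    = [bool]$dev
            DeviceModel  = $dev.DeviceModel
            ClientType   = $dev.ClientType
            AccessState  = $dev.DeviceAccessState
            AccessReason = $dev.DeviceAccessStateReason
            FirstSync    = $dev.FirstSyncTime
        }
    }
}

# Outlook mobile reports the device model "Outlook for iOS and Android".
# Entries with no device record are kept so stale allow entries are visible too.
$report |
    Where-Object { -not $_.HasDevice -or $_.DeviceModel -eq 'Outlook for iOS and Android' } |
    Sort-Object Mailbox, FirstSync |
    Export-Csv -Path .\allowed-outlook-devices.csv -NoTypeInformation   # placeholder path
```

The script changes nothing; whether a listed entry was approved by an administrator has to be decided by comparing the report with the organisation's own approval records.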