Forum Discussion
Actual impact to ActiveSync clients when enabling Hybrid Modern Authentication
I will also add that I test successfully with Outlook for Android and can set up both "Exchange" and "Exchange (Hybrid)" accounts. When enforcing via Conditional Access, I can successfully limit the latter to only compliant devices (which I've enrolled to Intune). That, plus the fact that I have 100% positive results with the validation script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16), is making me think I'm not way out in left field.
Again, the "Configure Hybrid Modern Authentication" article doesn't make any changes to existing authentication settings on virtual directories, other than to add OAuth if necessary to MAPI, EWS, OAB, and Autodiscover. ActiveSync VDs are checked for URLs, but not checked afterwards for OAuth (nor do I see any OAuth properties on my ActiveSync VDs).
So I feel like HMA out of the box, without any additional disabling of other auth mechanisms on your VDs, is available, but not enforced. This would be ideal for a smooth rollout. And if it's actually like this, then this is a big selling point for enabling HMA which I don't see getting sold at all, anywhere.
Last point I want to add is that my pre-existing and new setups via the Gmail app, i.e. basic auth, continue to work without issue, post-enabling HMA.
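The post above makes a claim that is easy to verify from the Exchange Management Shell: after running the HMA configuration steps, OAuth is added to the EWS, MAPI, OAB and Autodiscover virtual directories while Basic and Windows authentication stay enabled, and the ActiveSync virtual directory exposes no OAuth property at all. The following read-only audit script is an added example, not code from the thread or from Microsoft; it assumes an on-premises Exchange Management Shell with view-only permissions and uses only the standard `Get-*VirtualDirectory`, `Get-OrganizationConfig` and `Get-AuthServer` cmdlets.

```powershell
# Added example (not from the thread): read-only audit of which on-prem Exchange
# virtual directories advertise OAuth and which still accept Basic/Windows auth.
# Assumes the Exchange Management Shell on-prem with view-only permissions.

# 1. Is HMA switched on at the org level, and is an EvoSTS auth server the default endpoint?
$orgConfig = Get-OrganizationConfig
"OAuth2ClientProfileEnabled : $($orgConfig.OAuth2ClientProfileEnabled)"
Get-AuthServer | Where-Object { $_.IsDefaultAuthorizationEndpoint } |
    Format-Table Name, Type, Enabled, IsDefaultAuthorizationEndpoint -AutoSize

# 2. Normalise every virtual directory into one row with the same columns.
function New-VdRow {
    param($Protocol, $Vd, $OAuth, $Basic, $Windows)
    [pscustomobject]@{
        Protocol    = $Protocol
        Server      = $Vd.Server
        OAuth       = $OAuth
        Basic       = $Basic
        Windows     = $Windows
        ExternalUrl = $Vd.ExternalUrl
    }
}

$rows = @()

# EWS, OAB and Autodiscover all expose an OAuthAuthentication boolean.
foreach ($vd in Get-WebServicesVirtualDirectory -ADPropertiesOnly) {
    $rows += New-VdRow 'EWS' $vd $vd.OAuthAuthentication $vd.BasicAuthentication $vd.WindowsAuthentication
}
foreach ($vd in Get-OabVirtualDirectory -ADPropertiesOnly) {
    $rows += New-VdRow 'OAB' $vd $vd.OAuthAuthentication $vd.BasicAuthentication $vd.WindowsAuthentication
}
foreach ($vd in Get-AutodiscoverVirtualDirectory -ADPropertiesOnly) {
    $rows += New-VdRow 'Autodiscover' $vd $vd.OAuthAuthentication $vd.BasicAuthentication $vd.WindowsAuthentication
}

# MAPI/HTTP keeps its methods in a multi-valued list (Basic, Ntlm, Negotiate, OAuth).
foreach ($vd in Get-MapiVirtualDirectory -ADPropertiesOnly) {
    $methods = $vd.IISAuthenticationMethods
    $rows += New-VdRow 'MAPI' $vd `
        ($methods -contains 'OAuth') `
        ($methods -contains 'Basic') `
        (($methods -contains 'Ntlm') -or ($methods -contains 'Negotiate'))
}

# ActiveSync has no OAuth property at all, which is the point the post makes:
# HMA does not change what the EAS endpoint accepts.
foreach ($vd in Get-ActiveSyncVirtualDirectory -ADPropertiesOnly) {
    $rows += New-VdRow 'EAS' $vd 'n/a' $vd.BasicAuthEnabled $vd.WindowsAuthEnabled
}

$rows | Sort-Object Protocol, Server | Format-Table -AutoSize

# 3. Flag the "available but not enforced" state: OAuth on, legacy auth still on.
$rows | Where-Object { $_.OAuth -eq $true -and ($_.Basic -or $_.Windows) } | ForEach-Object {
    "$($_.Protocol) on $($_.Server): OAuth available, but Basic/Windows auth still enabled"
}
```

Run it once before and once after the HMA configuration steps and diff the two tables: the expected change is `OAuth` flipping to `True` on EWS, MAPI, OAB and Autodiscover with `Basic` and `Windows` unchanged, and the `EAS` rows identical in both runs. Turning legacy authentication off on those directories is a separate, deliberate step that this script only reports on.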
- bbolling2342 (May 26, 2021, Copper Contributor)
Jeremy, thank you for sharing your experience. I'm working on the planning stages of implementing HMA and had the same questions. Documentation hasn't changed much since when you went through this last year unfortunately so this really helps alleviate some of the concern I had.
- JeremyTBradshaw (Jun 01, 2021, Iron Contributor)
bbolling2342 I'm glad it helped, and also nice to have another person present in my thread, so I'm not just on an island by myself bantering :).
Since this other topic is fresh for me, a similar and commonly unknown/unsure topic in this realm is the one that was announced here: Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile
It's not related to this thread, to confirm. I am just sharing to point out that you can target specific users with Conditional Access policies in order to allow them to use the Outlook app, requiring either or both the device to be managed/compliant and an Intune App Protection policy to be applied, all while NOT targeting other users, and still have those other users be disallowed from using the Outlook app, by relying on Device Access Rules in EXO. The users who are targeted by the CA policies will simply bypass the EXO Device Access Rules. This is a big deal for customers who have historically disallowed the Outlook mobile app but are now trying to make the switch. That process is now a walk in the park.
The big parallel between these two topics is that the Exchange Team has managed to enable customers to granularly roll out some pretty big changes, WITHOUT impacting existing clients/devices. Both topics are fairly lengthy and a little convoluted, so it's easy to miss the great deal that they did accomplish for customers. For this, praise to The_Exchange_Team.