Forum Discussion
drivesafely (Brass Contributor) - Dec 21, 2024
Conditional Access Policy for Exchange
Hello Everyone,
Previously, our on-premises Exchange was restricted to the internal network. After configuring HMA with Exchange Online, users can now authenticate and access their mailboxes from the Internet.
We aim to enforce a conditional access policy to block Exchange access from the Internet for all users except a selected group. These selected users should only access Exchange from Intune-enrolled phones.
During testing, a policy blocking a user from Exchange Online also prevented access from the internal network, likely due to the HMA setup.
Could you provide guidance on addressing this? Thanks.
- rahuljindal-MVP (Bronze Contributor)
“We aim to enforce a conditional access policy to block Exchange access from the Internet for all users except a selected group.” - You are probably looking at 2 policies here. The first one will involve blocking access to EXO for all network locations, excluding known networks, and excluding the user group in question. “These selected users should only access Exchange from Intune-enrolled phones.” - This will be the 2nd policy for allowing access to cloud resources\EXO for the selected group of users, leveraging Intune device compliance state.
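The two policies described in this answer, written as Microsoft Graph PowerShell calls; this is an added example, not code from the thread. The group object ID and the trusted named-location ID are placeholders, and the application ID is the well-known Office 365 Exchange Online app ID; both policies are created in report-only mode so their effect can be checked in sign-in logs before enforcement.

```powershell
# Added example: the two Conditional Access policies from the answer above.
# Assumptions: <GROUP-ID> is the object ID of the exempt group and
# <TRUSTED-LOCATION-ID> is a named location (marked trusted) that covers the
# public egress IPs of the internal network. Both are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$exoAppId          = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
$exemptGroupId     = "<GROUP-ID>"
$trustedLocationId = "<TRUSTED-LOCATION-ID>"

# Policy 1: block EXO from every location except the trusted network, for all
# users except the exempt group. With HMA the on-prem Exchange tokens are also
# issued by Entra ID under the Exchange Online app, so this policy governs
# internal users too: the named location must match the IPs they egress from,
# otherwise internal access is blocked (the symptom described in the question).
$blockPolicy = @{
    displayName   = "Block Exchange from Internet (all except exempt group)"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($exemptGroupId) }
        applications   = @{ includeApplications = @($exoAppId) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($trustedLocationId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy

# Policy 2: the exempt group may reach EXO from phones only when the device is
# marked compliant by Intune. Note that this policy covers Android/iOS only;
# the group's sign-ins from other platforms are matched by neither policy and
# would need their own block policy if the group is meant to be phone-only.
$mobilePolicy = @{
    displayName   = "Exempt group: Exchange from compliant phones"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeGroups = @($exemptGroupId) }
        applications   = @{ includeApplications = @($exoAppId) }
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mobilePolicy
```

Review the report-only results in the Entra sign-in logs for both internal and external users before switching `state` to `enabled`.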
- drivesafely (Brass Contributor)
Thanks for your response.
After configuring HMA, we observed that blocking EXO access also restricts users from accessing Exchange On-Prem from the internal network. This happens because authentication now routes through EXO for internal users after enabling HMA. Could you advise on how to block access from the internet while still allowing internal access in this scenario?
Additionally, could you share detailed steps for creating a Conditional Access policy to allow access from Intune-enrolled devices?
Thanks again!