At Microsoft Ignite, Outlook for iOS and Android announced support for deploying managed device account setup configuration settings for Office 365 mailboxes and on-premises mailboxes leveraging hybrid modern authentication. This capability leverages either the Managed App Configuration for iOS or the Android managed configurations to enable MDM solutions to push configuration detail. This functionality was delivered to facilitate large scale deployments of the leading, secure email client which is known to be loved by users and trusted by IT. Today, we are announcing the availability of new functionality within the Intune that enables admins to easily deploy account setup configuration to Outlook for iOS and Android for modern authentication capable accounts via App Configuration Policies. Figure 1: App Configuration Policy for Outlook for Android on Android Enterprise devices from https://devicemanagement.microsoft.com. If you're in https://portal.azure.com, then you'll go to Intune -> Client apps -> app configuration policies and add a config policy.  With this new policy experience, administrators can simply push Outlook account setup details to their user’s enrolled mobile devices. This updated policy experience combines the prior experience and provides administrators with a choice depending on your messaging environment:

  1. If the messaging environment is on-premises and not leveraging hybrid modern authentication (basic authentication), then the authentication type needs to be set to Basic authentication. Additional details like Email Server, Username attribute, and Email address attributes are required.
  2. If the messaging environment is Office 365 or an on-premises environment leveraging hybrid modern authentication, then the authentication type needs to be set to Modern authentication. The admin only needs to define the Username attribute and Email address attributes. Modern authentication capable accounts also support the ability for the admin to restrict Outlook for iOS and Android to only allow the work or school account; for more information see “Organization allowed accounts mode” in Setup with modern authentication.
Note that for Outlook for iOS and Android to apply these settings, the app needs to be installed and managed by the Company Portal. We hope you enjoy this new policy experience available within the Intune portal  for Outlook for iOS and Android. Up next is general app configuration. That’s right, Outlook for iOS and Android will soon support managing and configuring Outlook for iOS and Android features such as Focused Inbox and contact synchronization capabilities. Stay tuned! Ross Smith IV Principal Program Manager Customer Experience Engineering Frequently asked questions: Q: What if we are not using Intune to manage device enrollment, but instead are leveraging a third-party MDM solution? Not to fear, we have you covered. These settings can be delivered via any MDM provider. For more information on the configuration keys you need to use, see the following articles: Q: Can I deploy account setup configuration to Outlook for iOS and Android if the device is not enrolled? No, unfortunately, that is not possible. Enrolled devices provide the identity and information necessary for configuring the app. Q: What if I had already deployed the configuration keys manually in an App Configuration Policy; do I need to do anything? No! The keys will be automatically consumed in the new policy experience. Q: How do I create an App Configuration Policy for Outlook for iOS or Outlook for Android? We’ll be updating Deploy app config settings to include the new policy experience, but you can also review Add app configuration policies for managed iOS devices and Add app configuration policies for managed Android devices. Q: Wait – I see the setting “Block External Images” but it’s not working on the device. Surprise, you caught us! This is unfortunately an UX bug that exposed a setting that is not yet available (configuring the setting will not have any impact in Outlook for iOS). Please stay tuned, we’ll have more to share soon.

Not applicable
i love to see the progress. as we are speaking about intune and its capabilities to manage the outlook mobile app. a customer of mine, with exchange on-premises and the exchange connector deployed. Wants/Needs to utilize the conditional access capabilities - to block all unmanaged devices from synchronizing. He really wants to introduce the outlook mobile app as company mail client on their phones, but as of my last testing’s he can’t. Because the conditional access policies from the on-premises connector blocks the active sync device partnership, even if the outlook mail profile is configured through intune (legacy configuration keys were used). The conditional access policy currently allows only the native mail apps (iOS Mail, GMail and Nine for Work). Is this still “as is” or are there some more hidden features with this new app configuration experience? Thanks, and cheers
Not applicable
Are there any plans to add the ability for the Outlook app to access shared folders and calendars in on-premises environments? I've read the O365 allows shared access via the Outlook app, but not for on-prem.
Not applicable
@Proed - In order to take advantage of AAD Conditional Access and Intune App Protection policies with Outlook mobile, you must setup hybrid modern auth; see http://aka.ms/hmaom for more information. There are no plans to support Outlook mobile with the Intune Exchange Connector.
Not applicable
@Tseeker99 - There are no plans for shared mailbox or calendar access with on-premises accounts. The ActiveSync protocol does not support this capability.
Not applicable
I am a bit puzzled as the OWA app was able to connect to both shared mailboxes and shared calendars. As that app has been deprecated and is no longer available, what are our options to restore that functionality or at least simulate it?