
A strange behavior of Conditional Access for Exchange On-premises

hanbin yang
New Contributor

 Hi all,

I would like to confirm a behavior of Intune Conditional Access for Exchange On-premises. My company has Exchange 2013 + Intune Connector setup, and enabled Conditional Access for Exchange On-premises. Global setting is block access. Everything is working fine except the following case. I am not sure this is a bug or by design. Please help me take a look.


Test case:

User A’s device is enrolled with Intune.

User A is using iOS's native Mail app to access his own mailbox.

Now, in the Mail app, he can add another user's account (user B) of the same company, and access the email.

As a result, he only enrolled one device with his own account (user A), but can access both user A's and user B's mailboxes on the same device.


We want to restrict this behavior. On the enrolled device, we want only the device owner to access his own mailbox, not his colleague's mailbox. Is this something doable?

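A check an administrator can run to see whether the case described above is already happening in their own organization. This is an added example, not code from the thread or from Microsoft; it assumes an Exchange Management Shell session and relies on the fact that Exchange records one mobile device partnership per mailbox/device pair, so the same hardware DeviceId showing up under several mailboxes means one device is syncing more than one mailbox.

```powershell
# Added example (not from the thread): list devices that have an ActiveSync
# partnership with more than one mailbox, the user A / user B situation above.
# Assumes an Exchange Management Shell session against Exchange 2013 or later.

# Get-MobileDevice returns one object per mailbox/device partnership.
$partnerships = Get-MobileDevice -ResultSize Unlimited |
    Select-Object DeviceId, DeviceType, DeviceModel, UserDisplayName, DeviceAccessState

# Group by the hardware DeviceId; a group with more than one member means the
# same physical device is partnered with several mailboxes.
$shared = $partnerships |
    Group-Object -Property DeviceId |
    Where-Object { $_.Count -gt 1 }

if (-not $shared) {
    Write-Output "No device is partnered with more than one mailbox."
}

foreach ($group in $shared) {
    Write-Output ("DeviceId {0} is partnered with {1} mailboxes:" -f $group.Name, $group.Count)
    foreach ($p in $group.Group) {
        # DeviceAccessState shows whether the connector/access rules currently
        # allow, block or quarantine this particular partnership.
        Write-Output ("  {0}  [{1} / {2}]  access state: {3}" -f `
            $p.UserDisplayName, $p.DeviceType, $p.DeviceModel, $p.DeviceAccessState)
    }
}
```

The output pairs each shared DeviceId with the mailboxes it syncs and the current access state of each partnership, which is the evidence to compare against what Conditional Access was expected to block.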

3 Replies

I congratulate your bravery in using the On-Premise Exchange Conditional Access connector!


Try switching to the Outlook app and applying a MAM policy. That should stop users adding more than one account to the same device.

Hi Andrew,


We have tested. Even with Outlook for iOS on an Intune-enrolled device, we can still add the second email account and access the mailbox.

Is user B licensed for Microsoft Intune? If not, try to license user B and see if the behavior changes.
You may also have to license user B with Azure AD Premium P1 or greater in order for this to work, though I've never actually been able to confirm this.


Also, check that your scope includes user B.
