Home

Logging for conditional access

%3CLINGO-SUB%20id%3D%22lingo-sub-308471%22%20slang%3D%22en-US%22%3ELogging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308471%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20policy%20set%20up%20to%20only%20allow%20compliant%20mobile%20devices%20to%20access%20Exchange%20Active%20Sync.%20When%20reviewing%20access%20logs%20I%20show%20Not%20Applied%20under%20the%20logs%2C%20and%20device%20info%20is%20blank%20for%20compliance.%20It%20also%20shows%20Mobile%20Safari%20for%20the%20browser%20info.%20Is%20the%20what%20I%20should%20expect%20in%20the%20logs%3F%20User%20is%20accessing%20mail%20in%20the%20default%20iOS%20mail%20app%20on%20the%20device.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F64581i448BC50C05E7FB85%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Capture.PNG%22%20title%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20policy%20is%20set%20to%20cover%20all%20users%3C%2FP%3E%3CP%3ECloud%20apps%3A%20Exchange%20Online%3C%2FP%3E%3CP%3EConditions%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F64582i6922F3662FC43AF1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Capture1.PNG%22%20title%3D%22Capture1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F64583i2F8DA75BBBAD3B66%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Capture2.PNG%22%20title%3D%22Capture2.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAccess%20Controls%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20288px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F64584iD1F1FCF2B506ABFF%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Capture3.PNG%22%20title%3D%22Capture3.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-308471%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309950%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309950%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20finished%20testing%20and%20it%20absolutely%20did.%20End%20users%20have%20to%20go%20into%20the%20passwords%20section%20on%20thier%20phones%20settings%20and%20re-enter%20the%20password%2C%20which%20then%20prompts%20them%20to%20allow%20iOS%20Accounts%20to%20access%20office%20365%20with%20certain%20permissions%2C%20and%20after%20acceptance%20the%20logging%20shows%20our%20policies%20now%20being%20applied.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309948%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309948%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20catch!%20Let%20us%20know%20if%20this%20resolves%20the%20problem.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309926%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309926%22%20slang%3D%22en-US%22%3E%3CP%3EI%20think%20I%20may%20have%20come%20across%20root%20cause%20on%20this.%20From%20what%20I%20am%20reading%20even%20after%20iOS%20default%20mail%20app%20was%20updated%20to%20work%20with%20OAuth%20it%20did%20not%20work%20with%20modern%20auth%20if%20the%20profile%20was%20pushed%20to%20the%20device%20by%20intune.%20They%20have%20supposedly%20corrected%20this%20issue.%20I%20do%20see%20a%20new%20checkbox%20in%20the%20intune%20device%26nbsp%3Bconfiguration%20that%20we%20push%20that%20enables%20OAuth.%20I%20will%20create%20a%20test%20policy%20with%20that%20checkbox%20enabled%20and%20apply%20it%20to%20our%20test%20user%20group%20to%20see%20if%20this%20resolves%20the%20issue.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20565px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F64854iD5A865743B1A84F4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Capture.PNG%22%20title%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309700%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309700%22%20slang%3D%22en-US%22%3E%3CP%3ENo%2C%20in%20that%20case%20you%20can%20disregard%20my%20comment%20about%20the%20on-premise%20connector%2C%20it's%20not%20required%20when%20using%20Exchange%20Online.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309531%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309531%22%20slang%3D%22en-US%22%3E%3CP%3EAll%20of%20our%20Mailboxes%20are%20hosted%20in%20the%20cloud.%20Our%20on%20premises%20server%20is%20used%20for%20management%20purposes%20only.%20We%20do%20not%20use%20the%20connector.%20Does%20this%20matter%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309040%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309040%22%20slang%3D%22en-US%22%3E%3CP%3EPerfect%2C%20thanks.%20So%20we%20know%20that%20modern%20authentication%20is%20enabled%20at%20the%20organization%20level%20and%20the%20user%26nbsp%3Bhas%20an%20email%20client%20that%20supports%20it.%20Next%2C%20I%20would%20verify%20that%20the%20Exchange%20on-premise%20connector%20is%20setup%20and%20functioning%20as%20intended.%20One%20more%20thing%20to%20consider%20is%20that%20Microsoft%20advises%20to%20create%20two%20separate%20conditional%20access%20policies%20to%20protect%20both%20Modern%20Authentication%20clients%20and%20Exchange%20ActiveSync%20clients.%20So%2C%26nbsp%3Bthis%20might%20be%20worth%20a%20try%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-309015%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-309015%22%20slang%3D%22en-US%22%3EFrom%20the%20device%20itself%2C%20when%20you%20set%20up%20email%2C%20if%20you%20are%20using%20modern%20authentication%20you%20should%20get%20some%20type%20of%20web%20interaction%20I%20believe.%3CBR%20%2F%3E%3CBR%20%2F%3Eby%20default%20in%20iOS%20it%20will%20attempt%20to%20do%20modern%20authentication%20before%20it%20does%20AS%2C%20but%20it%20will%20default%20back%20to%20AS.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-308991%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308991%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F254026%22%20target%3D%22_blank%22%3E%40eglockling%3C%2FA%3E%26nbsp%3Bdevice%20is%20iOS%2012.1%20and%20this%20is%20what%20I%20see%20when%20I%20run%20a%20Get-OrganizationConfig%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20486px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F64676iA4C3BD3CEEAB55C9%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Capture.PNG%22%20title%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-308986%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308986%22%20slang%3D%22en-US%22%3E%3CP%3EEAS%20does%20support%20modern%20authentication%2C%26nbsp%3Bjust%20limited%20when%20it%20comes%20to%20Conditional%20Access.%20You're%20definitely%20asking%20the%20right%20question%20though.%20It%20appears%20as%20though%20legacy%20authentication%20could%20be%20in%20use%2C%20which%20is%20why%20the%26nbsp%3Bconditional%20access%20policy%20isn't%20applied.%26nbsp%3B%3CSPAN%3EMail%20for%20iOS%2011.3.1%20or%20later%20supports%20modern%20authentication%2C%20so%20I%20would%20suggest%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F452%22%20target%3D%22_blank%22%3E%40Robert%20Woods%3C%2FA%3E%20confirm%20the%20iOS%20version%20of%20the%20device%20to%20ensure%20it%20will%20comply.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-308532%22%20slang%3D%22en-US%22%3ERe%3A%20Logging%20for%20conditional%20access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308532%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20you%20sure%20you%20are%20using%20modern%20authentication%3F%26nbsp%3B%20Generally%20I%20think%20AS%26nbsp%3Bdoes%20not%20use%20modern%20authentication.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Robert Woods
Super Contributor

I have a policy set up to only allow compliant mobile devices to access Exchange Active Sync. When reviewing access logs I show Not Applied under the logs, and device info is blank for compliance. It also shows Mobile Safari for the browser info. Is the what I should expect in the logs? User is accessing mail in the default iOS mail app on the device. 

 

Capture.PNG

 

My policy is set to cover all users

Cloud apps: Exchange Online

Conditions: 

Capture1.PNGCapture2.PNG

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Access Controls: 

Capture3.PNG

10 Replies

Are you sure you are using modern authentication?  Generally I think AS does not use modern authentication.  

EAS does support modern authentication, just limited when it comes to Conditional Access. You're definitely asking the right question though. It appears as though legacy authentication could be in use, which is why the conditional access policy isn't applied. Mail for iOS 11.3.1 or later supports modern authentication, so I would suggest @Robert Woods confirm the iOS version of the device to ensure it will comply.

@eglockling device is iOS 12.1 and this is what I see when I run a Get-OrganizationConfig

 

Capture.PNG

From the device itself, when you set up email, if you are using modern authentication you should get some type of web interaction I believe.

by default in iOS it will attempt to do modern authentication before it does AS, but it will default back to AS.

Perfect, thanks. So we know that modern authentication is enabled at the organization level and the user has an email client that supports it. Next, I would verify that the Exchange on-premise connector is setup and functioning as intended. One more thing to consider is that Microsoft advises to create two separate conditional access policies to protect both Modern Authentication clients and Exchange ActiveSync clients. So, this might be worth a try as well.

All of our Mailboxes are hosted in the cloud. Our on premises server is used for management purposes only. We do not use the connector. Does this matter?

No, in that case you can disregard my comment about the on-premise connector, it's not required when using Exchange Online.

I think I may have come across root cause on this. From what I am reading even after iOS default mail app was updated to work with OAuth it did not work with modern auth if the profile was pushed to the device by intune. They have supposedly corrected this issue. I do see a new checkbox in the intune device configuration that we push that enables OAuth. I will create a test policy with that checkbox enabled and apply it to our test user group to see if this resolves the issue. 

 

Capture.PNG

Good catch! Let us know if this resolves the problem.

Just finished testing and it absolutely did. End users have to go into the passwords section on thier phones settings and re-enter the password, which then prompts them to allow iOS Accounts to access office 365 with certain permissions, and after acceptance the logging shows our policies now being applied. 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies