I am trialling Intune, with a view to it being used at the company I work for. One of the features we are particularly keen on is conditional access - we want the ability to limit Office 365 email access only to devices that we have enrolled in Intune.
I've set up the conditional access as per the attached images and we are still having an issue. While access from the native mail app and from the browser are both blocked (from a test iPhone), one third-party app in particular, Edison Mail, can still be set up with our dummy 365 account.
Testing with the mail apps listed below on iOS, they were all unable to use the dummy 365 account, but I notice that they all directed you during the account setup to the login webpage that you are also presented with when you set up email on the native iOS mail app. Edison Mail simply asks for your O365 email address and password from within the UI of the app itself, not a Microsoft 'in browser' login page.
My understanding is that in selecting "Require approved client app", this would limit access only to the apps listed here.
Can you offer any guidance on why this one particular app is not getting rejected access to Exchange Online, like the other apps?
Thanks for your assistance; I believe with your help I've resolved the issue.
I created a new conditional access policy, with a condition to apply the policy to "Exchange ActiveSync Clients" or "Other clients" - this one is set to block access, rather than grant. From your findings with Edison that it doesn't MFA, I assume that it therefore falls under the "Other clients".
What I still don't understand is why a device we tested with that wasn't enrolled in Intune was still able to use Edison. I assumed that the first policy I created to grant access, with the requirement that a device was compliant in Intune, would mean that other devices that tried to connect which weren't compliant would get blocked.
Anyway - we are glad that it is set up now with the desired behaviour! Many thanks again!
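As an added illustration (not code from this thread or from Microsoft), the two policies discussed above written with the Microsoft Graph conditionalAccessPolicy field names, plus a deliberately simplified evaluator that shows why a grant policy scoped to browser and modern-auth clients never sees a legacy-auth client such as the one described, and why the separate block policy for "Exchange ActiveSync clients" and "Other clients" closes the gap. The sign-in records are constructed, and user/application scoping is assumed to match and is not modelled.

```python
# Added example, not from the original thread. Policy objects follow the Graph
# conditionalAccessPolicy schema; evaluate() is a simplified model of CA evaluation
# (only the clientAppTypes condition and a few grant controls are modelled).
from typing import Dict, List, Tuple

POLICY_REQUIRE_COMPLIANT = {
    "displayName": "Grant Exchange Online only to compliant devices",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        # Modern-auth client types only: a legacy-auth client never matches this policy.
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

POLICY_BLOCK_LEGACY = {
    "displayName": "Block Exchange ActiveSync and other (legacy) clients",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# How each modelled grant control is satisfied by a sign-in record.
SATISFIES = {
    "compliantDevice": lambda s: s.get("deviceCompliant", False),
    "approvedApplication": lambda s: s.get("approvedApp", False),
}

def evaluate(signin: Dict, policies: List[Dict]) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons). A sign-in matched by no policy is allowed;
    a matching policy that blocks, or whose grant controls are unmet, blocks it."""
    reasons = []
    for pol in policies:
        if pol["state"] != "enabled":
            continue
        if signin["clientAppType"] not in pol["conditions"]["clientAppTypes"]:
            continue  # condition not met, so this policy is simply not applied
        controls = pol["grantControls"]["builtInControls"]
        if "block" in controls:
            reasons.append(f'{pol["displayName"]}: block')
            continue
        met = [c for c in controls if SATISFIES[c](signin)]
        need_all = pol["grantControls"]["operator"] == "AND"
        if (len(met) != len(controls)) if need_all else (not met):
            reasons.append(f'{pol["displayName"]}: grant controls not satisfied')
    return ("block" if reasons else "allow"), reasons

# Constructed sample sign-ins from an iPhone that is not enrolled in Intune.
EDISON_BASIC_AUTH = {"clientAppType": "other", "deviceCompliant": False}
NATIVE_MAIL_MODERN_AUTH = {"clientAppType": "mobileAppsAndDesktopClients", "deviceCompliant": False}
```

With only the first policy in place the legacy-auth sign-in is allowed because nothing evaluates it; adding the block policy is what denies it.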