Changes to the Intune Exchange On-Premises Connector
Published Jun 10 2020 06:32 PM

Today, we're posting about an upcoming change that might impact customers who use the Intune Exchange On-Premises Connector.
Intune Deprecating the Exchange On-Premises Connector
Intune is deprecating the Exchange On-Premises Connector feature from the Intune service. This does not affect existing customers with an active connector; they will be able to continue using the connector for the time being.

The only customers that will be impacted are those that do not have an existing active connector. Those customers will no longer be able to create new connectors or manage on-premises EAS devices from Intune.
How this will affect your organization
If you are not already using the Exchange On-Premises Connector but want the functionality it provides, you will need a different method to enable Conditional Access for Exchange on-premises. Microsoft recommends Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook mobile for Exchange on-premises.
What you need to do to prepare
If you are an existing tenant with an active connector, you will be able to continue with the current functionality at this time. For all other customers, review your Exchange environment requirements and evaluate Exchange HMA if you need protected access to Exchange on-premises.

If you have any questions on this upcoming change, just comment back or ask your question directly by tagging @intunesuppteam on Twitter!

The Exchange and Intune Teams

11 Comments
Copper Contributor

If we enable HMA, how does it impact end users using Outlook 2010, 2013 and 2016 (the prerequisites say it is supported from Outlook 2013)? We are using legacy protocols like IMAP and POP3; will they be impacted?

@Kiran2150 enabling HMA doesn't disable legacy auth. It's additional.

Copper Contributor

So basically that means users could use native app as well as outlook mobile app, the latter having the advantage of IAP + CA over the former?

Copper Contributor

HMA in Outlook iOS requires data to be 'synced' to Exchange Online - any way to avoid this and ensure data is still on-prem, or do we need to use the native mail client?

@RahulSingh, correct. Have a look at our Intune App Protection and Conditional Access with HMA doc to learn more about these features.

Microsoft

@apnet1205 - Outlook for iOS and Android (Outlook mobile) has always been a cloud-backed application. Processing information in our service fabric enables advanced features and capabilities, such as the categorization of email for the Focused Inbox, improved search speed, artificial intelligence scenarios, and more. It enhances Outlook’s performance and stability, relying on the Outlook service for intensive processing and minimizing the resources required from users' devices. Lastly, it allows Outlook to build features that work across all email accounts, regardless of the technological capabilities of the underlying messaging platforms (e.g. different versions of Exchange, 3rd party email systems like Yahoo! Mail and Gmail, etc.). There are no plans to provide an Outlook mobile experience that does not rely on cloud integration.

But let's break this down. What do you have today? You have an on-premises Exchange server and a mobile EAS device (and possibly laptops with Outlook cached mode). The mobile EAS device contains a portion of the user's mailbox data. This mobile EAS device (and laptop!) roams wherever the user goes - in-country, out-of-country, etc. All changes that the user enacts on the mobile device are synced to the on-premises Exchange server, which is considered the authoritative source.

Now let's look at the Outlook mobile architecture (http://aka.ms/hmaom). You have a mobile app, EXO, and on-premises Exchange. What is EXO in this scenario? It's nothing more than the mobile EAS device in the previous example - it syncs a portion of the mailbox data from on-premises using EAS. The authoritative source is still on-premises Exchange (e.g., message transport occurs via on-premises). Outlook+EXO = "mobile EAS device". And you get all the benefits from a security, privacy, and compliance perspective that O365 provides. Plus, you get additional capabilities like Conditional Access and Intune App Protection Policies that you may not have available with traditional EAS clients, which further protects the data on the physical device and ensures only trusted users gain access to the data.

In the event you have a legal requirement that a portion of the mailbox data cannot reside in a cloud service (but again challenge the notion if the authoritative and complete source remains on-premises and traditional EAS mobile devices are allowed out of country!), then yes, the native mail clients are your only option (remember, there are other third-party client apps out there that sync data to cloud repositories).

Steel Contributor

This feels premature.  It should coincide directly with Exchange 2010 EOL and nothing else sooner.

Copper Contributor

I already read the docs several times, but it still isn't clear to me whether I could block native iOS and Android clients in this scenario:

- I still have a lot of on-premises mailboxes

- HMA is enabled

- no Exchange connector


On this page https://docs.microsoft.com/de-de/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth... I can find the information:

„When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android as the only email app for end users, they can configure a conditional access policy that blocks other mobile access methods.“

Ok, sounds good but when I read on a little bit further I can read

„In order to block other mobile device clients (such as the native mail client included in the mobile operating system) from connecting to your on-premises environment (which authenticate via basic authentication against on-premises Active Directory), you have two options: 1. Exchange mobile device access rules or 2. Install the Exchange Connector.“


So can I block native mail apps only with HMA including the correct access policies (but without the Ex Connector)?

Thank you in advance,

best regards!

Microsoft

@Axel7 - yes, you can block native EAS apps using conditional access. Create the policies outlined in https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-androi...
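The documentation quoted in the question above names Exchange mobile device access rules as one way to keep native EAS clients off an on-premises server when there is no Exchange Connector; because those clients authenticate with basic authentication against on-premises Active Directory, that control lives on the Exchange side. As an added example (not from this post or from Microsoft's documentation), this is what that looks like in the Exchange Management Shell. The DeviceType and DeviceModel strings are assumptions about what Outlook mobile reports; confirm them against Get-MobileDevice for a pilot user before switching the default access level to Block.

```powershell
# Added example: allow-list Outlook for iOS and Android at the on-premises
# Exchange organization level and block every other EAS client.
# Run in the Exchange Management Shell as an organization administrator.
# "pilot.user@contoso.com" is a placeholder mailbox.

# 1. Inspect what a pilot user's devices actually report, so the rules
#    below match real values rather than assumptions.
Get-MobileDevice -Mailbox "pilot.user@contoso.com" |
    Format-Table DeviceType, DeviceModel, DeviceOS, DeviceAccessState, DeviceAccessStateReason

# 2. Allow Outlook mobile. The QueryString values are assumptions about
#    what Outlook mobile reports; adjust them to the output of step 1.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString "Outlook" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString "Outlook for iOS and Android" -AccessLevel Allow

# 3. Dry run: quarantine unmatched devices first and mail the admins,
#    so you see what would be cut off before anything is blocked.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admins@contoso.com"

# 4. Once the quarantine list contains only devices you intend to lose,
#    flip the default to Block. Devices not matching an Allow rule are
#    then refused; per-user allow/block lists still take precedence.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# 5. Verify: anything not in the Allowed state is a client that will
#    no longer sync, which is the intent.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -ne "Allowed" } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceAccessState
```

Device access rules only govern Exchange ActiveSync connections; they do nothing for Outlook desktop, IMAP or POP3, which is why the earlier reply that HMA does not disable legacy auth still matters if those protocols stay enabled.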

Copper Contributor

What is the fastest way to set up on-prem mailboxes to sync via the Outlook for iOS app?

We have a fully functional conditional access policy for mandatory compliance + usage of the Outlook for iOS app to sync mail for the O365-resident mailboxes.

We are not keen on using the native email client, as it uses only basic auth.
