Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile

Published Jun 19 2020 09:00 AM

Update: the change mentioned in this article has been rolled out to all commercial tenants.

Many of you may rely on Exchange Online mobile device access rules to ensure that only approved devices (or apps) access your messaging data. By default, an Exchange Online tenant allows access for all mobile devices. Admins can change this behavior to either block or quarantine devices with the following cmdlet:

 

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel <Allow,Quarantine,Block>

 

Exchange mobile device access rules can even be used to manage Outlook for iOS and Android; see Block all email apps except Outlook for iOS and Android for examples.

Likewise, many of you have moved away from leveraging Exchange mobile device access rules and moved to a more comprehensive solution – Azure AD Conditional Access policies.

What you may not know is the interaction between Exchange’s mobile device access rules and Azure Active Directory Conditional Access policies when using Outlook for iOS and Android. This article describes how these policies work today and what is changing in August 2020.

Current behavior

Today, if you configure any conditional access policy (regardless of its applicability to mobile devices), Exchange Online will skip mobile device access rules’ processing for Outlook for iOS and Android devices.

For example, let’s say in your tenant you have no conditional access policies targeting iOS or Android devices, but you have a policy that ensures Windows devices are managed. This conditional access policy targets the Windows platform and leverages the following grant access controls:

[Image: CAChanges01.jpg]

With this configuration, you may expect that Outlook for iOS and Android would be subject to Exchange’s mobile device access policies because there are no conditional access policies in play for iOS and Android devices. However, that’s not the case. When Outlook for iOS and Android connects to Exchange Online, Exchange Online executes a Graph API call to Azure AD, determines that there are conditional access policies associated with the user, and skips the processing of the Exchange device access policies. You can see this by querying the device with Get-MobileDeviceStatistics, where the DeviceAccessStateReason is set to ExternallyManaged:

 

Get-MobileDeviceStatistics -mailbox Natasha | where {$_.DeviceModel -eq "Outlook for iOS and Android"} | fl LastSuc*,DeviceAccess*
LastSuccessSync         : 6/9/2020 10:35:13 PM
DeviceAccessState       : Allowed
DeviceAccessStateReason : ExternallyManaged
DeviceAccessControlRule :

 

Future behavior

Obviously, that is not the desired behavior. Beginning in August 2020, we are rolling out changes in Exchange Online to ensure that only certain Conditional Access policies bypass Exchange’s mobile device access rules for Outlook for iOS and Android devices. Specifically, only Conditional Access policies configured with the following conditions and grant access controls will prevent Exchange mobile device access rules being applied to Outlook for iOS and Android:

  • Cloud app condition: Exchange Online or Office 365
  • Device platform condition: iOS and/or Android
  • Client apps condition: Mobile apps and desktop clients
  • One of the following Grant access controls: Require device to be marked as compliant, Require approved client app, Require app protection policy

For more information on these grant access controls, see Conditional Access: Grant.
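To check which existing policies meet the four criteria above, the following added example (not part of the original article) classifies policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource. The function names and sample policies are constructed. Reporting catch-all scoping ("All" apps, all or unset platforms, all client apps) as "Review" rather than "Yes" is an assumption, because the article names only the explicit values. Exclusions and user assignments are not evaluated.

```powershell
# Added example: property names follow the Microsoft Graph conditionalAccessPolicy resource.
# Sample policies are constructed; function names are hypothetical.

# Exchange Online application ID and the Graph keyword for the Office 365 app group
$QualifyingApps      = @('00000002-0000-0ff1-ce00-000000000000', 'Office365')
$QualifyingPlatforms = @('iOS', 'android')
$QualifyingClients   = @('mobileAppsAndDesktopClients')
# Require compliant device / Require approved client app / Require app protection policy
$QualifyingGrants    = @('compliantDevice', 'approvedApplication', 'compliantApplication')

function Get-CriterionResult {
    # 'Match' = a configured value is one the article names
    # 'Broad' = a catch-all value (or unset, with -UnsetIsBroad) that covers it only implicitly
    # 'Miss'  = neither
    param([string[]] $Configured, [string[]] $Named, [string[]] $CatchAll, [switch] $UnsetIsBroad)
    if (@($Configured | Where-Object { $Named -contains $_ }).Count -gt 0)    { return 'Match' }
    if (@($Configured | Where-Object { $CatchAll -contains $_ }).Count -gt 0) { return 'Broad' }
    if ($UnsetIsBroad -and -not $Configured)                                  { return 'Broad' }
    return 'Miss'
}

function Test-BypassesDeviceAccessRules {
    param([Parameter(Mandatory)] $Policy)
    $c = $Policy.conditions
    $checks = [ordered]@{
        CloudApp   = Get-CriterionResult $c.applications.includeApplications $QualifyingApps @('All')
        Platform   = Get-CriterionResult $c.platforms.includePlatforms $QualifyingPlatforms @('all') -UnsetIsBroad
        ClientApps = Get-CriterionResult $c.clientAppTypes $QualifyingClients @('all')
        Grant      = Get-CriterionResult $Policy.grantControls.builtInControls $QualifyingGrants @()
    }
    $values = @($checks.Values)
    # Assumption: a disabled or report-only policy never counts.
    $verdict = if ($Policy.state -ne 'enabled' -or $values -contains 'Miss') { 'No' } elseif ($values -contains 'Broad') { 'Review' } else { 'Yes' }
    [pscustomobject]@{
        Policy                 = $Policy.displayName
        SkipsDeviceAccessRules = $verdict
        Detail                 = ($checks.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    }
}

# Constructed sample policies (not exported from any real tenant).
$policies = @'
[
  { "displayName": "Windows: require managed device", "state": "enabled",
    "conditions": { "applications": { "includeApplications": ["All"] },
                    "platforms": { "includePlatforms": ["windows"] },
                    "clientAppTypes": ["all"] },
    "grantControls": { "operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"] } },
  { "displayName": "Mobile: approved apps for Office 365", "state": "enabled",
    "conditions": { "applications": { "includeApplications": ["Office365"] },
                    "platforms": { "includePlatforms": ["iOS", "android"] },
                    "clientAppTypes": ["mobileAppsAndDesktopClients"] },
    "grantControls": { "operator": "OR", "builtInControls": ["approvedApplication", "compliantApplication"] } },
  { "displayName": "MFA for all cloud apps", "state": "enabled",
    "conditions": { "applications": { "includeApplications": ["All"] },
                    "platforms": null,
                    "clientAppTypes": ["all"] },
    "grantControls": { "operator": "OR", "builtInControls": ["mfa"] } },
  { "displayName": "Exchange Online: compliant device, any platform", "state": "enabled",
    "conditions": { "applications": { "includeApplications": ["00000002-0000-0ff1-ce00-000000000000"] },
                    "platforms": null,
                    "clientAppTypes": ["all"] },
    "grantControls": { "operator": "OR", "builtInControls": ["compliantDevice"] } }
]
'@ | ConvertFrom-Json

$results = foreach ($p in $policies) { Test-BypassesDeviceAccessRules $p }
$results | Format-Table -AutoSize -Wrap
```

A tenant whose policies all come back "No" and whose default access level is Block or Quarantine is the case the article says will see Outlook mobile users blocked or quarantined.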

The good news is that if you are utilizing one (or more of) these grant access controls with the appropriate conditions, your Outlook for iOS and Android users will not be affected.

However, if you are utilizing Conditional Access policies that do not leverage the appropriate conditions and grant access controls and have configured the mobile device access level within Exchange Online to block or quarantine devices, users using Outlook for iOS and Android will be blocked or quarantined by Exchange Online after this change is implemented. By default, the mobile device access level in Exchange Online is set to allow. You have a few different options on how you can remediate this prior to the change:

  1. Implement Microsoft Endpoint Manager and one of the above grant access controls. For more information, see Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and A....
  2. Create an Exchange Online device access rule that allows Outlook for iOS and Android. For more information, see Block all email apps except Outlook for iOS and Android.
  3. Manually add the user’s Outlook for iOS and Android Device ID to the user’s ActiveSyncAllowedDeviceIDs property. To obtain the Device ID, use Get-MobileDeviceStatistics. To add the Device ID to the user’s ActiveSyncAllowedDeviceIDs property, see Set-CASMailbox. An example script is provided that can be modified to automate this:

 

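# Mailboxes that have at least one ActiveSync device partnership
$mbxs = Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize 10000
foreach ($mbx in $mbxs)
{
    # Outlook for iOS and Android devices that last synced successfully on or after 2020-06-01
    $IDList = Get-EXOMobileDeviceStatistics -Mailbox $mbx.Id | where { $_.LastSuccessSync -ge "2020-06-01" -and $_.DeviceModel -eq "Outlook for iOS and Android" }
    if (!$IDList) { continue }
    # Append each device ID to the mailbox's existing allow list, then write the list back
    foreach ($ID in $IDList) { $mbx.ActiveSyncAllowedDeviceIDs += $ID.DeviceID }
    Set-CASMailbox $mbx.Id -ActiveSyncAllowedDeviceIDs $mbx.ActiveSyncAllowedDeviceIDs
}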

 

  4. Change the default access level to Allow. For more information, see Set-ActiveSyncOrganizationSettings. This change allows all mobile devices, regardless of type, to connect.
  5. Alternatively, organizations can retain their default mobile device access level, wait for this change to take place, and manually allow each device as it is quarantined or blocked.

Important: Because Outlook for iOS and Android’s device IDs are not governed by any physical device ID, the ID can change without notice. When this happens, it can cause unintended consequences when device IDs are used for managing user devices, as existing 'allowed' devices may be unexpectedly blocked or quarantined by Exchange. Therefore, we recommend administrators only set mobile device access policies for Outlook for iOS and Android that allow/block devices based on device type or device model.
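The following added example (not part of the original article) compares the remediation options above once Exchange applies its device access rules to Outlook mobile, including the device-ID churn described in the Important note. The function name, device IDs and rule objects are constructed. The evaluation order used (per-user lists, then device access rules with Block over Quarantine over Allow, then the organization default) and exact-match rule comparison are assumptions of this sketch.

```powershell
# Added example. Sample data is constructed. In a live Exchange Online session the inputs
# would come from Get-ActiveSyncOrganizationSettings, Get-ActiveSyncDeviceAccessRule,
# Get-CASMailbox and Get-EXOMobileDeviceStatistics.

$StateFor = @{ Allow = 'Allowed'; Quarantine = 'Quarantined'; Block = 'Blocked' }

function Get-PredictedAccessState {
    param(
        [Parameter(Mandatory)] $Device,           # needs DeviceID, DeviceModel, DeviceType
        [string]   $DefaultAccessLevel = 'Allow', # organization default
        [object[]] $Rules = @(),                  # objects with Characteristic, QueryString, AccessLevel
        [string[]] $AllowedDeviceIDs = @(),       # per-user ActiveSyncAllowedDeviceIDs
        [string[]] $BlockedDeviceIDs = @()        # per-user ActiveSyncBlockedDeviceIDs
    )
    # 1. Per-user lists (assumed to win over everything else). DecidedBy values are this example's labels.
    if ($BlockedDeviceIDs -contains $Device.DeviceID) {
        return [pscustomobject]@{ State = 'Blocked'; DecidedBy = 'Per-user block list' }
    }
    if ($AllowedDeviceIDs -contains $Device.DeviceID) {
        return [pscustomobject]@{ State = 'Allowed'; DecidedBy = 'Per-user allow list' }
    }
    # 2. Device access rules: the rule's characteristic names the device property to compare.
    $matching = @($Rules | Where-Object { $Device.($_.Characteristic) -eq $_.QueryString })
    foreach ($level in 'Block', 'Quarantine', 'Allow') {
        if (@($matching | Where-Object { $_.AccessLevel -eq $level }).Count -gt 0) {
            return [pscustomobject]@{ State = $StateFor[$level]; DecidedBy = 'Device access rule' }
        }
    }
    # 3. Nothing matched: the organization default applies.
    [pscustomobject]@{ State = $StateFor[$DefaultAccessLevel]; DecidedBy = 'Organization default' }
}

# Constructed device: Outlook mobile after its device ID changed from ...OLDID to ...NEWID.
$device = [pscustomobject]@{
    DeviceID    = 'EXAMPLE0000NEWID'
    DeviceModel = 'Outlook for iOS and Android'
    DeviceType  = 'Outlook'
}

# Constructed rule matching on device model, as the article recommends.
$outlookRule = [pscustomobject]@{
    Characteristic = 'DeviceModel'
    QueryString    = 'Outlook for iOS and Android'
    AccessLevel    = 'Allow'
}

$scenarios = [ordered]@{
    'Default Quarantine, no rule, no allow list' = @{ DefaultAccessLevel = 'Quarantine' }
    'Allow list holds the previous device ID'    = @{ DefaultAccessLevel = 'Quarantine'; AllowedDeviceIDs = @('EXAMPLE0000OLDID') }
    'Allow list holds the current device ID'     = @{ DefaultAccessLevel = 'Quarantine'; AllowedDeviceIDs = @('EXAMPLE0000NEWID') }
    'DeviceModel allow rule'                     = @{ DefaultAccessLevel = 'Quarantine'; Rules = @($outlookRule) }
}

$report = foreach ($name in $scenarios.Keys) {
    $params = $scenarios[$name]
    $result = Get-PredictedAccessState -Device $device @params
    [pscustomobject]@{ Scenario = $name; State = $result.State; DecidedBy = $result.DecidedBy }
}
$report | Format-Table -AutoSize
```

The second scenario is the failure mode the Important note warns about: an allow list keyed on a device ID that has since changed no longer matches, so the device falls through to the default, while the model-based rule is unaffected by the ID.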

We believe the changes we’re implementing are the right approach for improving the overall security for Outlook for iOS and Android devices by only skipping Exchange mobile device access rules when the device is managed by Intune. If you have any questions, please let us know.

Ross Smith IV

ess%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1540642%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3B%20and%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%20I'm%20looking%20into%20our%20CA%20policies%20to%20check%20which%20would%20start%20processing%20the%20device%20access%20rules%20and%20pose%20an%20issue%20(have%20the%20org%20setting%20on%20quarantine)%20Initially%20you%20mention%20that%20the%20CA%20policy%20does%20not%20even%20have%20to%20be%20targeted%20to%20mobile%20devices.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20than%20correct%20from%20august%20onward%3C%2FP%3E%3CP%3EIf%20your%20User%20is%20targeted%20in%3CSTRONG%3E%20any%20CA%20policy%3C%2FSTRONG%3E%26nbsp%3Bwhich%20does%20not%20have%20Grant%20access%20controls%20selected%20will%20process%20the%20Device%20access%20rules%20%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EDevice%20access%20rules%20are%20also%20applied%20if%20the%20%3CSTRONG%3Eone%20of%20the%20CA%20policy%3C%2FSTRONG%3E%20is%20set%20to%20Block%20or%20use%20Session%20controls%20%3F%3C%2FP%3E%3CP%3EIs%20the%20webbased%20access%20to%20exchange%20online%26nbsp%3B%20also%20blocked%20if%20a%20device%20is%20quarantined%20or%20only%20the%20outlook%20app%20on%20IOS%20and%20Android%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1548010%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1548010%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20very%20nice%20article.%3C%2FP%3E%3CP%3EI%20do%20have%20a%20question.
%20I%20have%20a%20CA%20that%20has%20Grant%20Access%20if%20the%20device%20is%20Compliant%20for%20a%20smaller%20subset%20of%20users.%20Does%20this%20satisfy%20the%20requirement%20as%20stated%20above%20for%20all%20of%20our%20users%20(%3CSTRONG%3Ethe%20statement%20above%3A%20%22%3C%2FSTRONG%3E%3CSPAN%3E%3CSTRONG%3EThe%20good%20news%20is%20that%20if%20you%20are%20utilizing%20one%20(or%20more%20of)%20these%20grant%20access%20controls%2C%20your%20Outlook%20for%20iOS%20and%20Android%20users%20will%20not%20be%20affected.%22%3C%2FSTRONG%3E)%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOr%20does%20that%20only%20satisfy%20the%20CA%20requirements%20the%20users%20within%20that%20particular%20group%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1548027%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1548027%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F741136%22%20target%3D%22_blank%22%3E%40RayTheil2112%3C%2FA%3E%26nbsp%3B-%20only%20those%20users%20who%20have%20that%20CA%20policy%20will%20now%20have%20Exchange%20device%20access%20rules%20excluded%20for%20Outlook%20mobile.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1563724%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1563724%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20idea%20when%20this%20will%20go%20into%20effect%20for%20all%20users%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1563806%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20cha
nges%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1563806%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F748349%22%20target%3D%22_blank%22%3E%40Gudhery%3C%2FA%3E%26nbsp%3B-%20hard%20to%20say%20as%20we're%20going%20to%20roll%20this%20out%20slowly%20and%20ensure%20there%20are%20no%20issues%20and%20or%20increase%20in%20support%20tickets%20before%20deploying%20broadly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1571337%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571337%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20currently%20chasing%20the%20ghost%20of%20Get-MobileDevice%20and%20Get-MobileDeviceStatistics%20%2F%20Get-EXOMobileDeviceStatistics%20for%20the%20exact%20same%20device%20(usually%20Outlook%20for%20iOS)%20showing%20different%20access%20states%20after%20manually%20approving%20said%20device%20out%20of%20quarantine.%26nbsp%3B%20The%20former%20showing%20allowed%20with%20the%20latter%20two%20showing%20quarantined.%26nbsp%3B%20We're%20only%20leveraging%20Exchange%20Online%20Device%20access%20(with%20our%20default%20ActiveSync%20Organization%20Settings%20set%20to%20quarantine).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerhaps%20this%20change%20might%20help%20prevent%20this%20situation.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1601090%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1601090%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CA%20href
%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20i%20have%20a%20CA%20policy%20assigned%20to%20the%20user%20with%20%3CSTRONG%3ESession%20control%3C%2FSTRONG%3E%20or%20%3CSTRONG%3EBlock%3C%2FSTRONG%3E%20the%20exchange%20device%20access%20rules%20will%20still%20be%20processed%20%3F%3C%2FP%3E%3CP%3EIt%20seems%20the%20skipping%20is%20only%20done%20on%20specific%20Grant%20Access%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1623813%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1623813%22%20slang%3D%22en-US%22%3E%3CP%3EAugust%20has%20gone%20and%20I%20still%20don't%20see%20the%20change%20in%20behavior.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1464261%22%20slang%3D%22en-US%22%3EUpcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1464261%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22note%22%3E%3CSTRONG%3EUpdate%3A%26nbsp%3B%3C%2FSTRONG%3Ethe%20change%20mentioned%20in%20this%20article%20did%20%3CEM%3Enot%3C%2FEM%3E%20roll%20out%20in%20August%202020%20as%20planned%3B%20the%20update%20will%20occur%20later%20in%20Q4%20calendar%20year%202020.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20of%20you%20may%20rely%20on%20Exchange%20Online%20mobile%20device%20access%20rules%20to%20ensure%20that%20only%20approved%20devices%20(or%20apps)%20access%20your%20messaging%20data.%20By%20default%2C%20an%20Exchange%20Online%20tenant%20allows%20access%20for%20all%20mobile%20devices.%20Admins%20can%20change%20this%20behavior%20to%20either%20block%20or%20quarantine%20devices%20with%20the%20following%20cmdlet%3A%3C%2FP%3E%0A%3CP%3E%26n
bsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3ESet-ActiveSyncOrganizationSettings%20-DefaultAccessLevel%20%3CALLOW%3E%3C%2FALLOW%3E%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EExchange%20mobile%20device%20access%20rules%20can%20even%20be%20used%20to%20manage%20Outlook%20for%20iOS%20and%20Android%3B%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Fsecure-outlook-for-ios-and-android%23option-1-block-all-email-apps-except-outlook-for-ios-and-android%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EBlock%20all%20email%20apps%20except%20Outlook%20for%20iOS%20and%20Android%3C%2FA%3E%3CSPAN%3E%20for%20examples.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ELikewise%2C%20many%20of%20you%20have%20moved%20away%20from%20leveraging%20Exchange%20mobile%20device%20access%20rules%20and%20moved%20to%20a%20more%20comprehensive%20solution%20%E2%80%93%20Azure%20AD%20Conditional%20Access%20policies.%3C%2FP%3E%0A%3CP%3EWhat%20you%20may%20not%20know%20is%20the%20interaction%20between%20Exchange%E2%80%99s%20mobile%20device%20access%20rules%20and%20Azure%20Active%20Directory%20Conditional%20Access%20policies%20when%20using%20Outlook%20for%20iOS%20and%20Android.%20This%20article%20describes%20how%20these%20policies%20work%20today%20and%20what%20is%20changing%20in%20August%202020.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1323901808%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3
D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId-1163611025%22%3ECurrent%20behavior%3C%2FH2%3E%0A%3CP%3EToday%2C%20if%20you%20configure%20%3CU%3Eany%3C%2FU%3E%20conditional%20access
%20policy%20(regardless%20of%20its%20applicability%20to%20mobile%20devices)%2C%20Exchange%20Online%20will%20skip%20mobile%20device%20access%20rules%E2%80%99%20processing%20for%20Outlook%20for%20iOS%20and%20Android%20devices.%3C%2FP%3E%0A%3CP%3EFor%20example%2C%20let%E2%80%99s%20say%20in%20your%20tenant%20you%20have%20no%20conditional%20access%20policies%20targeting%20iOS%20or%20Android%20devices%2C%20but%20you%20have%20a%20policy%20that%20ensures%20Windows%20devices%20are%20managed.%20This%20conditional%20access%20policy%20targets%20the%20Windows%20platform%20and%20leverages%20the%20following%20grant%20access%20controls%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22CAChanges01.jpg%22%20style%3D%22width%3A%20368px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F198918i653DC0EBF715E327%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22CAChanges01.jpg%22%20alt%3D%22CAChanges01.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EWith%20this%20configuration%2C%20you%20may%20expect%20that%20Outlook%20for%20iOS%20and%20Android%20would%20be%20subject%20to%20Exchange%E2%80%99s%20mobile%20device%20access%20policies%20because%20there%20are%20no%20conditional%20access%20policies%20in%20play%20for%20iOS%20and%20Android%20devices.%20However%2C%20that%E2%80%99s%20not%20the%20case.%20When%20Outlook%20for%20iOS%20and%20Android%20connects%20to%20Exchange%20Online%2C%20Exchange%20Online%20executes%20a%20Graph%20API%20call%20to%20Azure%20AD%20and%20determines%20that%20there%20are%20conditional%20access%20policies%20associated%20with%20the%20user%20and%20skips%20the%20processing%20of%20the%20Exchange%20device%20access%20policies.%20You%20can%20see%20this%20by%20querying%20the%20device%20in%20Get-MobileDeviceStatistics%20as%20the%20DeviceAccessStateReason%20is%20set%20to%20ExternallyManaged%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20c
lass%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3EGet-MobileDeviceStatistics%20-mailbox%20Natasha%20%7C%20where%20%7B%24_.DeviceModel%20-eq%20%22Outlook%20for%20iOS%20and%20Android%22%7D%20%7C%20fl%20LastSuc*%2CDeviceAccess*%0ALastSuccessSync%20%20%20%20%20%20%20%20%20%3A%206%2F9%2F2020%2010%3A35%3A13%20PM%0ADeviceAccessState%20%20%20%20%20%20%20%3A%20Allowed%0ADeviceAccessStateReason%20%3A%20ExternallyManaged%0ADeviceAccessControlRule%20%3A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1163611025%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22
toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%20id%3D%22toc-hId--643843438%22%3EFuture%20behavior%3C%2FH2%3E%0A%3CP%3EObviously%2C%20that%20is%20not%20the%20desired%20behavior.%20Beginning%20in%20August%202020%2C%20we%20are%20rolling%20out%20changes%20in%20Exchange%20Online%20to%20ensure%20that%20only%20certain%20Conditional%20Access%20policies%20bypass%20Exchange%E2%80%99s%20mobile%20device%20access%20rules%20for%20Outlook%20for%20iOS%20and%20Android%20devices.%20Specifically%2C%20only%20Conditional%20Access%20policies%20configured%20with%20the%20following%20grant%20access%20controls%20will%20prevent%20Exchange%20mobile%20device%20access%20rules%20being%20applied%20to%20Outlook%20for%20iOS%20and%20Android%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERequire%20device%20to%20be%20marked%20as%20compliant%3C%2FLI%3E%0A%3CLI%3ERequire%20approved%20client%20app%3C%2FLI%3E%0A%3CLI%3ERequire%20app%20protection%20policy%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EFor%20more%20information%20on%20these%20grant%20access%20controls%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fconditional-access%2Fco
ncept-conditional-access-grant%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConditional%20Access%3A%20Grant%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EThe%20good%20news%20is%20that%20if%20you%20are%20utilizing%20one%20(or%20more%20of)%20these%20grant%20access%20controls%2C%20your%20Outlook%20for%20iOS%20and%20Android%20users%20will%20not%20be%20affected.%3C%2FP%3E%0A%3CP%3EHowever%2C%20if%20you%20are%20utilizing%20Conditional%20Access%20policies%20that%20do%20not%20leverage%20the%20above%20grant%20access%20controls%20and%20have%20configured%20the%20mobile%20device%20access%20level%20within%20Exchange%20Online%20to%20block%20or%20quarantine%20devices%2C%20users%20using%20Outlook%20for%20iOS%20and%20Android%20will%20be%20blocked%20or%20quarantined%20by%20Exchange%20Online%20after%20this%20change%20is%20implemented.%20By%20default%2C%20the%20mobile%20device%20access%20level%20in%20Exchange%20Online%20is%20set%20to%20allow.%20You%20have%20a%20few%20different%20options%20on%20how%20you%20can%20remediate%20this%20prior%20to%20the%20change%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EImplement%20Microsoft%20Endpoint%20Manager%20and%20one%20of%20the%20above%20grant%20access%20controls.%20For%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Fsecure-outlook-for-ios-and-android%23leveraging-enterprise-mobility--security-suite-to-protect-corporate-data-with-outlook-for-ios-and-android%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ELeveraging%20Enterprise%20Mobility%20%2B%20Security%20suite%20to%20protect%20corporate%20data%20with%20Outlook%20for%20iOS%20and%20Android%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3ECreate%20an%20Exchange%20Online%20device%20access%20rule%20that%20allows%20Outlook%20for%20iOS%20and%20Android.%20For%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutl
ook-for-ios-and-android%2Fsecure-outlook-for-ios-and-android%23option-1-block-all-email-apps-except-outlook-for-ios-and-android%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EBlock%20all%20email%20apps%20except%20Outlook%20for%20iOS%20and%20Android%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3EManually%20add%20the%20user%E2%80%99s%20Outlook%20for%20iOS%20and%20Android%20Device%20ID%20to%20the%20user%E2%80%99s%20ActiveSyncAllowedDeviceIDs%20property.%20To%20obtain%20the%20Device%20ID%2C%20use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fpowershell%2Fmodule%2Fexchange%2Fget-mobiledevicestatistics%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGet-MobileDeviceStatistics%3C%2FA%3E.%20To%20add%20the%20Device%20ID%20to%20the%20user%E2%80%99s%20ActiveSyncAllowedDeviceIDs%20property%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fpowershell%2Fmodule%2Fexchange%2Fset-casmailbox%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESet-CASMailbox%3C%2FA%3E.%20An%20example%20script%20is%20provided%20that%20can%20be%20modified%20to%20automate%20this%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%24mbxs%20%3D%20Get-CASMailbox%20-Filter%20%7B%20HasActiveSyncDevicePartnership%20-eq%20%24true%20%7D%20-ResultSize%2010000%0Aforeach(%24mbx%20in%20%24mbxs)%0A%7B%0A%24IDList%20%3D%20Get-EXOMobileDeviceStatistics%20-Mailbox%20%24mbx.id%20%7C%20where%20%7B%24_.LastSuccessSync%20-ge%20%222020-06-01%22%20-and%20%24_.DeviceModel%20-eq%20%22Outlook%20for%20iOS%20and%20Android%22%7D%0AIf(!%24IDList)%20%7B%20continue%20%7D%0Aforeach(%24ID%20in%20%24IDList)%20%7B%24mbx.ActiveSyncAllowedDeviceIDs%20%2B%3D%20%24ID.DeviceID%7D%0ASet-CasMailbox%20%24mbx.Id%20-ActiveSyncAllowedDeviceIDs%20%24mbx.ActiveSyncAllowedDeviceIDs%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%224%22%3E%0A%3CL
I%3EChange%20the%20default%20access%20level%20to%20Allow.%20For%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fpowershell%2Fmodule%2Fexchange%2Fset-activesyncorganizationsettings%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESet-ActiveSyncOrganizationSettings%3C%2FA%3E.%20This%20change%20allows%20all%20mobile%20devices%2C%20regardless%20of%20type%2C%20to%20connect.%3C%2FLI%3E%0A%3CLI%3EAlternatively%2C%20organizations%20can%20retain%20their%20default%20mobile%20device%20access%20level%20and%20wait%20for%20this%20change%20to%20take%20place%20and%20manually%20allow%20each%20device%20as%20they%20are%20quarantined%2Fblocked.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22note%22%3E%3CSTRONG%3EImportant%3C%2FSTRONG%3E%3A%20Because%20Outlook%20for%20iOS%20and%20Android%E2%80%99s%20device%20IDs%20are%20not%20governed%20by%20any%20physical%20device%20ID%2C%20the%20ID%20can%20change%20without%20notice.%20When%20this%20happens%2C%20it%20can%20cause%20unintended%20consequences%20when%20device%20IDs%20are%20used%20for%20managing%20user%20devices%2C%20as%20existing%20'allowed'%20devices%20may%20be%20unexpectedly%20blocked%20or%20quarantined%20by%20Exchange.%20Therefore%2C%20we%20recommend%20administrators%20only%20set%20mobile%20device%20access%20policies%20for%20Outlook%20for%20iOS%20and%20Android%20that%20allow%2Fblock%20devices%20based%20on%20device%20type%20or%20device%20model.%3C%2FP%3E%0A%3CP%3EWe%20believe%20the%20changes%20we%E2%80%99re%20implementing%20are%20the%20right%20approach%20for%20improving%20the%20overall%20security%20for%20Outlook%20for%20iOS%20and%20Android%20devices%20by%20only%20skipping%20Exchange%20mobile%20device%20access%20rules%20when%20the%20device%20is%20managed%20by%20Intune.%20If%20you%20have%20any%20questions%2C%20please%20let%20us%20know.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22author%22%3ERoss%20Smith%20IV%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%2
2lingo-teaser-1464261%22%20slang%3D%22en-US%22%3E%3CP%3EMany%20of%20you%20may%20rely%20on%20Exchange%20Online%20mobile%20device%20access%20rules%20to%20ensure%20that%20only%20approved%20devices%20(or%20apps)%20access%20your%20messaging%20data.%20We%20wanted%20to%20mention%20some%20upcoming%20changes.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1464261%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnnouncements%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1857248%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1857248%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EIf%20I%20have%20the%20following%20output%20of%20the%20command%20Get-MobileDeviceStatistics%20%3A%3C%2FP%3E%3CP%3E%3CSPAN%3EDeviceAccessState%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20Quarantined%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EDeviceAccessStateReason%26nbsp%3B%3A%26nbsp%3BAadBlockDueToAccessPolicy%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EHow%20can%20I%20retrieve%20the%20ID%20of%20the%20CA%20policy%20that%20is%20blocking%20the%20device%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EKind%20regards%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EKostadin%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1876056%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1876056%22%20slang%3D%22en-US%22%3E%3CP%3EDid%20this%20change%20ever%20happen%3F%20I%20still%20see%20the%20old%20behaviour.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1876503%22%20slang%3D%22en-U
S%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1876503%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F777322%22%20target%3D%22_blank%22%3E%40davudullu%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%20spotted%20that%20just%20after%20posting%20this%20comment.%20I%20suspect%20there%20are%20a%20lot%20of%20organisations%20out%20there%20completely%20oblivious%20that%20this%20is%20happening.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20I%20may%20utilise%20the%20-OutlookMobileEnabled%20flag%20on%20Set-CASMailbox%20(e.g.%20Set-CASMailbox%20username%20-OutlookMobileEnabled%20%24False).%20It's%20a%20shame%20this%20can't%20be%20enabled%20globally%20though.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1876384%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1876384%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F425593%22%20target%3D%22_blank%22%3E%40JordanMalcolmUK%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20top%20of%20page%3A%3C%2FP%3E%3CP%3E%3CSTRONG%3EUpdate%3A%26nbsp%3B%3C%2FSTRONG%3Ethe%20change%20mentioned%20in%20this%20article%20did%20%3CEM%3Enot%3C%2FEM%3E%20roll%20out%20in%20August%202020%20as%20planned%3B%20the%20update%20will%20occur%20later%20in%20Q4%20calendar%20year%202020.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20didn't%20occur%26nbsp%3B%20yet.%20I%20really%20don't%20understand%20Microsoft.%20This%20is%20a%20critical%20security%20bug%20that%20has%20been%20unfixed%20for%20over%20a%20year.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%
0MS.%26nbsp%3B%20We%20are%20based%20in%20AUS%20and%20noticed%20that%20users%20that%20had%20been%20working%20were%20suddenly%20quarantined%20(as%20planned)%20but%20then%20it%20has%20stopped.%26nbsp%3B%20New%20users%20being%20allowed%20through%20because%20of%20MFA.%26nbsp%3B%20Was%20this%20patch%20rolled%20back%3F%26nbsp%3B%20Some%20information%20would%20be%20much%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eregards%2C%3C%2FP%3E%3CP%3EDavid%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2037243%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2037243%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F917205%22%20target%3D%22_blank%22%3E%40hollierose%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F917779%22%20target%3D%22_blank%22%3E%40campbed1145%3C%2FA%3E%26nbsp%3BAs%20Jeremy%20indicated%2C%20we%20began%20a%20small%20rollout%20of%2010%25%20of%20worldwide%20tenants%20prior%20to%20the%20holiday.%20We%20increased%20rollout%20to%2020%25%20this%20week.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113257%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113257%22%20slang%3D%22en-US%22%3E%3CP%3EStill%20not%20finished%3F%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20Outlook%20Mobile%20is%20still%20not%20quarantining%20when%20allowed%20when%20Exchange%20access%20is%20allowed%26nbsp%3B%20through%20CA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113259%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20
and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113259%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F216033%22%20target%3D%22_blank%22%3E%40Jeremy%20Knight%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EStill%20not%20finished%3F%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20Outlook%20Mobile%20is%20still%20not%20quarantining%20when%20allowed%20when%20Exchange%20access%20is%20allowed%26nbsp%3B%20through%20CA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113263%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113263%22%20slang%3D%22en-US%22%3E%3CP%3EWe've%20rolled%20this%20out%20to%20100%25%20of%20commercial%20tenants%20as%20of%20yesterday.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2852237%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2852237%22%20slang%3D%22en-US%22%3E%3CP%3Ei%20configured%20work%20email%20in%20outlook%20android%20app%20(device%20not%20enrolled%20to%20intune.%20it%20is%20MAM-WE)%20and%20i%20still%20encountered%20the%20prompt%20to%20activate%20device%20administrator%20for%20outlook%20device%20policy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20ensured%20that%20user%20licensed%20to%20ems%20e3.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ECA%20is%20created%20and%20applied%20to%20the%20user.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECloud%20app%20condition%3A%20Exchange%20Online%3CBR%20%2F%3EDevice%20platform
%20condition%3A%20Android%3CBR%20%2F%3EClient%20apps%20condition%3A%20Mobile%20apps%20and%20desktop%20clients%3CBR%20%2F%3EOne%20of%20the%20following%20Grant%20access%20controls%3A%20Require%20approved%20client%20app%3C%2FP%3E%3C%2FLINGO-BODY%3E
Last update: Feb 08 2021 01:33 PM