Re: Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile

[Reply 1477509]
Hello, this is a welcome change! I wrote an article about the current behaviour last year (https://www.gurot.com/blog/eas-access-rules-exchange-online) and the fact that ABQ rules in the current implementation are pretty much useless... :( Also, the current implementation is very vaguely described in the documentation and does cause a lot of confusion. Thanks for making this change!

[Reply 1478423]
Microsoft mobile solutions are becoming a mess.

Customers looking to manage Outlook for iOS and Android have the following options:

1. Recommended: The Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory conditional access.
2. Mobile Device Management (MDM) for Office 365 (free/builtin?). "MDM for Office 365 provides device management capabilities at no additional cost"
3. Third-party Mobile Device Management solutions.
4. Mobile Device Access and Mobile Device Mailbox Policies (free/builtin?).

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/manage-outlook-for-ios-and-android#options-for-managing-devices-and-applications-in-office-365

"Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WP refers to Windows Phone, WP8 refers to Windows Phone 8 and later, and WindowsMail refers to the Mail app included in Windows 10)"
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#leveraging-exchange-online-mobile-device-policies

3 solutions from Microsoft for managing mobile devices, but there is no good diagnostics tool explaining what's going on.

@The_Exchange_Team
My question: the Microsoft built-in Mail app (Mail and Calendar in MS Store) - will it be affected? How should it be managed? Which Conditional Access policy should be used? Yes, this is enough for some of our users, as they don't need the full Office package price (security bonus: all Excel/Word macros are "blocked" 😊).

[Reply 1490066]
@Rafał Fitt I don't consider providing customers with options with varying degrees of different features and capabilities a mess. #2 and #4 are built-in and available to customers, while #1 and #3 require additional licensing/cost.

The Windows 10 Mail/Calendar apps do use the same sync technology that Outlook mobile leverages. However, Windows 10 Mail/Calendar doesn't support Exchange device access rules, so that enforcement is skipped for those clients. The CA grant controls, Require approved client app and Require app protection policy, are only applicable to iOS and Android devices. The Require device to be marked as compliant can be used, though.

[Reply 1496850]
Thanks and glad to hear this is being addressed (the current state is news to me anyway). I have a hopefully quick question about the current state, and I guess the same question applies to the future state.

> Current behavior
> Today, if you configure any conditional access policy (regardless of its applicability to mobile devices), Exchange Online will skip mobile device access rules' processing for Outlook for iOS and Android devices.

By "any", does that mean even regardless of any other conditions? What I mean is, does the policy at least have to apply to Exchange Online as the cloud app?

I'm assuming yes, but I'm not sure exactly how Exchange Online and Azure AD are talking back and forth about this stuff. I assume the response/token that AAD gives the user when sending them back to Exchange Online (after authenticating through Azure AD) must contain info that tells EXO what grant controls were required? Or does Exchange Online do some kind of recurring analysis of AAD Conditional Access policies?

Thanks in advance.

[Reply 1496860]
@Jeremy Bradshaw no, EXO does not have to be specified as a cloud app in CA. Effectively, what's happening is that EXO is making a graph API call. The API returns that there are CA policies in play (e.g., a broad policy that ensures MFA is required), which triggers EXO to not apply the device access rules. The change rolling out in August ensures that we evaluate a particular claim (enfpolids) returned by the graph API and only skip device access rules if that claim is non-empty.

[Reply 1498202]
@Ross Smith IV Thanks for the explanation. Neato.

[Reply 1500148]
@Ross Smith IV
I got a few more questions regarding this Windows 10 Mail app:

"The Windows 10 Mail/Calendar apps do use the same sync technology that Outlook mobile leverages."
So it is not ActiveSync, I assume.
(relevant for https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies?view=o365-worldwide)

And is this Windows 10 Mail app using modern authentication or not?
It is not listed here: https://docs.microsoft.com/en-us/Office365/Enterprise/office-365-client-support-modern-authentication
(relevant for https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication)

(please forgive my confusion)
"The Require device to be marked as compliant can be used, though"
Compliant with a fully-blown Windows 10 compliance policy from Intune, yes?

Or do you mean this compliance?
"You can manage Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 10 devices will be required to enroll in Mobile Device Management for Microsoft 365 Business Standard the first time they use the built-in email app to access their Microsoft 365 email (requires Azure AD premium subscription)."
https://support.microsoft.com/en-us/office/capabilities-of-built-in-mobile-device-management-for-microsoft-365-a1da44e5-7475-4992-be91-9ccec25905b0
+
https://support.microsoft.com/en-us/help/3144451/a-windows-10-device-is-enrolled-as-mobile-when-you-use-mobile-device-m

[Reply 1500536]
No, Windows 10 Mail does not use ActiveSync (for EXO mailboxes). It uses the Microsoft sync technology.

Yes, the Windows 10 Mail app supports modern authentication. It's considered a "Windows 10 Modern App" in https://docs.microsoft.com/en-us/Office365/Enterprise/office-365-client-support-modern-authentication.

Yes, the "require device to be marked as compliant" grant access control can be used to ensure Windows devices are enrolled. This section - https://docs.microsoft.com/en-us/microsoft-365/enterprise/identity-access-policies?view=o365-worldwide#require-compliant-pcs-but-not-compliant-phones-and-tablets.

[Reply 1500711]
@Ross Smith IV

Hmm, but Microsoft Corp. knows better :p

WindowsMail is listed in https://outlook.office365.com/ecp/ in Exchange ActiveSync Device Access rules:
[screenshot: Adnotacja 2020-07-01 082509.png]

"Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WindowsMail refers to the Mail app included in Windows 10)"
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#option-1-block-all-email-apps-except-outlook-for-ios-and-android

It looks like the Mail app is "forgotten" in all Microsoft documentation, but from an admin point of view it is "better" than other email clients - it auto-updates without admin rights in the background.

Definitely the Mail app needs some love from you guys.

[Reply 1505895]
Hi, does the change rolling out Aug 2020 impact the native iOS Mail app configured with Exchange ActiveSync, or just Outlook for iOS and Android devices?

Thanks,
Pablo

[Reply 1506241]
@PCH1-IT This change only affects Outlook for iOS and Android.

[Reply 1509321]
@Ross Smith IV is this change only applicable for tenants with Azure AD conditional access policies in place? If there is no CA policy in place, there will be no impact?

[Reply 1509364]
@lwood50 - yes, this is only applicable if CA is in use. Note that Azure AD security defaults (https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) like MFA are using conditional access behind the scenes.

[Reply 1521143]
@The_Exchange_Team @Ross Smith IV
Earlier, Send to OneNote was not working on devices with a Conditional Access policy in place. Will it address that issue too?
Similar to Insert Meeting Details, the Send to OneNote add-in in Outlook is implemented as Office dialogue API. It wasn't supported with Intune policies on Android or iOS devices?

[Reply 1521465]
@Gaurav0327 Random question on a random blog article, eh? :) Not sure what issue you are referring to, but it has nothing to do with this change. If the question is how a user authenticated in Outlook mobile can use the Send to OneNote feature, then the answer is that Send to OneNote in Outlook mobile does not allow users to sign into the add-in. They must sign in to the OneNote add-in using Outlook desktop, Outlook for Mac, or Outlook web app from a PC/Mac. This is a design choice to ensure that work or school account data cannot be exfiltrated to a personal OneNote account via the add-in. Add-ins in Outlook mobile are not protected by the Intune App Protection Policy - they are considered unmanaged.

[Reply 1528403]
Hi,

how is this case handled:
AAD Conditional Access: a rule that grants "Approved Client Apps" in Condition with -> Client Apps -> Browser (only) (the user can just access with Edge or Intune Browser). No rule for apps.

Does this AAD CA rule bypass the Exchange CA with the new behaviour?

best regards

[Reply 1540642]
@Ross Smith IV and @The_Exchange_Team I'm looking into our CA policies to check which would start processing the device access rules and pose an issue (have the org setting on quarantine). Initially you mention that the CA policy does not even have to be targeted to mobile devices.

Is it then correct from August onward:
If your user is targeted in any CA policy which does not have Grant access controls selected, will it process the Device access rules?
EDevice%20access%20rules%20are%20also%20applied%20if%20the%20%3CSTRONG%3Eone%20of%20the%20CA%20policy%3C%2FSTRONG%3E%20is%20set%20to%20Block%20or%20use%20Session%20controls%20%3F%3C%2FP%3E%3CP%3EIs%20the%20webbased%20access%20to%20exchange%20online%26nbsp%3B%20also%20blocked%20if%20a%20device%20is%20quarantined%20or%20only%20the%20outlook%20app%20on%20IOS%20and%20Android%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1548010%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1548010%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20very%20nice%20article.%3C%2FP%3E%3CP%3EI%20do%20have%20a%20question.%20I%20have%20a%20CA%20that%20has%20Grant%20Access%20if%20the%20device%20is%20Compliant%20for%20a%20smaller%20subset%20of%20users.%20Does%20this%20satisfy%20the%20requirement%20as%20stated%20above%20for%20all%20of%20our%20users%20(%3CSTRONG%3Ethe%20statement%20above%3A%20%22%3C%2FSTRONG%3E%3CSPAN%3E%3CSTRONG%3EThe%20good%20news%20is%20that%20if%20you%20are%20utilizing%20one%20(or%20more%20of)%20these%20grant%20access%20controls%2C%20your%20Outlook%20for%20iOS%20and%20Android%20users%20will%20not%20be%20affected.%22%3C%2FSTRONG%3E)%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOr%20does%20that%20only%20satisfy%20the%20CA%20requirements%20the%20users%20within%20that%20particular%20group%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1548027%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1548027%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F741136%22%20target%3D%2
2_blank%22%3E%40RayTheil2112%3C%2FA%3E%26nbsp%3B-%20only%20those%20users%20who%20have%20that%20CA%20policy%20will%20now%20have%20Exchange%20device%20access%20rules%20excluded%20for%20Outlook%20mobile.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1563724%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1563724%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20idea%20when%20this%20will%20go%20into%20effect%20for%20all%20users%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1563806%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1563806%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F748349%22%20target%3D%22_blank%22%3E%40Gudhery%3C%2FA%3E%26nbsp%3B-%20hard%20to%20say%20as%20we're%20going%20to%20roll%20this%20out%20slowly%20and%20ensure%20there%20are%20no%20issues%20and%20or%20increase%20in%20support%20tickets%20before%20deploying%20broadly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1571337%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571337%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20currently%20chasing%20the%20ghost%20of%20Get-MobileDevice%20and%20Get-MobileDeviceStatistics%20%2F%20Get-EXOMobileDeviceStatistics%20for%20the%20exact%20same%20device%20(usually%20Outlook%20for%20iOS)%20showing%20different%20access%20states%20after%20manually%20approving%20said%20device%20out%20of%20quarantine.%26nbsp%3B%20The%20former%20showing%20allowed%20with%20the%20latter%20two%20showing%20quarantined.%26nbsp%3B%20We'
re%20only%20leveraging%20Exchange%20Online%20Device%20access%20(with%20our%20default%20ActiveSync%20Organization%20Settings%20set%20to%20quarantine).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerhaps%20this%20change%20might%20help%20prevent%20this%20situation.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1601090%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1601090%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20i%20have%20a%20CA%20policy%20assigned%20to%20the%20user%20with%20%3CSTRONG%3ESession%20control%3C%2FSTRONG%3E%20or%20%3CSTRONG%3EBlock%3C%2FSTRONG%3E%20the%20exchange%20device%20access%20rules%20will%20still%20be%20processed%20%3F%3C%2FP%3E%3CP%3EIt%20seems%20the%20skipping%20is%20only%20done%20on%20specific%20Grant%20Access%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1623813%22%20slang%3D%22en-US%22%3ERe%3A%20Upcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1623813%22%20slang%3D%22en-US%22%3E%3CP%3EAugust%20has%20gone%20and%20I%20still%20don't%20see%20the%20change%20in%20behavior.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1464261%22%20slang%3D%22en-US%22%3EUpcoming%20Exchange%20Online%20Device%20Access%20and%20Conditional%20Access%20changes%20with%20Outlook%20mobile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1464261%22%20slang%3D%22en-US%22%3E

Update: the change mentioned in this article did not roll out in August 2020 as planned; the update will occur later in Q4 calendar year 2020.

Many of you may rely on Exchange Online mobile device access rules to ensure that only approved devices (or apps) access your messaging data. By default, an Exchange Online tenant allows access for all mobile devices. Admins can change this behavior to either block or quarantine devices with the following cmdlet; the default access level applies only to devices that are not already matched by a per-user allow/block list or by a device access rule:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel <Allow,Quarantine,Block>

Exchange mobile device access rules can even be used to manage Outlook for iOS and Android; see Block all email apps except Outlook for iOS and Android for examples.

Likewise, many of you have moved away from leveraging Exchange mobile device access rules and moved to a more comprehensive solution – Azure AD Conditional Access policies.

What you may not know is the interaction between Exchange’s mobile device access rules and Azure Active Directory Conditional Access policies when using Outlook for iOS and Android. This article describes how these policies work today and what is changing in August 2020.

Current behavior

Today, if you configure any conditional access policy (regardless of its applicability to mobile devices), Exchange Online will skip mobile device access rules’ processing for Outlook for iOS and Android devices.

For example, let’s say in your tenant you have no conditional access policies targeting iOS or Android devices, but you have a policy that ensures Windows devices are managed. This conditional access policy targets the Windows platform and leverages the following grant access controls:

[Image: CAChanges01.jpg]

With this configuration, you may expect that Outlook for iOS and Android would be subject to Exchange’s mobile device access policies because there are no conditional access policies in play for iOS and Android devices. However, that’s not the case. When Outlook for iOS and Android connects to Exchange Online, Exchange Online executes a Graph API call to Azure AD and determines that there are conditional access policies associated with the user and skips the processing of the Exchange device access policies. You can see this by querying the device in Get-MobileDeviceStatistics as the DeviceAccessStateReason is set to ExternallyManaged:

 

Get-MobileDeviceStatistics -mailbox Natasha | where {$_.DeviceModel -eq "Outlook for iOS and Android"} | fl LastSuc*,DeviceAccess*
LastSuccessSync         : 6/9/2020 10:35:13 PM
DeviceAccessState       : Allowed
DeviceAccessStateReason : ExternallyManaged
DeviceAccessControlRule :
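
As an added example (not code from the original post), the following PowerShell inventories every Outlook for iOS and Android partnership in the tenant and groups it by DeviceAccessState and DeviceAccessStateReason, so you can count how many devices are currently being waved through as ExternallyManaged before that bypass is narrowed. It assumes an Exchange Online PowerShell session with the EXO V2 module already connected (Connect-ExchangeOnline); the 30-day activity window and the CSV path are assumptions you can change.

```powershell
# Added example, not from the original post. Inventories Outlook for iOS and
# Android devices and reports their Exchange device access state, so that
# "ExternallyManaged" partnerships (device access rules skipped because a CA
# policy exists for the user) can be counted before the bypass is narrowed.
# Assumes Connect-ExchangeOnline has been run (EXO V2 module).
param(
    [int]$ActiveWithinDays = 30,                               # assumed window
    [string]$ReportPath = ".\outlook-mobile-access-state.csv"  # assumed path
)

$cutoff = (Get-Date).AddDays(-$ActiveWithinDays)

# Only mailboxes that actually have a mobile device partnership.
$mbxs = Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize Unlimited

$rows = foreach ($mbx in $mbxs) {
    Get-EXOMobileDeviceStatistics -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object {
            $_.DeviceModel -eq "Outlook for iOS and Android" -and
            $_.LastSuccessSync -ge $cutoff
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox           = $mbx.PrimarySmtpAddress
                DeviceId          = $_.DeviceID
                DeviceType        = $_.DeviceType
                LastSuccessSync   = $_.LastSuccessSync
                AccessState       = $_.DeviceAccessState
                AccessStateReason = $_.DeviceAccessStateReason
                AccessRule        = $_.DeviceAccessControlRule
            }
        }
}

if ($rows) { $rows | Export-Csv -NoTypeInformation -Path $ReportPath }

# Devices in the ExternallyManaged state are the ones that will fall back to the
# tenant default access level when their user's CA policies do not use one of the
# three grant controls, so show that default alongside the breakdown.
"Tenant DefaultAccessLevel: $((Get-ActiveSyncOrganizationSettings).DefaultAccessLevel)"
"Outlook mobile devices active in the last $ActiveWithinDays days: $(@($rows).Count)"
$rows |
    Group-Object AccessState, AccessStateReason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it once before the change and keep the CSV; after the change, the same report shows which of those devices moved to Quarantined or Blocked with a non-empty DeviceAccessControlRule or a DeviceAccessStateReason of Global, which tells you whether a rule or the tenant default caught them.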

 

Future behavior

Obviously, that is not the desired behavior. Beginning in August 2020, we are rolling out changes in Exchange Online to ensure that only certain Conditional Access policies bypass Exchange’s mobile device access rules for Outlook for iOS and Android devices. Specifically, only Conditional Access policies configured with the following grant access controls will prevent Exchange mobile device access rules being applied to Outlook for iOS and Android:

  • Require device to be marked as compliant
  • Require approved client app
  • Require app protection policy

For more information on these grant access controls, see Conditional Access: Grant.

The good news is that if you are utilizing one (or more of) these grant access controls, your Outlook for iOS and Android users will not be affected.

However, if your Conditional Access policies do not use one of the above grant access controls and you have configured the mobile device access level within Exchange Online to block or quarantine devices, Outlook for iOS and Android users will be blocked or quarantined by Exchange Online after this change is implemented (unless a device access rule or per-user allow list already matches their devices). By default, the mobile device access level in Exchange Online is set to allow. You have a few different options to remediate this before the change:

  1. Implement Microsoft Endpoint Manager and one of the above grant access controls. For more information, see Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android.
  2. Create an Exchange Online device access rule that allows Outlook for iOS and Android. For more information, see Block all email apps except Outlook for iOS and Android.
  3. Manually add the user’s Outlook for iOS and Android Device ID to the user’s ActiveSyncAllowedDeviceIDs property. To obtain the Device ID, use Get-MobileDeviceStatistics. To add the Device ID to the user’s ActiveSyncAllowedDeviceIDs property, see Set-CASMailbox. An example script is provided that can be modified to automate this:

 

$mbxs = Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize Unlimited
foreach ($mbx in $mbxs)
{
    # Only Outlook for iOS and Android partnerships that have synced since the cutoff date
    $IDList = Get-EXOMobileDeviceStatistics -Mailbox $mbx.Identity | where {$_.LastSuccessSync -ge "2020-06-01" -and $_.DeviceModel -eq "Outlook for iOS and Android"}
    If (!$IDList) { continue }
    # Start from the existing per-user allow list and add only IDs that are not already on it
    $allowed = @($mbx.ActiveSyncAllowedDeviceIDs)
    foreach ($ID in $IDList) { if ($allowed -notcontains $ID.DeviceID) { $allowed += $ID.DeviceID } }
    If ($allowed.Count -eq @($mbx.ActiveSyncAllowedDeviceIDs).Count) { continue }   # nothing new to write
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs $allowed
}

 

  4. Change the default access level to Allow. For more information, see Set-ActiveSyncOrganizationSettings. This change allows all mobile devices, regardless of type, to connect.
  5. Alternatively, organizations can retain their default mobile device access level and wait for this change to take place and manually allow each device as they are quarantined/blocked.

Important: Because Outlook for iOS and Android’s device IDs are not governed by any physical device ID, the ID can change without notice. When this happens, it can cause unintended consequences when device IDs are used for managing user devices, as existing 'allowed' devices may be unexpectedly blocked or quarantined by Exchange. Therefore, we recommend administrators only set mobile device access policies for Outlook for iOS and Android that allow/block devices based on device type or device model.
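
To check options 1 and 2 from the list above in one pass, here is an added example (not code from the original post). Part 1 uses the Microsoft Graph PowerShell SDK to list Conditional Access policies and flag those whose grant controls include one of the three that will still bypass Exchange device access rules; in the Graph builtInControls vocabulary those are compliantDevice, approvedApplication and compliantApplication. The report is tenant-level: it does not resolve which users each policy is scoped to, and per the replies the bypass only applies to users who are in scope of such a policy. Part 2 is option 2, the DeviceModel-based allow rule for Outlook for iOS and Android, which keys on the model string rather than on a device ID that can change. It assumes Connect-MgGraph -Scopes "Policy.Read.All" and Connect-ExchangeOnline have already been run.

```powershell
# Added example, not from the original post. Part 1: audit Conditional Access
# policies for the three grant controls that will still bypass Exchange device
# access rules for Outlook for iOS and Android. Part 2: remediation option 2,
# a DeviceModel-based allow rule for Outlook for iOS and Android.
# Assumes Connect-MgGraph -Scopes "Policy.Read.All" and Connect-ExchangeOnline.

# Graph builtInControls values mapped to the portal labels used in the article.
$bypassControls = @{
    compliantDevice      = "Require device to be marked as compliant"
    approvedApplication  = "Require approved client app"
    compliantApplication = "Require app protection policy"
}

# --- Part 1: which policies carry a bypassing grant control? ---
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    # "block" for block policies, empty for session-control-only policies
    $controls = @($p.GrantControls.BuiltInControls)
    $matched  = @($controls | Where-Object { $bypassControls.ContainsKey($_) })
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        Platforms      = (@($p.Conditions.Platforms.IncludePlatforms) -join ",")
        GrantControls  = ($controls -join ",")
        BypassControls = (($matched | ForEach-Object { $bypassControls[$_] }) -join "; ")
        BypassesEAS    = ($p.State -eq "enabled" -and $matched.Count -gt 0)
    }
}
$report | Sort-Object BypassesEAS -Descending | Format-Table -AutoSize

if (-not @($report | Where-Object BypassesEAS).Count) {
    Write-Warning ("No enabled policy uses compliantDevice, approvedApplication or " +
        "compliantApplication; after the change Outlook mobile will be subject to the " +
        "Exchange default access level and device access rules.")
}

# --- Part 2: allow Outlook for iOS and Android by DeviceModel (option 2) ---
$model = "Outlook for iOS and Android"
$rule = Get-ActiveSyncDeviceAccessRule | Where-Object {
    $_.Characteristic -eq "DeviceModel" -and $_.QueryString -eq $model
}
if (-not $rule) {
    $rule = New-ActiveSyncDeviceAccessRule -QueryString $model -Characteristic DeviceModel -AccessLevel Allow
}
"Device access rule: $($rule.Name) -> $($rule.AccessLevel)"
"Tenant DefaultAccessLevel: $((Get-ActiveSyncOrganizationSettings).DefaultAccessLevel)"
```

A policy in the report with BypassesEAS set to True but Platforms limited to windows is exactly the example from the Current behavior section: it bypasses device access rules for its users today, and it will continue to do so after the change only because it carries one of the three grant controls, not because it targets mobile devices.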

We believe the changes we’re implementing are the right approach for improving the overall security for Outlook for iOS and Android devices by only skipping Exchange mobile device access rules when the device is managed by Intune. If you have any questions, please let us know.

Ross Smith IV

24 Comments
Occasional Contributor

Hello, this is a welcome change! I wrote an article about the current behaviour last year (https://www.gurot.com/blog/eas-access-rules-exchange-online) and the fact that ABQ rules in the current implementation are pretty much useless... :( Also, the current implementation is very vaguely described in the documentation and does cause a lot of confusion. Thanks for making this change!

 

Occasional Contributor

Microsoft mobile solutions are becoming a mess.

 

Customers looking to manage Outlook for iOS and Android have the following options:

  1. Recommended: The Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory conditional access.

  2. Mobile Device Management (MDM) for Office 365 (free/builtin?). "MDM for Office 365 provides device management capabilities at no additional cost"

  3. Third-party Mobile Device Management solutions.

  4. Mobile Device Access and Mobile Device Mailbox Policies (free/builtin?).

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...

 

"Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WP refers to Windows Phone, WP8 refers to Windows Phone 8 and later, and WindowsMail refers to the Mail app included in Windows 10)"

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...

 

3 solutions from Microsoft for managing mobile devices, but there is no good diagnostics tool explaining what's going on.

 

@The_Exchange_Team 

my question: The Microsoft built-in Mail app (Mail and Calendar in MS Store) - will it be affected? how it should be managed? Which Conditional Access policy should be used? Yes, this is enough for some of our users, as they don't need full Office package price (security bonus: all Excel/Word macros are "blocked" :smiling_face_with_smiling_eyes:).

Microsoft

@Rafał Fitt I don't consider providing customers with options with varying degrees of different features and capabilities a mess. #2 and #4 are built-in and available to customers, while #1 and #3 require additional licensing/cost.

 

The Windows 10 Mail/Calendar apps do use the same sync technology that Outlook mobile leverages. However, Windows 10 Mail/Calendar doesn't support Exchange device access rules, so that enforcement is skipped for those clients. The CA grant controls, Require approved client app and Require app protection policy, are only applicable to iOS and Android devices. The Require device to be marked as compliant can be used, though.

Contributor

Thanks and glad to hear this is being addressed (the current state is news to me anyway).  I have a hopefully quick question, about the current state, and I guess the same question applies to the future state.

Current behavior

Today, if you configure any conditional access policy (regardless of its applicability to mobile devices), Exchange Online will skip mobile device access rules’ processing for Outlook for iOS and Android devices.

By "any", does that mean even regardless of any other conditions? What I mean is, does the policy at least have to apply to Exchange Online as the cloud app?

 

I'm assuming yes, but I'm not sure exactly how Exchange Online and Azure AD are talking back and forth about this stuff.  I assume the response/token that AAD gives the user when sending them back to Exchange Online (after authenticating through Azure AD) must contain info that tells EXO what grant controls were required?  Or does Exchange Online do some kind of recurring analysis of AAD Conditional Access policies?

 

Thanks in advance.

 

Microsoft

@Jeremy Bradshaw no, EXO does not have to be specified as a cloud app in CA. Effectively, what's happening is that EXO is making a graph API call. The API returns that there are CA policies in play (e.g., a broad policy that ensures MFA is required), which triggers EXO to not apply the device access rules.  The change rolling out in August ensures that we evaluate a particular claim (enfpolids) returned by the graph API and only skips device access rules if that claim is non-empty.

Contributor

@Ross Smith IV Thanks for the explanation.  Neato.

Occasional Contributor

@Ross Smith IV 

I got a few more questions regarding this Windows 10 Mail app:

 

"The Windows 10 Mail/Calendar apps do use the same sync technology that Outlook mobile leverages."

So it is not ActiveSync I assume.

(relevant for https://docs.microsoft.com/en-us/microsoft-365/enterprise/secure-email-recommended-policies?view=o36...

 

And is this Windows 10 Mail app using modern authentication or not?

It is not listed here: https://docs.microsoft.com/en-us/Office365/Enterprise/office-365-client-support-modern-authenticatio...

(relevant for https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authenticati...

(please forgive my confusion)

"The Require device to be marked as compliant can be used, though"

Compliant with a fully-blown Windows 10 compliance policy from Intune, yes?

Or do you mean this compliance?

"You can manage Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 10 devices will be required to enroll in Mobile Device Management for Microsoft 365 Business Standard the first time they use the built-in email app to access their Microsoft 365 email (requires Azure AD premium subscription)."

https://support.microsoft.com/en-us/office/capabilities-of-built-in-mobile-device-management-for-mic...

+

https://support.microsoft.com/en-us/help/3144451/a-windows-10-device-is-enrolled-as-mobile-when-you-...

Microsoft

No, Windows 10 Mail does not use ActiveSync (for EXO mailboxes). It uses the Microsoft sync technology.

Yes, the Windows 10 Mail app supports modern authentication. It's considered one of the "Windows 10 Modern Apps" in https://docs.microsoft.com/en-us/Office365/Enterprise/office-365-client-support-modern-authenticatio....

Yes, the "require device to be marked as compliant" grant access control can be used to ensure Windows devices are enrolled. This section - https://docs.microsoft.com/en-us/microsoft-365/enterprise/identity-access-policies?view=o365-worldwi...

Occasional Contributor

@Ross Smith IV

Hmm, but Microsoft Corp. knows better :p

WindowsMail is listed in https://outlook.office365.com/ecp/ in Exchange ActiveSync Device Access rules.

"Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WindowsMail refers to the Mail app included in Windows 10)"

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...

It looks like the Mail app is "forgotten" in all Microsoft documentation, but from an admin's point of view it is "better" than other email clients: it auto-updates in the background without admin rights.

The Mail app definitely needs some love from you guys.

Frequent Visitor

Hi, does the change rolling out Aug 2020 impact the native iOS Mail app configured with Exchange ActiveSync, or just Outlook for iOS and Android devices?

Thanks,

Pablo

Microsoft

@PCH1-IT This change only affects Outlook for iOS and Android.

Occasional Visitor

@Ross Smith IV is this change only applicable for tenants with Azure AD conditional access policies in place? If there is no CA policy in place, will there be no impact?

Microsoft

@lwood50 - yes, this is only applicable if CA is in use. Note that Azure AD security defaults (https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-default...) such as MFA use conditional access behind the scenes.

Microsoft

@The_Exchange_Team @Ross Smith IV
Earlier, Send to OneNote was not working on devices when a Conditional Access policy was in place. Will this address that issue too?

Similar to Insert Meeting Details, the Send to OneNote add-in in Outlook is implemented using the Office dialog API. Was it not supported with Intune policies on Android or iOS devices?

Microsoft

@Gaurav0327 Random question on a random blog article, eh? :) Not sure what issue you are referring to, but it has nothing to do with this change. If the question is how a user authenticated in Outlook mobile can use the Send to OneNote feature, then the answer is that Send to OneNote in Outlook mobile does not allow users to sign into the add-in. They must sign in to the OneNote add-in using Outlook desktop, Outlook for Mac, or Outlook web app from a PC/Mac. This is a design choice to ensure that work or school account data cannot be exfiltrated to a personal OneNote account via the add-in. Add-ins in Outlook mobile are not protected by the Intune App Protection Policy - they are considered unmanaged.

Occasional Contributor

Hi,

How is this case handled:

AAD Conditional Access: a rule that grants "Approved Client Apps", with Condition -> Client Apps -> Browser (only) (the user can only access with Edge or the Intune browser). No rule for apps.

Does this AAD CA rule bypass the Exchange CA with the new behaviour?

Best regards

@Ross Smith IV and @The_Exchange_Team I'm looking into our CA policies to check which would start processing the device access rules and pose an issue (we have the org setting on quarantine). Initially you mention that the CA policy does not even have to be targeted to mobile devices.

Is it then correct that from August onward:

If your user is targeted by any CA policy which does not have grant access controls selected, the device access rules will be processed?

Device access rules are also applied if one of the CA policies is set to Block or uses session controls?

Is web-based access to Exchange Online also blocked if a device is quarantined, or only the Outlook app on iOS and Android?

Occasional Visitor

Hello, very nice article.

I do have a question. I have a CA that has Grant Access if the device is Compliant for a smaller subset of users. Does this satisfy the requirement as stated above for all of our users (the statement above: "The good news is that if you are utilizing one (or more of) these grant access controls, your Outlook for iOS and Android users will not be affected.")?

Or does that only satisfy the CA requirements for the users within that particular group?

Microsoft

@RayTheil2112 - only those users who have that CA policy will now have Exchange device access rules excluded for Outlook mobile.

Occasional Visitor

Any idea when this will go into effect for all users?

Microsoft

@Gudhery - hard to say, as we're going to roll this out slowly and ensure there are no issues and/or increase in support tickets before deploying broadly.

Occasional Visitor

I'm currently chasing the ghost of Get-MobileDevice and Get-MobileDeviceStatistics / Get-EXOMobileDeviceStatistics for the exact same device (usually Outlook for iOS) showing different access states after manually approving said device out of quarantine. The former shows allowed while the latter two show quarantined. We're only leveraging Exchange Online device access (with our default ActiveSync organization settings set to quarantine).

Perhaps this change might help prevent this situation.
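One way to make the discrepancy described in the post above visible across a mailbox's devices, as an added example that is not code from the thread or from Microsoft: join the output of Get-MobileDevice and Get-MobileDeviceStatistics on the device GUID and flag every device whose DeviceAccessState differs between the two. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline); the mailbox address and the function name are placeholders.

```powershell
# Added example (not from the thread): compare the DeviceAccessState reported by
# Get-MobileDevice with the one reported by Get-MobileDeviceStatistics for a
# single mailbox, and flag devices where the two cmdlets disagree.
# Assumes Connect-ExchangeOnline has already been run in this session.
function Compare-MobileDeviceAccessState {
    param(
        [Parameter(Mandatory)]
        [string] $Mailbox   # placeholder, e.g. 'user@contoso.example'
    )

    # View 1: the device objects themselves (carries DeviceAccessStateReason)
    $devices = Get-MobileDevice -Mailbox $Mailbox

    # View 2: the statistics cmdlet, which the post says can still show Quarantined
    $stats = Get-MobileDeviceStatistics -Mailbox $Mailbox

    # Index the statistics by device GUID so both views can be joined reliably
    $statsByGuid = @{}
    foreach ($s in $stats) { $statsByGuid[[string]$s.Guid] = $s }

    foreach ($d in $devices) {
        $s = $statsByGuid[[string]$d.Guid]
        $statsState = if ($s) { $s.DeviceAccessState } else { 'NoStatistics' }
        $lastSync   = if ($s) { $s.LastSuccessSync } else { $null }
        # True only when statistics exist and report a different state
        $mismatch   = [bool]($s -and ($s.DeviceAccessState -ne $d.DeviceAccessState))

        [pscustomobject]@{
            Mailbox           = $Mailbox
            DeviceType        = $d.DeviceType
            DeviceId          = $d.DeviceId
            DeviceAccessState = $d.DeviceAccessState    # from Get-MobileDevice
            StatsAccessState  = $statsState             # from Get-MobileDeviceStatistics
            AccessStateReason = $d.DeviceAccessStateReason
            LastSuccessSync   = $lastSync
            Mismatch          = $mismatch
        }
    }
}

# Usage with a placeholder mailbox: show only the devices where the two views disagree
Compare-MobileDeviceAccessState -Mailbox 'user@contoso.example' |
    Where-Object Mismatch |
    Format-Table DeviceType, DeviceId, DeviceAccessState, StatsAccessState, AccessStateReason -AutoSize
```

Drop the Where-Object filter to see every device side by side, including those with no statistics record at all.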

@Ross Smith IV @The_Exchange_Team

If I have a CA policy assigned to the user with Session control or Block, will the Exchange device access rules still be processed?

It seems the skipping is only done for specific Grant access controls.

Occasional Visitor

August has gone and I still don't see the change in behavior.