Restrict email access to Exchange Online

MVP

Hi all,

 

I have a situation of a customer without an on-prem Active Directory, only using some cloud apps, like Office 365.
They want to block access to (in first place) e-mail on non managed devices. I know I can use Conditional Access policies to set this up for mobile devices (the new Intune MAM) policies, but how can I block access to Exchange Online by using Outlook on non-managed devices? I`ve been reading articles about this, but that always ends up using ADFS and that is not possible for this customer.

 

The customer is running Windows 7 and 10, but t is ok if this solution is only going to work with Win10 (Azure AD joined/ Intune enrolled), than we upgrade al devices.


Is there anybody to advice me how to set this up, or point me in the right direction?

 

Thank you!

Regards,

 

Peter

6 Replies

Conditional access is not only tied to devices, you can have criteria such as location (IP range). Incidentaly, they just added this blade in the new Azure portal so you can see fresh screenshots here: https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-...

Thanks @Vasil Michev Was playing with that new options yesterday. It does block OWA and the Win10 build-in mail app, but does not block Outlook. Maybe I`ve done something wrong in my setup, but I`ve not been able to block Outlook on non-managed (not domain joined) Windows devices yet.

I have enabled modern authentication for Exchange Online.
It now shows me a message access is blocked when I try to connect using Outlook, but is does that on a domain joined device as well. So I have no access to Exchange Online anymore with my test users. 

Try using an IP range, the "device is domain joined" requires device registration if I remember correctly.

Is says "This does not include Azure AD join".

When I use a trusted IP, it allows me to connect, but when using a laptop outside of the internal network it will block access and that is something we don`t want.

Oh sorry, seems I forgot the original question. So you need to use the compliant/domain joined option then. For the first, you need Intune. The later requires device registration, which in turn relies on AD FS, so I guess it's not what you're looking for.