Removing access control from Basic Mobility and Security for Microsoft 365

J.C. Hornbeck

Microsoft

Oct 30, 2018

First published on TechNet on Oct 05, 2016

Updated: 8/20/21 - Post refresh.

By Joel Stevens - Microsoft Support Escalation Engineer | Microsoft Endpoint Manager - Intune

When setting up mobile device management (MDM) for your Microsoft 365 organization, you activate Basic Mobility and Security to manage access control, and create and apply a device security policy to groups of users. When targeted users sign in to Microsoft 365 from their mobile devices, they will be prompted to enroll their devices in Basic Mobility and Security using the Intune Company Portal. Their access to email, OneDrive, and other services is restricted until they complete enrollment. An example notification is below:

You can find more information on the enrollment process for mobile device in Office 365 here

After implementing Basic Mobility and Security in your environment, you might decide to stop enforcing access control. There are different strategies to consider to minimize the impact to your end-users.

Note: It is not currently possible to “turn off” Basic Mobility and Security. If you are switching to a third-party MDM provider, then you can follow the steps in this article to remove access control and there should not be any further impact. There is no need to contact Microsoft Support unless you plan to use System Center Configuration Manager to manage your mobile devices via Microsoft Intune.

Temporarily unblock a device

If you want to temporarily unblock a noncompliant or unsupported device, you can manually override the quarantine rules.

Note: This action is only available in the Classic Exchange admin center.

Sign in to the Classic Exchange admin center at https://outlook.office365.com/ecp.
Select Mobile.
Under the heading Quarantined Devices, select the affected device and then select Allow.

Note: If Intune access control is still enforced, the device will be quarantined again in about four hours.

Stop enforcing access control for a specific group

If you want to permanently exempt some or all users from access control, remove the applicable security group(s) from your device security policy. This immediately unblocks their access restrictions.

Sign in to the Office 365 Security and Compliance Center at: https://protection.office.com/devicev2.

Office 365 Security & Compliance - Device security policies.
Select Manage organization-wide device access settings.
Under the heading "Are there any security groups you want to exclude from access control?", select the + Add button and add the desired users based on security groups.

Organization-wide device access settings.

Stop enforcing access control across your organization

If you prefer to stop Intune enrollment requests for your entire organization, then you should delete all device security policies. Alternatively, you can edit the policy’s deployment settings to remove access control for specific security groups.

Note: Due to the way devices are granted access to email and other Microsoft 365 resources, it can take up to eight hours before access is restored after deleting the security policy. See the second option above for steps to lift the quarantine sooner.

Navigate to the Office 365 Security and Compliance Center at: https://protection.office.com/devicev2.
Select the policy, and then select either Edit policy or Delete policy.

Office 365 Security and Compliance Center policy settings.
If you chose to edit the policy, select the Deployment tab and then remove any security groups that you no longer want the policy applied to.

Office 365 Security and Compliance Center - Deployment policy settings.