A strange behavior of Conditional Access for Exchange On-premises

Hi all,

I would like to confirm a behavior of Intune Conditional Access for Exchange On-premises. My company has an Exchange 2013 + Intune Connector setup, and has enabled Conditional Access for Exchange On-premises. The global setting is block access. Everything is working fine except for the following case. I am not sure whether this is a bug or by design. Please help me take a look.

Test case:

User A’s device is enrolled with Intune.

User A is using iOS's native Mail app to access his own mailbox.

Now, in the Mail app, he can add another user's account (user B) of the same company, and access the email.

As a result, he only enrolled one device with his own account (user A), but can access both user A's and user B's mailboxes on the same device.

We want to restrict this behavior. On the enrolled device, we want only the device owner to access his own mailbox, not his colleague's mailbox. Is this something doable?
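The situation described in the post (one enrolled device paired with two mailboxes) can at least be inventoried on the Exchange side. The script below is an added example and is not from the original poster or from Microsoft; it assumes it runs in the Exchange 2013 Management Shell under a role that can read mailboxes and their ActiveSync partnerships, and it uses only the `Get-Mailbox` and `Get-MobileDevice` cmdlets. It lists every mobile device partnership and flags device IDs that appear under more than one mailbox, which is what a second account added in the iOS Mail app looks like from the server.

```powershell
# Added example (not part of the original thread). Assumes the Exchange 2013
# Management Shell and a role such as Recipient Management that can read
# mobile device partnerships.

# Collect one record per (mailbox, device) pairing.
$partnerships = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-MobileDevice -Mailbox $mbx.Identity | ForEach-Object {
        [pscustomobject]@{
            Mailbox     = $mbx.PrimarySmtpAddress
            DeviceId    = $_.DeviceId
            DeviceType  = $_.DeviceType
            DeviceModel = $_.DeviceModel
            AccessState = $_.DeviceAccessState
            FirstSync   = $_.FirstSyncTime
        }
    }
}

# A device that serves several mailboxes shows up once per mailbox,
# so grouping on DeviceId surfaces the "one device, two mailboxes" case.
$shared = $partnerships |
    Group-Object DeviceId |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $shared) {
    Write-Output ("Device {0} ({1}) is paired with {2} mailboxes:" -f
        $group.Name, $group.Group[0].DeviceModel, $group.Count)
    $group.Group |
        Sort-Object FirstSync |
        Format-Table Mailbox, DeviceType, AccessState, FirstSync -AutoSize
}

# Keep the full inventory for review; path is an assumed example location.
$partnerships | Export-Csv -Path .\eas-partnerships.csv -NoTypeInformation
```

Enumerating every mailbox with `-ResultSize Unlimited` is slow in a large organization, so scope `Get-Mailbox` to an OU or a filter when testing. The output only shows which mailboxes a device is synchronizing; it does not by itself tell you which of the two accounts was used for the Intune enrollment, so compare the `Mailbox` column against the enrolled user before deciding whether a partnership is expected.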


3 Replies

I congratulate your bravery in using the On-Premise Exchange Conditional Access connector!

Try switching to the Outlook app and applying a MAM policy. That should stop users adding more than one account to the same device.

Hi Andrew,

We have tested. Even with Outlook for iOS on an Intune-enrolled device, we can still add the second email account and access the mailbox.

Is user B licensed for Microsoft Intune? If not, try to license user B and see if the behavior changes.

You may also have to license user B with Azure AD Premium P1 or greater in order for this to work, though I've never actually been able to confirm this.

Also, check that your scope includes user B.