SOLVED

Block Gmail app to connect to EXO


Hi all,

 

We are implementing the Outlook app as default mail app on iOS and Android devices. So far, so good.

But when testing the CA policy with approved client apps and approved app protection policy on, we see that the Gmail app is able to connect to EXO. Gmail is not an approved app, according to Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...), but is still able to connect. I know that the Gmail app is using Modern Auth these days.

 

Any ideas how we can block the Gmail app from connecting to EXO?

7 Replies

Hi, are you following this process which is meant to do the job - Block all email apps except Outlook for iOS and Android using conditional access, is there any difference with how you have it set up currently?

I think Gmail is still using IMAP to connect to O365.

Hi @Cian Allner ,

 

I followed exactly all the 3 steps in that doc. And it is still not working.

best response confirmed by Jeroen Burgerhout (Contributor)
Solution

Okay guys.

 

Thanks for your support, but it is resolved.

Gmail is indeed using the old legacy IMAP protocol to connect to EXO.

But it took some time before the CA was working.

 

So this one is solved and closed.

@Jeroen Burgerhout Hi. How did you resolve it?

Hi @Virre ,

 

First you have to follow steps 1 and 2 from this link -> https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-cond...

 

Second, follow this doc -> https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authenticat... and then use a test user to test these CA policies.

 

But it could be that you have to wait for a couple of hours, until the policies are working. I had it in my case. Test it also on iOS and Android devices with their native mail apps and the Gmail app.

 

If you have any questions, let me know.

@Jeroen Burgerhout 

Dear all, I'm sorry to tell you this, but you are all wrong about the Gmail mobile app.

It is not using legacy; it is using the browser as authentication

kazaki82_1-1627477013362.png

and sometimes using modern authentication

kazaki82_2-1627477055421.png

So the only way is to go to enterprise applications and block it

kazaki82_3-1627477105829.png
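
An added example, not part of any post in this thread: the disagreement above (IMAP versus browser or modern authentication) can be settled from the test user's sign-in log. This sketch classifies exported sign-in records by `clientAppUsed` and lists the successful sign-ins that the two Conditional Access policies should have stopped; the sample records, the app display names and the `approved_apps` allowlist are constructed assumptions.

```python
import json

# clientAppUsed values that indicate modern authentication; every other value
# (IMAP, POP, SMTP, ActiveSync, ...) is treated as legacy here (assumption).
MODERN_CLIENTS = {"browser", "mobile apps and desktop clients"}

# Constructed sample records; field names follow the Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "test1@contoso.example", "appDisplayName": "Outlook Mobile",
  "clientAppUsed": "Mobile Apps and Desktop clients",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"userPrincipalName": "test1@contoso.example", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "IMAP4",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"userPrincipalName": "test2@contoso.example", "appDisplayName": "Gmail",
  "clientAppUsed": "Browser",
  "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
 {"userPrincipalName": "test2@contoso.example", "appDisplayName": "Gmail",
  "clientAppUsed": "Mobile Apps and Desktop clients",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
]
""")

def auth_type(record):
    """Classify one sign-in as 'modern' or 'legacy' from its client app value."""
    client = (record.get("clientAppUsed") or "").strip().lower()
    return "modern" if client in MODERN_CLIENTS else "legacy"

def review(records, approved_apps):
    """Return successful sign-ins that the policies should have blocked."""
    findings = []
    for r in records:
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # sign-in failed or was blocked, nothing got through
        kind, app = auth_type(r), r.get("appDisplayName", "")
        if kind == "legacy":
            reason = "legacy protocol succeeded"
        elif app not in approved_apps:
            reason = "unapproved app succeeded over modern auth"
        else:
            continue  # approved app over modern auth is the intended path
        findings.append({"user": r.get("userPrincipalName"), "app": app,
                         "client": r.get("clientAppUsed"), "auth": kind,
                         "ca": r.get("conditionalAccessStatus"), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_SIGNINS, approved_apps={"Outlook Mobile"}):
        print(f)
```

Because the policies can take a couple of hours to take effect, as reported above, rerun the check on fresh sign-ins after that delay before concluding that a policy is not working.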