cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Guidance with Outlook App Configuration Policies and Conf.Keys for Android

Jeremy Bradshaw
Steel Contributor

‎Jul 13 2020 07:05 AM

‎Jul 13 2020 07:05 AM

Guidance with Outlook App Configuration Policies and Conf.Keys for Android

First off, I'm referring to the Configuration Key com.microsoft.intune.mam.AllowedAccountUPNs, documented here https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...

 

For Android, there is one Configuration Key listed, this one.  The page doesn't tell us the value type, though by its name, it seems like it should be an array of strings.  When it comes down to using it, we have to set it to String for the type, and then I'm having hit and miss results with the initial account setup.  Sometimes, it's letting me setup just the UPN of the current user, and then later I can add additional accounts that are also listed in the array.  This is what I would say is the good alternative to the On/Off switch for Organizational Accounts Only Mode.

 

However, sometimes, new Outlook setups will show all the UPNs in the array, as if it is one string, which obviously doesn't work at all.

 

I am hoping somebody can help me here with how this key is supposed to work, or not.  Anyone have much experience with this that can shed any light?

 

Thanks in advance.

6,142 Views
0 Likes
8 Replies
Reply
8 Replies
best response confirmed by Jeremy Bradshaw (Steel Contributor)
Jeremy Bradshaw

‎Jul 13 2020 07:58 AM

‎Jul 13 2020 07:58 AM

Solution

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

FYI in case anyone else gets in their own way like I do/did...

 

The answer is that we still use "valueString" as the type, but then we separate UPNs in our list using semicolon instead of comma.  I found this info here:

 

https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-android#allow-only-c...

 

Specifically:

Allow only configured organization accounts in multi-identity apps

As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:

Key: com.microsoft.intune.mam.AllowedAccountUPNs

Values:

  • One or more ; delimited UPNs.
  • Only account(s) allowed are the managed user account(s) defined by this key.
  • For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

"Only account(s) allowed are the managed user account(s) defined by this key." is oddly-written but oh well.

0 Likes
Reply
JohannesW60

‎Mar 17 2021 12:50 AM

‎Mar 17 2021 12:50 AM

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

@Jeremy Bradshaw 

 

Hi Jeremy,

 

i've tried to enter the value for the key com.microsoft.intune.mam.AllowedAccountUPNs as described: {{userprincipalname}} , but i get the following error message:

key_error.JPG

 

The other keys / values:

outlook_config.JPG

 

Do you have any idea about this?

 

 

Regards,

Hannes

0 Likes
Reply
Jeremy Bradshaw

‎Mar 17 2021 06:47 AM

‎Mar 17 2021 06:47 AM

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

Based in the error, it seems like it's saying you shouldn't be using the key at all. In the Configuration Designer, do you see work accounts only mode being turned on? I haven't seen the error you shared but I'm wondering if you have to use another key to make sure he feature is in, before you can supply the allowed UPNs list

FYI, I've been relying on full access permissions and the "add shared or delegated mailboxes" feature. So I just leave the default value for that key when I turn in on work accounts only mode.
0 Likes
Reply
JohannesW60

‎Mar 18 2021 05:14 AM

‎Mar 18 2021 05:14 AM

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

@Jeremy Bradshaw 

 

In the Configuration Designer, do you see work accounts only mode being turned on?

 

Can you tell me where i can find the Configuration Designer?

Is it the "App configuration policies"?

I have only created an app protection policy and an app configuration policy for Outlook app

0 Likes
Reply
Jeremy Bradshaw

‎Mar 18 2021 09:01 AM

‎Mar 18 2021 09:01 AM

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

@JohannesW60 In the Properties on your App Configuration Policy for Outlook, that is where I meant. When you edit the Settings, you can choose to use Configuration Designer to see the more GUI-friendly options:

Screenshot 2021-03-18 125524.png

 

If you change yours to "Use Configuration Designer", do you see "Allow only work or school accounts" setting set to "Enabled"?

Note, when you use Configuration Designer and enable work accounts only mode, it then exposes the JSON key/value pair anyway for the allowed UPNs setting:

Untitled.png

So you can then just edit that one key from there, vs using the JSON editor for all settings.  You might already be doing this, I just put the screenshots to clarify what is was after.  Hopefully this does help.

0 Likes
Reply
JohannesW60

‎Mar 19 2021 12:09 AM

‎Mar 19 2021 12:09 AM

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

@Jeremy Bradshaw 

that's funny, i don't have those settings avaiable here:

outlook_config.JPG

 

Maybe i don't have enough permissions to see this options?

0 Likes
Reply
AOEH

‎Jul 19 2021 05:52 AM

‎Jul 19 2021 05:52 AM

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

@JohannesW60 

Maybe a bit late but I'm getting this error when I try to create a configuration for a "managed app" instead of "managed devices". This is required to serve our Android device administrator enrollments in China. I tried this key value pair to pre-set {{userprincipalname}} as username in the app.

0 Likes
Reply
SSK007

‎Dec 09 2021 07:27 AM

‎Dec 09 2021 07:27 AM

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

Is it possible to add multiple emails in the field for "Allowed accounts only" in Outlook app configuration. We tried all possible delimiters yet it did not work.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Jeremy Bradshaw (Steel Contributor)
Jeremy Bradshaw

‎Jul 13 2020 07:58 AM

‎Jul 13 2020 07:58 AM

Solution

Re: Guidance with Outlook App Configuration Policies and Conf.Keys for Android

FYI in case anyone else gets in their own way like I do/did...

 

The answer is that we still use "valueString" as the type, but then we separate UPNs in our list using semicolon instead of comma.  I found this info here:

 

https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-android#allow-only-c...

 

Specifically:

Allow only configured organization accounts in multi-identity apps

As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:

Key: com.microsoft.intune.mam.AllowedAccountUPNs

Values:

  • One or more ; delimited UPNs.
  • Only account(s) allowed are the managed user account(s) defined by this key.
  • For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

"Only account(s) allowed are the managed user account(s) defined by this key." is oddly-written but oh well.

View solution in original post

0 Likes
Reply