SOLVED

Guidance with Outlook App Configuration Policies and Conf.Keys for Android

%3CLINGO-SUB%20id%3D%22lingo-sub-1518782%22%20slang%3D%22en-US%22%3EGuidance%20with%20Outlook%20App%20Configuration%20Policies%20and%20Conf.Keys%20for%20Android%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1518782%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20off%2C%20I'm%20referring%20to%20the%20Configuration%20Key%20com.microsoft.intune.mam.AllowedAccountUPNs%2C%20documented%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Foutlook-for-ios-and-android-configuration-with-microsoft-intune%23organization-allowed-accounts-mode-settings-1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Foutlook-for-ios-and-android-configuration-with-microsoft-intune%23organization-allowed-accounts-mode-settings-1%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20Android%2C%20there%20is%20one%20Configuration%20Key%20listed%2C%20this%20one.%26nbsp%3B%20The%20page%20doesn't%20tell%20us%20the%20value%20type%2C%20though%20by%20its%20name%2C%20it%20seems%20like%20it%20should%20be%20an%20array%20of%20strings.%26nbsp%3B%20When%20it%20comes%20down%20to%20using%20it%2C%20we%20have%20to%20set%20it%20to%20String%20for%20the%20type%2C%20and%20then%20I'm%20having%20hit%20and%20miss%20results%20with%20the%20initial%20account%20setup.%26nbsp%3B%20Sometimes%2C%20it's%20letting%20me%20setup%20just%20the%20UPN%20of%20the%20current%20user%2C%20and%20then%20later%20I%20can%20add%20additional%20accounts%20that%20are%20also%20listed%20in%20the%20array.%26nbsp%3B%20This%20is%20what%20I%20would%20say%20is%20the%20good%20alternative%20to%20the%20On%2FOff%20switch%20for%20Organizational%20Accounts%20Only%20Mode.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20sometimes%2C%20new%20Outlook%20setups%20will%20show%20all%20the%20UPNs%20in%20the%20array%2C%20as%20if%20it%20is%20one%20string%2C%20which%20obviously%20doesn't%20work%20at%20all.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20hoping%20somebody%20can%20help%20me%20here%20with%20how%20this%20key%20is%20supposed%20to%20work%2C%20or%20not.%26nbsp%3B%20Anyone%20have%20much%20experience%20with%20this%20that%20can%20shed%20any%20light%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1518782%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EApp%20Configuration%20Policies%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Frequent Contributor

First off, I'm referring to the Configuration Key com.microsoft.intune.mam.AllowedAccountUPNs, documented here https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...

 

For Android, there is one Configuration Key listed, this one.  The page doesn't tell us the value type, though by its name, it seems like it should be an array of strings.  When it comes down to using it, we have to set it to String for the type, and then I'm having hit and miss results with the initial account setup.  Sometimes, it's letting me setup just the UPN of the current user, and then later I can add additional accounts that are also listed in the array.  This is what I would say is the good alternative to the On/Off switch for Organizational Accounts Only Mode.

 

However, sometimes, new Outlook setups will show all the UPNs in the array, as if it is one string, which obviously doesn't work at all.

 

I am hoping somebody can help me here with how this key is supposed to work, or not.  Anyone have much experience with this that can shed any light?

 

Thanks in advance.

1 Reply
Best Response confirmed by Jeremy Bradshaw (Frequent Contributor)
Solution

FYI in case anyone else gets in their own way like I do/did...

 

The answer is that we still use "valueString" as the type, but then we separate UPNs in our list using semicolon instead of comma.  I found this info here:

 

https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-android#allow-only-c...

 

Specifically:

Allow only configured organization accounts in multi-identity apps

As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:

Key: com.microsoft.intune.mam.AllowedAccountUPNs

Values:

  • One or more ; delimited UPNs.
  • Only account(s) allowed are the managed user account(s) defined by this key.
  • For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

"Only account(s) allowed are the managed user account(s) defined by this key." is oddly-written but oh well.