Jan 03 2019 07:54 AM
I have a policy set up to only allow compliant mobile devices to access Exchange Active Sync. When reviewing access logs I show Not Applied under the logs, and device info is blank for compliance. It also shows Mobile Safari for the browser info. Is the what I should expect in the logs? User is accessing mail in the default iOS mail app on the device.
My policy is set to cover all users
Cloud apps: Exchange Online
Conditions:
Access Controls:
Jan 03 2019 10:10 AM - edited Jan 04 2019 07:50 AM
Are you sure you are using modern authentication? Generally I think AS does not use modern authentication.
Jan 04 2019 07:09 AM
EAS does support modern authentication, just limited when it comes to Conditional Access. You're definitely asking the right question though. It appears as though legacy authentication could be in use, which is why the conditional access policy isn't applied. Mail for iOS 11.3.1 or later supports modern authentication, so I would suggest @Robert Woods confirm the iOS version of the device to ensure it will comply.
Jan 04 2019 07:18 AM
Jan 04 2019 07:51 AM
Jan 04 2019 08:24 AM
Perfect, thanks. So we know that modern authentication is enabled at the organization level and the user has an email client that supports it. Next, I would verify that the Exchange on-premise connector is setup and functioning as intended. One more thing to consider is that Microsoft advises to create two separate conditional access policies to protect both Modern Authentication clients and Exchange ActiveSync clients. So, this might be worth a try as well.
Jan 06 2019 06:25 PM
All of our Mailboxes are hosted in the cloud. Our on premises server is used for management purposes only. We do not use the connector. Does this matter?
Jan 07 2019 05:18 AM
No, in that case you can disregard my comment about the on-premise connector, it's not required when using Exchange Online.
Jan 07 2019 11:35 AM
I think I may have come across root cause on this. From what I am reading even after iOS default mail app was updated to work with OAuth it did not work with modern auth if the profile was pushed to the device by intune. They have supposedly corrected this issue. I do see a new checkbox in the intune device configuration that we push that enables OAuth. I will create a test policy with that checkbox enabled and apply it to our test user group to see if this resolves the issue.
Jan 07 2019 12:32 PM
Good catch! Let us know if this resolves the problem.
Jan 07 2019 12:36 PM
Just finished testing and it absolutely did. End users have to go into the passwords section on thier phones settings and re-enter the password, which then prompts them to allow iOS Accounts to access office 365 with certain permissions, and after acceptance the logging shows our policies now being applied.