Require Outlook app to access Exchange Online on managed devices


In the past, I have been able to push out an email configuration profile and a device compliance policy (as seen below) to require a managed email account in order to enforce a managed device compliance. Along with this, we have then been able to have a conditional access policy that locks down access to Exchange Online to compliant devices - ensuring devices must be enrolled in Endpoint Manager to access company email.

[Image: iOS_compliance_policy_email.jpg]

However, in an effort to move users to the much improved Outlook app and a consistent use of modern authN, I have not been able to get the above configuration to work the way that we would expect.

What I have tried for iOS/iPadOS devices (to replace the email configuration profile using basic authN) is to create an app configuration policy for Outlook and keep my compliance policy and conditional access policy the same as before, only to hit a wall when trying to access email via Outlook after enrolling a device via the Company Portal app (see below). Essentially, the device isn't compliant because it doesn't have a managed email profile, thus CA blocks the user from accessing Outlook. But I can't have a compliant device unless I have a managed email profile on the device (chicken before the egg scenario). If I change the "Unable to set up email on the device" setting in the compliance policy to Not configured, this resolves the issue, but then we lose that compliance check.

[Image: Outlook_CA_error_edit.jpg]

From this, I am seeing that an app configuration policy is not the equivalent of an email configuration policy from a "managed email profile" perspective.

I am looking for guidance to see if the type of configuration above is possible if we start to:

  1. Make the Outlook app the primary email app for accessing company email
  2. Have a device compliance policy where we "require" a managed email profile
  3. Via Conditional access, only allow access to Exchange Online if it is from a compliant device (iOS/iPadOS/Android)

Thanks!


@Hector Perez

As the email setting is only available on iOS devices, a compliance policy cannot be used to assure a managed email profile on all device types. That being said, if you can deploy and configure, then require Outlook Mobile to access Exchange Online via a Conditional Access Policy that requires approved client apps.

Reference

Deploying Outlook for iOS and Android app configuration settings | Microsoft Docs (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune)

Securing Outlook for iOS and Android in Exchange Online | Microsoft Docs (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android)

Approved client apps with Conditional Access - Azure Active Directory | Microsoft Docs (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-conditional-access)
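The reply's suggestion written out as a Conditional Access policy created through the Microsoft Graph PowerShell SDK, as an added example that is not part of the thread or of Microsoft's documentation. It assumes the Microsoft.Graph module is installed, that the caller can consent to the listed Graph scopes, and that the break-glass group id is a placeholder you replace with your own.

```powershell
# Added example (not from the thread): a Conditional Access policy that grants
# Exchange Online access from iOS/iPadOS and Android only when the device is
# Intune-compliant AND the client is an approved app (Outlook for iOS/Android).
# Combining both controls with AND is what removes the dependency on a managed
# email profile that the question describes: enrolment is checked by the
# compliantDevice control, the client app by approvedApplication.
# Assumes the Microsoft.Graph module and rights to consent to these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$params = @{
    displayName = "EXO mobile - require compliant device and approved app"
    # Start in report-only mode so sign-in logs show the impact before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Placeholder: object id of your emergency-access (break-glass) group.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications   = @{
            # First-party application id of Office 365 Exchange Online.
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        platforms      = @{
            includePlatforms = @("iOS", "android")
        }
        # Mobile apps and desktop clients only; browser access is handled by a
        # separate policy in this example.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice", "approvedApplication")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Output "Created policy $($policy.Id) in state $($policy.State)"
```

Review the report-only results in the Entra sign-in logs before switching `state` to `enabled`, and keep the compliance policy's "Unable to set up email on the device" setting at Not configured, since the approved-app control now carries that check.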