cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Restrict email access to Exchange Online

Peter Klapwijk
MVP

‎Dec 15 2016 03:15 AM

‎Dec 15 2016 03:15 AM

Restrict email access to Exchange Online

Hi all,

 

I have a situation of a customer without an on-prem Active Directory, only using some cloud apps, like Office 365.
They want to block access to (in first place) e-mail on non managed devices. I know I can use Conditional Access policies to set this up for mobile devices (the new Intune MAM) policies, but how can I block access to Exchange Online by using Outlook on non-managed devices? I`ve been reading articles about this, but that always ends up using ADFS and that is not possible for this customer.

 

The customer is running Windows 7 and 10, but t is ok if this solution is only going to work with Win10 (Azure AD joined/ Intune enrolled), than we upgrade al devices.


Is there anybody to advice me how to set this up, or point me in the right direction?

 

Thank you!

Regards,

 

Peter

14.3K Views
0 Likes
9 Replies
Reply
9 Replies
Jasjit Chopra

‎Dec 15 2016 07:17 AM

‎Dec 15 2016 07:17 AM

Re: Restrict email access to Exchange Online

Hi Peter,

 

Have you tried this setting within Intune?

Capture.JPG

 If you do not want to cover all platforms with generic policy you can also select specific platforms like below:Capture.JPG

 You also get a way to block OWA and ActiveSyn clients:Capture.JPG

 

 

 

This will cover non-domain joined windows 7 also.

 

Let me know if this helps.

 

Regards,

Jasjit

1 Like
Reply
Peter Klapwijk

‎Dec 16 2016 01:30 AM

‎Dec 16 2016 01:30 AM

Re: Restrict email access to Exchange Online

Hi Jasjit,

 

Thanks for the reply.
Yes tried that policy before, blocks OWA access and the use of the buildin mail app on Windows 10, but it still gives me access to Exchange Online by using Outlook 2016.
Also tried Conditional Access from the new Azure portal under Aure AD (in preview), same situation; blocking OWA and the buildin app, but still allows access via Outlook.

0 Likes
Reply
Peter Klapwijk

‎Dec 16 2016 02:31 AM - edited ‎Dec 16 2016 03:01 AM

‎Dec 16 2016 02:31 AM - edited ‎Dec 16 2016 03:01 AM

Re: Restrict email access to Exchange Online

I have enabled modern authentication for Exchange Online.
It now shows me a message access is blocked when I try to connect using Outlook, but is does that on domain joined Win10 devices as well.
I`m using Conditional Access from the new Azure Portal (https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-...).

0 Likes
Reply
Jasjit Chopra

‎Dec 16 2016 04:23 AM

‎Dec 16 2016 04:23 AM

Re: Restrict email access to Exchange Online

Hi @Peter Klapwijk,

 

Let me try that in my lab setup - that kinda sounds strange and I would think MS would have thought of this scenario you are trying to achieve - which is a common ask from other customers too I presume.

 

I will get back to you and let you know.

 

Regards,

Jasjit

0 Likes
Reply
Peter Klapwijk

‎Dec 16 2016 07:03 AM

‎Dec 16 2016 07:03 AM

Re: Restrict email access to Exchange Online

Hi @Jasjit Chopra Yes it sounds very strange. Was happy Outlook was blocked at an Win10 device which is not domain joined. But than I cleared all the credentials on the domain joined machine and  setup Outlook again and it is now blocked as well.

 

Thank you for your time testing this setup!

 

regards,

 

Peter

0 Likes
Reply
Jasjit Chopra

‎Dec 16 2016 09:38 AM

‎Dec 16 2016 09:38 AM

Re: Restrict email access to Exchange Online

Ideally you should not test it on the same machine by clearing creds - but nonethelless will test and let you know.

0 Likes
Reply
Chris Eckel

‎Jan 23 2017 07:31 AM

‎Jan 23 2017 07:31 AM

Re: Restrict email access to Exchange Online

Hey Peter,

 

We are trying to accomplish the same thing but from what we found you need ADFS.  The problem with Conditional Access is it blocks clients that use Modern Auth.  If the client tries using basic auth (Outlook 2010 and older only use basic and Outlook 2013 / 2016 can use modern or basic) it will get through.  We are working on blocking basic auth w/ADFS externally to shore up this loop hole.

0 Likes
Reply
Peter Klapwijk

‎Jan 24 2017 05:19 AM

‎Jan 24 2017 05:19 AM

Re: Restrict email access to Exchange Online

Hi @Chris Eckel

 

This is an cloud only customer. So part of my solution for this was blocking basic auth for Exchange Online. In this situaton that was no problem, customer is running only Outlook 2013/ 2016. Till now it is not yet implemented to the customer his tenant, was just running this in a lab.


But in your situation, with an On-prem AD, if you don`t want to use ADFS, have a look at the New Azure Portal. Below Azure Active Directory you find Conditional Access. You can create an policy to just allow Exchange Online access to Domain Joined devices, filter it on Windows devices and you can setup another solution for your mobile devices.

 

0 Likes
Reply
Clifford Kennedy

‎Feb 03 2017 04:36 AM

‎Feb 03 2017 04:36 AM

Re: Restrict email access to Exchange Online

The CA policies get you most of the way there - but I beleive you still need to set the ADFS claims rule to block the down-level clients.  We found you still need basic to ensure mobile clients using EAS can connect and retireve content.  Of course, if you are using Outloof for iOS/Android only, which no longer relies on the EAS channel, you could implement MAM+CA in this case.

0 Likes
Reply