Restrict third-party mail app access in iOS to Exchange Online

Hello all,

I am trialling Intune, with a view to it being used at the company I work for. One of the features we are particularly keen on is conditional access - we want the ability to limit Office 365 email access only to devices that we have enrolled in Intune.

I've set up the conditional access as per the attached images and we are still having an issue. While access from the native mail app and from the browser are both blocked (from a test iPhone), one third-party app in particular, Edison Mail, can still be set up with our dummy 365 account.

Testing with the below mail apps on iOS, they all were unable to use the dummy 365 account, but I notice that they all directed you during the account setup to the login webpage that you are also presented with when you set up email on the native iOS mail app. Edison Mail simply asks for your O365 email address and password from within the UI of the app itself, not a Microsoft 'in browser' login page.

  • Astro
  • Spark
  • MyMail

My understanding is that in selecting the "Require approved client app", this would limit access only to the apps listed here.

Can you offer any guidance on why this one particular app is not getting rejected access to Exchange Online, like the other apps?

Many thanks in advance!

Adam

Adam,

Edison does not use Modern Authentication, I verified this by downloading it and attempting to sign in with my MFA-enabled account. It told me I had to sign in with my MFA "App Password."

This confirms that Edison is using what is known as "Legacy Authentication."

Based on what I saw you configure in your Conditional Access Rules, you are missing a block rule to specifically block legacy authentication for Exchange Online. This should then block the Edison app.

Give it a try, isolate it to a single test account, and let us know how it works.

Hope this helps.

Joe

Hello Joe,

Thanks for your assistance, I believe with your help I've resolved the issue.

I created a new conditional access policy, with a condition to apply the policy to "Exchange ActiveSync Clients" or "Other clients" - this one is set to block access, rather than grant. From your findings with Edison that it doesn't MFA, I assume that it therefore falls under the "Other clients".

What I still don't understand is why a device we tested with that wasn't enrolled in Intune was still able to use Edison. I assumed that the first policy I created to grant access, with the requirement that a device was compliant in Intune, would mean that other devices that tried to connect which weren't compliant would get blocked.

Anyway - we are glad that it is set up now with the desired behaviour! Many thanks again!

Adam
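The legacy-authentication block policy that Joe recommends and Adam describes creating in the portal, expressed as an added example in Microsoft Graph PowerShell (this is not code from either poster). It assumes the Microsoft.Graph module is installed, that the account running it has the Conditional Access administrator role, and that the test user's object ID is substituted for the placeholder; the policy is created in report-only mode so the sign-in logs can be checked before it is switched to enforced.

```powershell
# Added example: block legacy-authentication clients ("Exchange ActiveSync clients"
# and "Other clients") for Exchange Online, scoped to one test account first.
# Requires: Microsoft.Graph PowerShell module; Conditional Access admin rights.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$policy = @{
    displayName = "Block legacy authentication - Exchange Online (pilot)"   # assumed name
    # Report-only first: sign-ins are evaluated and logged, but not blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Isolate to a single test account, as suggested in the reply.
            includeUsers = @("<TEST-USER-OBJECT-ID-PLACEHOLDER>")
        }
        applications = @{
            # Well-known app ID of the first-party "Office 365 Exchange Online" service.
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        # Legacy (basic-auth) protocols surface as these two client app types;
        # apps that use modern auth show up as "browser" / "mobileAppsAndDesktopClients".
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Verification: list recent sign-ins from the test account that came through
# legacy protocols. Once the policy is enforced these should be failures.
$testUpn = "<TEST-USER-UPN-PLACEHOLDER>"
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUpn' and (clientAppUsed eq 'Other clients' or clientAppUsed eq 'Exchange ActiveSync')" -Top 20 |
    Select-Object CreatedDateTime, AppDisplayName, ClientAppUsed,
                  @{ n = "Result"; e = { $_.Status.ErrorCode } }
```

After the report-only results look right, change `state` to `enabled` (or update the policy with `Update-MgIdentityConditionalAccessPolicy`) and widen `includeUsers` from the test account to the intended scope.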