Intune-Managed Devices Can Suddenly Connect to O365 Mail Outside Of Container. What Changed?

Not applicable

We're an E5/EMS org and use Intune Hybrid to manage our mobile devices.  MDM Authority is SCCM.

A long time ago we disabled ActiveSync and forced users to go with the containerized Outlook Client we pushed to them.


This AM I was notified by our Infosec dept that he was able to add his O365 company email acct to his GMail and send/receive.  I confirmed that this is true by adding my acct as a 2ndary acct to my Android phone.  


Until today this was not possible.  Has something changed?  There was a notification in my Tenant Messages that my Intune Service had been upgraded to the latest server build, but nothing in the 'what's new' sites mentioned anything about this.


If anyone can replicate or let me know what may have changed I'd appreciated.  Also contacting PSS.





1 Reply
best response confirmed by Deleted

Just to follow up, I worked with the Intune Team on this, and the answer was that we had not disabled POP3/IMAP for every mailbox, and thus anyone could use it to connect their device to their mailbox. 


This may be a huge oversight on my part, but IDK.  We long ago disabled ActiveX, but nowhere did I ever see that POP3/IMAP were also vulnerable holes.  


The product team was pretty sheepish about this huge security gap in the product, saying that it's 'umm.... not very well-documented.'  I took that to mean that it's a known weakness in the product that they don't advertise.  


Anyway, there are remediation steps for existing mailboxes via 'set-casmailbox -popenabled $false -imapenabled $false'  Easy enough to do for all of your MBX's.


For NEW users/mailboxes, you have to either do it as part of your provisioning, or modify the setting in the 'casmailboxplan'.  

I found info here: