Forcing Outlook with Conditional Access

In this post I am going to show you how to create two Conditional Access policies that force your end users on iOS/Android devices to use Outlook Mobile (this applies to both managed and unmanaged devices). A common reason for doing this is that you are using App Protection Policies to protect unmanaged personal devices. App Protection relies on apps being integrated with the Intune SDK; if an app isn't, app protection won't apply to it. By leveraging Conditional Access we can ensure that users can only access their email from an approved client app (Outlook), and therefore that they will be protected by an app protection policy.

App-based Conditional Access (Require Approved Client App) requires iOS/Android devices to register in Azure AD. Android devices will be prompted to install the Company Portal app and iOS devices will be prompted to install Microsoft Authenticator. More information on app-based conditional access is available at: https://docs.microsoft.com/en-us/intune/app-based-conditional-access-intune

Creating the CA Policy for Exchange Online

The first step is to navigate to the Azure Portal and go to the conditional access blade and create a New Policy.

  • Name the Policy appropriately, e.g. EXO Outlook
  • Assign the Policy to a User Group of your choice (Start with a Pilot Group)

  • Under Cloud Apps select “Office 365 Exchange Online”

  • Select Conditions
  • Select Device Platforms
  • Configure Yes > Select iOS & Android

  • Select Conditions
  • Select Client Apps (Preview)
  • Configure Yes > leave the defaults and untick “Exchange ActiveSync” and “Other Clients”

    NOTE: We will create a separate policy for ActiveSync because other conditions are not supported when ActiveSync is selected.

  • Select Grant
  • Tick Require Approved Client App
  • Enable the Policy

To summarise, we have now created a CA policy which forces anyone connecting to Exchange Online from a browser or a modern authentication client on iOS/Android to use Outlook. The next step is to create another policy for Exchange ActiveSync.

Creating a Policy for Active Sync Clients

  • Create another Policy
  • Name the Policy appropriately, e.g. EXO ActiveSync
  • Assign the Policy to a group of your choice (Start with a Pilot Group)

  • Under Cloud Apps Select “Office 365 Exchange Online”

  • Select Conditions
  • Select Client Apps (Preview)
  • Configure Yes > select “Exchange ActiveSync” and “Other Clients”
  • You can optionally choose to “Only Apply to Supported Platforms”

  • Select Grant
  • Tick Require Approved Client App
  • Enable the Policy

To summarise, this policy forces anyone using an ActiveSync client or a basic authentication client (e.g. IMAP) to use Outlook to access email.

At this point, with two policies, we are forcing all access to Exchange Online to go via Outlook Mobile. Obviously at this stage you would also want to ensure you are deploying app protection policies to your users, with Outlook included in the policy, so you can protect and manage corporate data on both unmanaged and managed mobile devices.

Special mention to @Jankeskanke, who found a slight issue in an earlier revision of this post: “Other Clients” were still able to access email. After further troubleshooting I found that for “Other Clients” to be blocked they need to be included in a policy with no platforms configured, in this case the EAS policy, because CA is unable to determine the device platform when IMAP or other forms of basic authentication are used. The post above has been updated to reflect this.
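The same two policies expressed as code, as an added example that is not part of the original post: it builds them through Microsoft Graph PowerShell so the key detail above (no platform condition on the ActiveSync/Other Clients policy) is visible in the definitions. It assumes the Microsoft.Graph modules are installed and that a pilot group named "CA-Pilot-Users" exists (a hypothetical name).

```powershell
# Added example (not from the original post). Requires Microsoft.Graph modules;
# the pilot group name is hypothetical.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

$pilot = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Users'"
if (-not $pilot) { throw 'Pilot group CA-Pilot-Users not found' }

# Well-known app ID of "Office 365 Exchange Online" (the entry chosen under Cloud apps)
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'

# Policy 1 (EXO Outlook): browser + modern auth clients, scoped to iOS and Android,
# grant only with an approved client app (Outlook).
$exoOutlook = @{
    displayName   = 'EXO Outlook'
    state         = 'enabled'   # 'enabledForReportingButNotEnforced' = report-only for piloting
    conditions    = @{
        users          = @{ includeGroups = @($pilot.Id) }
        applications   = @{ includeApplications = @($exoAppId) }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('approvedApplication') }
}

# Policy 2 (EXO ActiveSync): ActiveSync and "Other clients" (basic auth such as IMAP).
# Deliberately NO platforms condition: CA cannot determine the platform for these
# clients, so a platform scope would let them through.
$exoEas = @{
    displayName   = 'EXO ActiveSync'
    state         = 'enabled'
    conditions    = @{
        users          = @{ includeGroups = @($pilot.Id) }
        applications   = @{ includeApplications = @($exoAppId) }
        # 'exchangeActiveSync' = all EAS clients; use 'easSupported' instead for
        # the "Only apply to supported platforms" option.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('approvedApplication') }
}

foreach ($body in @($exoOutlook, $exoEas)) {
    $p = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "Created '$($p.DisplayName)' ($($p.Id)) state=$($p.State)"
}
```

Check the result in the sign-in logs: an IMAP or ActiveSync attempt from a non-Outlook client should show the EXO ActiveSync policy as applied with the approved-app control not satisfied.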

Jake Stoker

Enterprise Mobility + Security SME