Update 10/29/2015: There is an updated version of this article that contains the new and improved quarantine experience with conditional access for on-premises Exchange which can be found here:
Microsoft Intune allows organizations to conditionally block access to corporate resources on devices that are not protected by Intune. Intune now supports conditional access for on-premises Microsoft Exchange Server. In this blog post, we will focus on how to set up conditional access policies using Intune and walk through the end user experience once they have been blocked from email. Requirements for conditional access can be found in our TechNet documentation about enabling access to company resources.
Intune Admin Experience
Step 1: Install and set up the latest Microsoft Intune On-Premises Exchange Connector
The Exchange Connector is required to enforce conditional access to your Exchange resources. Instructions to set up the Exchange Connector can be found here.
Note: It is important that you have the latest version of the Exchange Connector installed. Download and installation instructions for the Exchange Connector can be found in the TechNet article linked to above.
Step 2: Identify users who will be impacted by conditional access policy
The next step is to identify users who will be impacted by the conditional access policy that you plan to deploy so that you can notify them in advance. Here is how you can identify such users:
Once the Exchange Connector is successfully configured, it will begin to inventory those devices which are not yet enrolled to Microsoft Intune, but are connecting to your organization’s Exchange resources using Exchange ActiveSync. To begin the mobile device inventory report, navigate to Reports -> Mobile Device Inventory Reports.
From here, you can select the device groups for which you plan to roll out the conditional access policy, as well as filter by OS status. Once you’ve decided on the criteria that meets your organization’s needs, select View Report.
Once the report is generated by Microsoft Intune, the Report Viewer will open in a new window. From here, you will need to examine the following 4 columns to determine whether or not a user will be blocked. More information about what each of these columns means is provided below:
- Management Channel
- AAD Registered
- Compliant
- Exchange ActiveSync ID
Devices that are part of a Target group (more information about Target group in step 3 below) are blocked from accessing Exchange unless the corresponding columns have the following values:
Can device access Exchange?
Exchange ActiveSync ID
Managed by Microsoft Intune and Exchange Active Sync
Has a value
Doesn’t have a value
To reiterate, once you enable conditional access, devices in a Target group for which the columns have the above values are allowed to access Exchange. All other devices in that Target group will be blocked from accessing Exchange.
You may wish to reach out to the users of those devices before enforcing conditional access. To easily retrieve each user’s email address, you can export this report to Microsoft Excel via the Export link and filter the list to only those rows with the column values as described above. You can then retrieve the email addresses from the Email Address column.
Tip: Microsoft Office has a neat feature called “Mail Merge” which lets you easily send e-mails to users by importing names, addresses, and other information directly from your Excel spreadsheet into your email message. Check out this article on how to do this.
Below is more information about what each of these 4 columns means.
Management Channel
The value in this column determines whether a device is managed by Microsoft Intune:
- Managed by Exchange ActiveSync means a device is accessing Exchange, but is not yet enrolled into Microsoft Intune
- Managed by Microsoft Intune means a device is enrolled into Microsoft Intune, but not yet accessing Exchange
- Managed by Microsoft Intune and Exchange ActiveSync means a device is both enrolled into Microsoft Intune and could potentially access Exchange if the other two criteria (AAD Registered and Compliant status) are met.
AAD Registered
Every device that is part of a Target group and needs to access Exchange through an EAS client is required to be registered with Azure Active Directory (AAD) in addition to being enrolled with Intune. This process is called “Work Place Join” and it is performed behind the scenes when the user clicks on the “Enroll” link in their quarantine email (more information about this is provided in the “End User Experience” section below).
Compliant
This column specifies whether or not the device is compliant with the policies you have set in the Intune admin console. For devices in a Target group, you can set compliance policies in the Intune admin console that require those devices to meet certain criteria before being able to access Exchange. Examples of policies are “require strong password”, “require encryption”, etc.
If a device in a Target group has the Compliant value as “No” then it is blocked from accessing Exchange through any EAS client.
Exchange ActiveSync ID
Newly added as part of the Intune service update in April 2015, an iOS/Android device that is part of a Target group and needs to access Exchange through an Exchange ActiveSync client is required to have its Exchange ActiveSync ID associated with its corresponding “Work Place Join” record in Azure Active Directory (AAD). This is performed when the user clicks on the “Activate Email” link in the quarantine email on their device.
If an iOS/Android device in a Target group does not have a value in the Exchange ActiveSync ID column, then it is blocked from accessing Exchange through any EAS client.
Note: This field can be empty only for an iOS/Android device. Windows Phone devices will always have Exchange ActiveSync IDs displayed in this column.
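To turn the four-column rule above into the notification list that Step 2 asks for, the following script is an added example (it is not part of the original post and not a Microsoft tool): it reads an exported Mobile Device Inventory report as CSV, evaluates each row against the Management Channel, AAD Registered, Compliant and Exchange ActiveSync ID criteria, and groups the devices that would be blocked by the user's Email Address so those users can be contacted before enforcement. The sample rows are constructed, and it is assumed that the export's column headers match the console column names and that the OS column carries the platform name.

```python
import csv
import io

# Constructed sample of an exported Mobile Device Inventory report (not a real export).
# Header names are assumed to match the admin console columns named in the post.
SAMPLE_EXPORT = """Device Name,OS,Email Address,Management Channel,AAD Registered,Compliant,Exchange ActiveSync ID
alice-iphone,iOS,alice@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,ABC123
bob-android,Android,bob@contoso.example,Managed by Exchange ActiveSync,No,No,DEF456
carol-iphone,iOS,carol@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,
dave-wp,Windows Phone,dave@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,No,GHI789
erin-android,Android,erin@contoso.example,Managed by Microsoft Intune,Yes,Yes,
"""

# The only Management Channel value that can pass the conditional access check.
MANAGED_BY_BOTH = "managed by microsoft intune and exchange activesync"
# Platforms for which the Exchange ActiveSync ID column may legitimately be empty
# until the user completes "Activate Email"; Windows Phone always has a value.
EAS_ID_PLATFORMS = {"ios", "android"}


def blocking_reasons(row):
    """Return the list of criteria the device fails; an empty list means Intune protected."""
    reasons = []
    if row["Management Channel"].strip().lower() != MANAGED_BY_BOTH:
        reasons.append("not managed by both Microsoft Intune and Exchange ActiveSync")
    if row["AAD Registered"].strip().lower() != "yes":
        reasons.append("not registered with Azure AD (Work Place Join not done)")
    if row["Compliant"].strip().lower() != "yes":
        reasons.append("not compliant with Intune compliance policy")
    if (row["OS"].strip().lower() in EAS_ID_PLATFORMS
            and not row["Exchange ActiveSync ID"].strip()):
        reasons.append("Exchange ActiveSync ID not associated (Activate Email not done)")
    return reasons


def is_intune_protected(row):
    """A device is Intune protected when all four column criteria are met."""
    return not blocking_reasons(row)


def users_to_notify(export_text):
    """Map each Email Address to the (device name, reasons) pairs that will be blocked."""
    reader = csv.DictReader(io.StringIO(export_text))
    notify = {}
    for row in reader:
        reasons = blocking_reasons(row)
        if reasons:
            notify.setdefault(row["Email Address"], []).append((row["Device Name"], reasons))
    return notify


if __name__ == "__main__":
    for email, devices in sorted(users_to_notify(SAMPLE_EXPORT).items()):
        for name, reasons in devices:
            print(f"{email}: {name} will be blocked because it is {'; '.join(reasons)}")
```

The script deliberately reports every failed criterion rather than stopping at the first, so the notification can tell each user which of the three quarantine-email actions (Enroll, Activate Email, Check compliance) they still need to complete. Run it against the real export by replacing SAMPLE_EXPORT with the file contents.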
Step 3: Enforce Conditional Access
Enforcement of conditional access is accomplished in five steps.
1. Define the Microsoft Intune user groups to which the conditional access policy is targeted.
These groups are called “Target groups”. Only these user groups will receive the conditional access policy and be required to enroll their devices to Microsoft Intune to gain access to Exchange.
2. Define the Microsoft Intune user groups that should be exempt from the conditional access policy.
These groups are called “Excluded groups”. These user groups will not be required to enroll their devices to Microsoft Intune to gain access to Exchange. If you want a subset of users in the target groups defined above to always be allowed access to Exchange even if they’re not managed by Intune (e.g. executive level persons in your company), you can create another user group for those users and add that group to the excluded group list.
3. [Optional] Define advanced Exchange ActiveSync settings
These settings are global Exchange settings that allow you to allow, block, or quarantine devices based on platform, as well as set a global Exchange default rule. Advanced Exchange ActiveSync settings can be used in conjunction with conditional access settings. Examples of this configuration can be found in the “Configuration Examples” section below.
4. Set the notification users receive once their device is blocked due to conditional access policy.
When a user’s device is blocked due to conditional access policy, they will need to follow a series of steps to enroll their device and unblock access to email on that device. Intune will send an email containing enrollment instructions to the user’s mailbox before the device is blocked.
This email is preconfigured in Microsoft Intune and can be altered to suit your company’s needs. The “End User Experience” section below has more information about this workflow. This email message can be configured in the User Notification section in the Intune admin console as shown below.
Note: In addition to the email sent by Intune, Exchange will also always send a notification to the user's mailbox once the device is blocked. See the “End user experience” section for the format of this email message.
Note: Because these email messages are sent to the user’s mailbox (as opposed to a specific device) they will be available on all email clients that the user has access to, for example, via the web browser or on other devices that the user owns.
5. Monitor the status of blocked devices
After conditional access policy is enforced, you can monitor the status of blocked devices using the Mobile Device Inventory report discussed in step 2, as well as the Blocked devices from Exchange tile on the Microsoft Intune dashboard.
Once these 5 steps are used in conjunction with one another, the conditional access policy is defined. This allows for different types of conditional access configurations, depending on your organization’s needs. Below are some configuration examples.
Note: In the following sections the term “Intune protected” is used. An Intune protected device is one that satisfies all of the requirements described in “Step 2 – Identify users who will be impacted by conditional access policy” section above.
1. Basic Configuration
A basic conditional access configuration simply blocks devices that are not protected by Microsoft Intune. In this configuration, no advanced Exchange ActiveSync settings are set.
2. Advanced Configuration
If your organization chooses to set up the advanced Exchange ActiveSync settings, a more complex configuration is possible. This allows flexibility for conditional access policies depending on the nature of your organization.
Some example configurations follow.
Example 1: Require enrollment to Intune, and only allow certain platforms
A strict organization may wish to only allow certain platforms, and block all others. For example, Contoso is an iOS-only organization, which wants to make sure that all iOS devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically allow iOS devices, and block all other devices by default. This means all device types besides iOS (including device types not supported for management by Microsoft Intune) will be blocked. iOS devices will still need to be protected by Microsoft Intune to gain access to Contoso’s Exchange resources.
- Only Intune protected iOS devices should have access
- Block all other devices by default
- Unsupported devices should not have access
Example 2: Require enrollment to Intune, but always block certain platforms
A more lenient organization than in example 1 may wish to only block certain platforms, and allow all others (while still ensuring they’re protected by Microsoft Intune). For example, Contoso is an organization that wants to block Android devices, and make sure that all other devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically block Android devices, and allow all other devices by default. This means all device types besides Android (including device types not supported for management by Microsoft Intune) will be allowed, once managed.
- All device types require enrollment to Microsoft Intune to have access
- Android devices should always be blocked
- Unsupported devices should have access
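The two example configurations above combine a per-platform allow/block rule and a global default rule with the conditional access check. The following function is an added example (not code from the original post or from Intune) that models how those inputs combine into an access decision, so an admin can sanity-check a planned configuration against each platform before enforcing it. The modelling assumptions are: the platform rule is evaluated first, a platform that Intune cannot manage is governed only by the Exchange ActiveSync platform/default rule (which is why unsupported devices are blocked in Example 1 and allowed in Example 2), users in an Excluded group or outside the Target groups skip the Intune protection check, and "intune_protected" is supplied by the caller (for instance from the four-column report check in Step 2); the set of Intune-supported platforms is an assumption for the example.

```python
# Platforms that Intune can manage (assumed for this example).
INTUNE_SUPPORTED = {"iOS", "Android", "Windows Phone"}


def evaluate_access(platform, intune_protected, platform_rules, default_rule,
                    in_target_group=True, in_excluded_group=False):
    """Return (decision, reason) for one device.

    platform_rules: dict mapping a platform name to "allow", "block" or "quarantine"
                    (the advanced Exchange ActiveSync per-platform settings).
    default_rule:   the global Exchange default rule for platforms with no entry.
    """
    rule = platform_rules.get(platform, default_rule)
    if rule == "block":
        return "blocked", f"{platform} is blocked by the Exchange ActiveSync platform rule"
    if rule == "quarantine":
        # Quarantined devices wait for an Exchange admin decision regardless of Intune state.
        return "quarantined", f"{platform} is quarantined by the Exchange ActiveSync platform rule"
    if platform not in INTUNE_SUPPORTED:
        # Conditional access cannot be evaluated for a platform Intune does not manage;
        # the platform/default rule alone decides (assumption stated in the lead-in).
        return "allowed", f"{platform} is allowed by the platform rule; Intune cannot manage it"
    if in_excluded_group or not in_target_group:
        return "allowed", "conditional access does not apply to this user"
    if not intune_protected:
        return "blocked", "device is not Intune protected (enroll, activate email and check compliance)"
    return "allowed", f"{platform} is allowed by the platform rule and the device is Intune protected"


# Example 1: Contoso is iOS-only; allow iOS explicitly, block everything else by default.
EXAMPLE_1 = ({"iOS": "allow"}, "block")
# Example 2: block Android explicitly, allow everything else by default (once Intune protected).
EXAMPLE_2 = ({"Android": "block"}, "allow")


def decision(platform, intune_protected, config, **user_flags):
    """Convenience wrapper returning only the decision word for a given example config."""
    rules, default = config
    return evaluate_access(platform, intune_protected, rules, default, **user_flags)[0]


if __name__ == "__main__":
    # Constructed device population used to preview both configurations.
    devices = [("iOS", True), ("iOS", False), ("Android", True),
               ("Windows Phone", True), ("BlackBerry", False)]
    for label, config in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        for platform, protected in devices:
            print(f"{label}: {platform:<14} protected={protected!s:<5} -> "
                  f"{evaluate_access(platform, protected, *config)[1]}")
```

Running it prints a decision line per platform for each configuration; the interesting rows are the unprotected iOS device (blocked under both examples until the user completes the quarantine-email steps) and the unmanageable platform (blocked under Example 1, allowed under Example 2), which match the bullet lists for the two examples.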
End User Experience
Once conditional access is enforced, devices in the target group are blocked and the EAS clients on those devices are rejected from communicating with the Exchange server to send or receive emails. Users who open EAS email clients on these devices see a “Quarantine email message” in their mailbox informing them that their device has been blocked along with instructions to unblock their device.
Below is a screenshot of the quarantine email message on an iPhone:
The quarantine email instructs the user to perform the following 3 actions:
a. Enroll into Intune
The user is required to enroll their device into Intune by clicking on the enroll link. Depending on the platform, this process will guide the user through steps to enroll their device into Intune.
b. Activate email (iOS/Android only)
If the device is an iOS/Android device, the user is required to click on the “Activate email” link which associates their Exchange ActiveSync ID to the Work Place Join record in Azure Active Directory. This step only applies to iOS/Android and is not required for Windows.
c. Check compliance
The final step is for the user to check whether their device meets the compliance criteria set in Intune. To perform this step, the user simply clicks on the “Check compliance” link in the quarantine email.
Exchange will also send a notification to the mailbox once the device is blocked. The following is an example of the experience on Android.
TechNet Documentation Update
As part of the recent update to Microsoft Intune, a series of new technical articles are now available on TechNet, including documentation on these new conditional access capabilities. Visit the What’s New section of the Documentation Library for Microsoft Intune to see all of the articles that have been recently published. You can read more about conditional access in the enable access to company resources section.
Watch Conditional Access Webinar and Demo Video
Also, make sure to register to watch our recent webinar on this topic. This 30-minute webinar provides more information on these new conditional access capabilities and includes a demo of both the end user and IT experiences. We also spent time answering some great attendee questions. Register here to view a recording of this webinar and don’t forget to check out the rest of our Enterprise Mobility Suite webinar series. Additionally, you can watch a short demo video on conditional access to email here.
I hope that you’ve found this blog post useful. Please bookmark this blog and check back often as we plan to post new content regularly! Also, if you’re not yet using Intune, sign up for a free 30-day trial today!
– Joey Glocke & Murali Hosabettu