Today I'm writing a post about how to force your users to use the Outlook app on iOS and Android devices to access their Exchange Online mailbox, even when they use a personal, non-managed device. One reason for this requirement is multi-factor authentication (MFA) on your users' mailboxes. Some third-party mail applications still connect to the mailbox using legacy protocols with basic authentication, and those connections bypass MFA. Another reason is the use of an App Protection Policy (APP) to protect company data received via email: APP settings are only applied to applications that integrate with the Intune SDK.
To set this up, we will use an Azure Conditional Access policy that allows access to Exchange Online from iOS or Android only through an approved app (Microsoft Outlook). That way we can be sure MFA is enforced, and the App Protection Policy as well.
Set up the Azure Conditional Access policy
- Open the Device Management portal and click Conditional Access
- On the Policies tab click New policy
- Give the new CA policy a name
- Under Assignments click the tab Users and groups
- Select the group of users to which the policy applies (start with a pilot group)
- Click Done
- Click Cloud apps – Select apps and search for Exchange Online (take note of the message which is shown!)
- Click Done
- Select Conditions – Device platforms
- Click Yes
- Select Android and iOS
- Click Done
- Click Client apps (still under Conditions)
- Click Yes
- Select Browser, Mobile apps and desktop clients, Exchange ActiveSync clients and Other clients
- Click Done
Take note of the message which is shown about selecting Exchange ActiveSync (EAS). When EAS is selected, not all other conditions and grant controls are supported in the same CA policy, for example requiring MFA. If you want to use one of those, uncheck EAS in this policy and set up a second CA policy for it.
If you want to exclude devices that Intune has marked as compliant from this policy, you can do so on the Device state tab by selecting Device marked as compliant as an exclusion.
- Click Grant (under Access controls)
- Select Grant access
- Select Require approved client app
- Click Select
- Click On under Enable policy
- Click Create
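The same policy can be created from a script, which is handy when you have to repeat it across tenants or want it in source control. The block below is an added example and is not code from the original post; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgGroup, New-MgIdentityConditionalAccessPolicy) and assumes the Microsoft.Graph module is installed, that your account can consent to Policy.ReadWrite.ConditionalAccess, and that a pilot group named "CA-Pilot-Outlook" exists (the group name and the policy display name are placeholders; change them to your own). The "Device marked as compliant" exclusion from the portal is expressed here with a device filter, and the policy is created in report-only mode so you can check the sign-in logs before enforcing it.

```powershell
# Added example, not part of the original post: create the Conditional Access policy
# "require approved client app for Exchange Online on iOS/Android" via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; the signed-in admin can consent to the
# scopes below; a pilot group "CA-Pilot-Outlook" exists (placeholder name).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the pilot group to its object id (the policy references groups by id, not name).
$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Outlook'"
if (-not $pilotGroup) {
    throw "Pilot group 'CA-Pilot-Outlook' not found; create it first or change the name."
}

# Well-known appId of the Office 365 Exchange Online service principal.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "CA - Require approved app for Exchange Online on iOS and Android"
    # Report-only first; change to "enabled" once the sign-in logs show the expected hits.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroup.Id) }
        applications = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms    = @{ includePlatforms = @("android", "iOS") }
        # Browser, Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients.
        # If you need a control the portal warns is unsupported together with EAS,
        # drop "exchangeActiveSync" here and put it in a second policy.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
        # Optional: exclude devices that Intune has marked as compliant.
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After the pilot group has been running in report-only mode for a few days, review the sign-in logs for the "Report-only" result on this policy, then update the policy state to "enabled" with Update-MgIdentityConditionalAccessPolicy (or in the portal) and widen the assignment from the pilot group to all users.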
What we have achieved by setting up this Conditional Access policy can be summarised as follows. User Jane is targeted by the CA policy and uses her iOS device. When she uses Outlook (which is an approved client app) to access her Exchange Online mailbox, access is allowed. When she uses another app to access her mailbox, access is blocked.
End-user experience
When a user who is targeted by the CA policy sets up, for example, the Gmail app to access the mailbox, the user receives a message like the one below:
You can't get there from here
When the Outlook app is downloaded and the user signs in to Outlook, the user is presented with another message: a broker app is needed to continue. On Android the Company Portal app is used as the broker app and on iOS the Microsoft Authenticator app is used. When the user clicks Get the app, the user is redirected to the app store to download the broker app.
When the broker app is downloaded, click Open or just switch back to Outlook. After providing the sign-in credentials again, the device needs to be registered.
When registration of the device is finished, the Inbox opens!
The next step in securing access to company data in the user's mailbox is setting up an App Protection Policy, which I will show in the next blog post.
32 Comments
Hey Peter,
We recently made the switch company wide to force all employees to use the Outlook app for iOS. We used the Microsoft authenticator app. It was a very seamless transition with no negative effects. Everything very simple, no downtime, no errors, nobody even needed IT’s help. I’ll continue to provide updates here regarding any issues or feedback. By the way, did you wind up writing the post on App protection policy? I didn’t see it on the site.
Thanks
Hi Tyler,
I wrote this article on App protection policy/ Outlook mobile https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/
I linked it in the article now.
Great article. I’m trying to stop users enrolling their BYOD devices but force them to use the Outlook app. I have blocked personal devices in the Enrollment Restrictions but now they cannot enrol/use Outlook for new users?
When you block Personally owned devices in the Enrollment restrictions, you need to register your corporate owned devices. You can find this under Devices, Enroll Devices, Corporate device identifiers.
Or you could use Apple Business Manager (previously DEP) for iOS and Samsung Knox Mobile Enrollment for Samsung devices.
One query about this: when blocking personally owned devices from enrolling in Android (so they can only use app protection), if you company-enrol Android devices the fully managed way where the user scans the QR code, does this class it as corporate without having to add it via Samsung Knox? Just we have devices that can't be added to Knox as we already have them.
That's a good one, not tried that yet.
Great article. I got this working on everything except on the Samsung native email app; have you encountered this issue?
What are you trying to accomplish? Is the Samsung email native app not blocked?
Hi,
How do I force Outlook for all our managed iOS devices?
As
Hi Ase,
Have a look at this article https://inthecloud247.com/azure-ad-conditional-access-explained-android-and-ios
You should set in the CA policy at Access control that an approved app is required to access Exchange Online. That would block the native iOS mail app to access Exchange Online.
Regards,
Peter
“the user receives a message like below You can't get there from here”
Where do i configure that template you have shown here?
Hi Peter,
What will happen to current native mail client?
As
The You can't get there from here screen is from an Android device, which differs from iOS. There is no template used or anything to configure for that.
The native mail client will be blocked from accessing corporate mail if everything is configured to only allow approved apps.
Great article.
With a BYOD Intune enrolled Android device, is there a way to block a user from accessing corp email in personal Outlook (personal profile) but still able to access corp email in Outlook from work profile? Thanks.
When you enroll the device with Android Work Profile this can be done with a Conditional Access policy. Require a compliant device will make sure the user cannot access the mail in the personal part of the device, but only in the Work profile.
When the user tries to access mail with Outlook in the personal part of the device, a message is shown to enroll/ register the device, which fails.
Have a look at this article for some information related to Android and CA policies https://inthecloud247.com/azure-ad-conditional-access-explained-android-and-ios
Thanks for the reply.
When the user tries to create Work account in Personal Outlook, he is asked to enroll the device and then the whole process is back to square 1 (remove badge, enroll device, install Outlook in Work profile, then user wonders why Personal Outlook is still not done). Even the log doesn’t show what the user was trying to do to have a clearer picture on what happened to the user and what guideline and troubleshooting steps need to be performed from Admin’s perspective. Is this also your experience?
When the user tries to access mail with Outlook in the personal part of the device, a message is shown to enroll/register the device. The user is asked to install the Company Portal app, which is already installed, so it only needs to be activated. When opening the CP app, the user sees a message that he's half-way and needs to open the CP app with the work badge icon.
In my experience it seems to be working. I tried:
1. User tries to log in using Outlook App in Personal part.
2. Outlook says that user has to install Intune App from Google Play
3. User installs Intune App
4. User runs Outlook again in the personal part, provides a password, then Outlook asks to register the device
5. User clicks “register” and the device tries to register but without success; it asks to install Microsoft Intune Portal. This point repeats over and over again.
I have CA configured for this user with:
Require device to be marked as compliant
Require approved client app
Require app protection policy
Require all the selected controls
Ridiculous that Microsoft makes it possible to force end users to only use their clients. You can bet that in a while those MS apps will only run on their own OS.
Abuse of market power. I am amazed that no-one is surprised this is even allowed by anti-trust organizations
Absolutely agree. I hate using outlook app on my iPhone. It works so bad and doesn’t separate thread properly as ios mail.
I have an android device enrolled with a work profile. I currently have outlook installed in both the personal profile and also in the work profile downloaded from the company store as an approved app. Is there a way to only restrict access to email via the outlook in the work profile? I need to block users setting up a company email profile from the personal profile.
This should be accomplished by using a Conditional Access policy where the requirement is that only a Compliant Device is allowed to access corp data.
Have a look at this post https://inthecloud247.com/azure-ad-conditional-access-explained-android-and-ios/
Doing this basically limits the capabilities your phone and watch (if you have one). Not being able to use third party apps for calendaring etc is beyond stupid. Why not just set up the two factor authentication when adding the account in iOS or Android settings?
Thank you very much for the article. It's really helpful. Some users are receiving an email after the policy is applied. Some users are not. Under what condition(s) do users receive the notification email? Is there a configuration for that? The title of the email is “access your organization's email with outlook email” btw
This seems to work except that it is requiring a certificate on the BYOD device, which I don’t want to require. Is there a way around this?
It needs a broker app to assign the policies/ restrictions, no way around this.
Thanks for the article. I wanted clarity on one point. What's the advantage of EXCLUDING a compliant device vs GRANTING compliant device as one of the policies?
At face value it feels like the effect is the same.
That depends on the use case.
You might for example require MFA for an application and every device, except on compliant devices.
Thanks for the article. Policy worked perfectly for new logins.
But for the users who were already using the native app before policy deployment, they are still able to access mail. How can we block existing native app users?
Existing users would most likely get blocked when the access token lifetime has expired.
If users were already enrolled before pushing out this policy it is my understanding that new Work eMails will not load in the native mail app, but old eMails will still be available. Is there any option from Intune to remove the account and old eMails from enrolled devices to force a cleanup?
Thank you very much for making this tutorial! When I was unable to connect to Exchange with my Android I thought I'd broken something and was paranoid. I figured it must be some permission so I searched and came across your tutorial and it worked flawlessly. I am moving tomorrow and don't need a huge burden of trying to figure out the beast of Microsoft 365 and all their policies right now. Lol