Many organizations use Exchange Server's built-in ability to restrict device access via ActiveSync. This ability provides a baseline level of protection to ensure that only approved devices are allowed to connect to the organization while providing a way for administrators to instruct devices to require a PIN.
Unfortunately, ActiveSync's policies were defined long before iPhone, Android and modern Windows Phone devices existed. The options were aimed at Windows Mobile devices, and the small subset of policies supported across most devices is limited: it does little to protect content shared via email or to defend against techniques such as jailbreaking.
Conditional access for Exchange Online fills this feature gap by working in combination with Microsoft Intune (and soon via Office 365 Mobile Device Management). Microsoft Intune controls this feature: based on the compliance state of the device, Exchange Online either blocks or allows access. This functionality allows organizations to automate the process of validating whether a device is safe to connect to the enterprise, and therefore to control Exchange Online access. We'll go over how to enable these features and explain how they appear to end users.
Prerequisites for conditional access
Before implementing conditional access for Exchange Online, it's important to ensure that the following prerequisites are in place.
- An Office 365 tenant with Exchange Online mailboxes is configured and working.
- Microsoft Intune is configured with:
  - Relevant certificates for device management. In this example, we've added a certificate that allows iOS device management.
  - A configured Exchange Online connection, typically using the same Microsoft Intune global administrator credentials.
  - A compliance policy containing the settings you want to enforce on the mobile device.
To start, log in to your existing Microsoft Intune tenant at https://portal.manage.microsoft.com. After logging in, navigate to the Policy section and verify that a compliance policy is defined. Our example, Exchange Online access policy, requires standard settings that ActiveSync can enforce, such as a device password. The policy also requires that the device must not be jailbroken and that Intune must manage the email account (Figure 1).
The settings ActiveSync can manage will be reflected via the Exchange Online connector in the Office 365 tenant. The Mobile Device Mailbox policy will be shown in the Exchange Admin Center within the Mobile tab. The Intune-managed policy will have a unique WindowsIntune_ prefix (Figure 2).
Enable conditional access
With these prerequisites in place, we can now enable conditional access for Exchange Online ActiveSync devices.
Before enabling conditional access, use the reporting functionality to verify which end users are already out of policy or have devices that can't be verified; the latter risk temporarily losing access until their devices are remediated.
We can then enable conditional access within Intune by navigating to the Policy tab, expanding the Conditional Access section and selecting Exchange Online Policy.
First, choose Block email apps from accessing Exchange Online if the device is noncompliant, then select the Targeted Groups before selecting a group. The group will either be a synchronized group via DirSync or a cloud-only group created in Azure AD. In our example, a group called "All Users" has been selected (Figure 3). To test before deploying to a wider end user base, you could select a smaller group with pilot end users.
As an additional option to block noncompliant devices, you can block all devices that Intune doesn't support. This option is under the Unsupported Platforms heading (Figure 4).
After enabling conditional access, Intune will use the features in Exchange Online to block and quarantine devices until they're compliant. This means conditional access automates the management of the existing quarantine functionality provided with Office 365, giving you more control over Exchange Online access.
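Because conditional access drives the existing Exchange Online quarantine mechanism, the quarantine state is visible from the Exchange side as well as from Intune's reports, which is useful when checking a pilot group before widening the rollout. The following script is an added example and is not part of the original article or of Intune; it assumes the Exchange Online PowerShell module (Connect-ExchangeOnline) is installed, the signed-in account can read recipient and mobile device data, and the UPN shown is a placeholder for your own administrator account.

```powershell
# Added example (not from the original article): list the Intune-managed mobile
# device mailbox policies and the devices Exchange Online currently holds in
# quarantine, so the quarantine list can be compared with Intune's reports.
#
# Assumptions: the Exchange Online PowerShell module is installed and the account
# has at least view-only recipient rights. The UPN below is a placeholder.
# Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Mobile device mailbox policies pushed by Intune carry the WindowsIntune_ prefix.
Get-MobileDeviceMailboxPolicy |
    Where-Object { $_.Name -like 'WindowsIntune_*' } |
    Select-Object Name, PasswordEnabled, MinPasswordLength, MaxInactivityTimeLock |
    Format-Table -AutoSize

# 2. Count devices by access state. Exchange reports Allowed, Blocked,
#    Quarantined, DeviceDiscovery or Unknown in DeviceAccessState.
$devices = Get-MobileDevice -ResultSize Unlimited
$devices |
    Group-Object DeviceAccessState |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. Detail for quarantined devices: owner, platform and the reason Exchange
#    recorded for the quarantine (DeviceAccessStateReason).
$quarantined = $devices | Where-Object { $_.DeviceAccessState -eq 'Quarantined' }
$quarantined |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessStateReason, FirstSyncTime |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize

# 4. Export the quarantine list for review with the pilot group.
$quarantined |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceAccessStateReason |
    Export-Csv -Path .\QuarantinedDevices.csv -NoTypeInformation
```

Run it before enabling the Exchange Online Policy to capture a baseline, then again after the pilot group is targeted: devices that move to Quarantined should correspond to users Intune reports as noncompliant or unenrolled, and any device that stays quarantined after enrollment points at a compliance setting the device cannot meet.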
End user experience
After switching on conditional access, noncompliant devices will move into a quarantine status. The notification email sent to the device is different from a normal Exchange quarantine message. It provides information to allow end users to download the Microsoft Intune application from their device's app store, and then enroll the device. One possible message an end user receives could ask them to enroll their device (Figure 5).
When the device is in quarantine, all messages on the device are removed along with any other synchronized information such as contacts. The ActiveSync relationship between the device and Exchange Online remains intact, but the device simply can't synchronize mail or send messages.
The next step is to install the Intune application on the device. This will allow end users to log in using their Azure AD username and password (and if DirSync is used, their AD password) to enroll the device with Intune (Figure 6).
After the enrollment process is complete, and assuming the device meets the requirements defined within the compliance policy, Intune will move the device back into a state where it's allowed to synchronize with Exchange Online. If the device falls out of policy, this Exchange Online access will be revoked.
About the author:
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.