Changes to the Intune Exchange On-Premises Connector
Published Jun 10 2020 06:32 PM 20.9K Views

Today, we're posting about an upcoming change that might impact customers who use the Intune Exchange On-Premises Connector.
Intune Deprecating the Exchange On-Premises Connector
Intune is deprecating the Exchange On-Premises Connector feature from the Intune service. This does not affect existing customers with an active connector, they will be able to continue using the connector for the time being.

The only customers that will be impacted are those that do not have an existing active connector. Those customers will no longer be able to create new connectors or manage on-premises EAS devices from Intune.
How this will affect your organization
If you are not already using the Exchange On-Premises Connector, but want the functionality this service provides, you will need to use a different method to enable Conditional Access for Exchange on-premises. Microsoft recommends the use of Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook mobile for Exchange on-premises.
What you need to do to prepare
If you are an existing tenant with an active connector, you will be able to continue with the current functionality at this time. For all other customers, consider your Exchange environment requirements and review the Exchange HMA if you need protected access to Exchange on-premises.

If you have any questions on this upcoming change, just comment back or ask your question directly by tagging @intunesuppteam on Twitter!

The Exchange and Intune Teams

Senior Member

If we enable HMA how does it impact the end users using outlook2010, 2013,2016(Prerequisites says from outlook 2013 it supports) .we are using legacy protcols like imap, pop3 whether it will be impacted. 

@Kiran2150 enabling HMA doesn't disable legacy auth. It's additional.

Senior Member

So basically that means users could use native app as well as outlook mobile app, the latter having the advantage of IAP + CA over the former?

Senior Member

HMA in Outlook iOS requires data to be 'synced' to Exchange Online - any way to avoid this and ensure data is still on-prem, or do we need to use the natve mail client?

@RahulSingh, correct. Have a look at our Intune App Protection and Conditional Access with HMA doc to learn more about these features.


@apnet1205 - Outlook for iOS and Android (Outlook mobile) has always been a cloud-backed application. Processing information in our service fabric enables advanced features and capabilities, such as the categorization of email for the Focused Inbox, improved search speed, artificial intelligence scenarios, and more. It enhances Outlook’s performance and stability, relying on the Outlook service for intensive processing and minimizing the resources required from users' devices. Lastly, it allows Outlook to build features that work across all email accounts, regardless of the technological capabilities of the underlying messaging platforms (e.g. different versions of Exchange, 3rd party email systems like Yahoo! Mail and Gmail, etc.). There are no plans to provide an Outlook mobile experience that does not rely on cloud integration.

But let's break this down. What do you have today? You have a on-premises Exchange server and a mobile EAS device (and possibly laptops with Outlook cached mode). The mobile EAS device contains a portion of the user's mailbox data. This mobile EAS device (and laptop!) roams wherever the user goes - in-country, out-country, etc. All changes that the user enacts on the mobile device are synced to the on-premises Exchange server which is considered the authoritative source. 

Now let's look at the Outlook mobile architecture ( You have a mobile app, EXO, and on-premises Exchange. What is EXO in this scenario? It's nothing more than the mobile EAS device in the previous example - it syncs a portion of the mailbox data from on-premises using EAS. The authoritative source is still on-premises Exchange (e.g, message transport occurs via on-premises). Outlook+EXO = "mobile EAS device". And you get all the benefits from a security, privacy, and compliance perspective that O365 provides. Plus, you get additional capabilities like Conditional Access and Intune App Protection Policies that you may not have available with traditional EAS clients, which further protects the data on the physical device and ensures only trusted users gain access to the data.

In the event you have a legal requirement that a portion of the mailbox data cannot reside in a cloud service (but again challenge the notion if the authoritative and complete source remains on-premises and traditional EAS mobile devices are allowed out of country!), then yes, the native mail clients are your only option (remember, there are other third-party client apps out there that sync data to cloud repositories).

Frequent Contributor

This feels premature.  It should coincide directly with Exchange 2010 EOL and nothing else sooner.

Occasional Contributor

I alteady read the docs several times but to me it isn‘t still not clear if I could block native iOS and Android Clients in this scenario:

- I still have alot of onpremise Mailboxes

- HMA is enabled

- no Exchange connector


On this page I can find the information:

When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android as the only email app for end users, they can configure a conditional access policy that blocks other mobile access methods“

Ok, sounds good but when I read on a little bit further I can read

„In order to block other mobile device clients (such as the native mail client included in the mobile operating system) from connecting to your on-premises environment (which authenticate via basic authentication against on-premises Active Directory), you have two options: 1. Exchange mobile device access rules or 2. Install the Exchange Connector.


So can I block native mail apps only with HMA including the correct access policies (but without the Ex Connector)?

Thank you in advance,

best regards!


@Axel7 - yes, you can block native EAS apps using conditional access. Create the policies outlined in

Occasional Visitor

What is the fastest way to setup onprem mailboxes to sync via the outlook for ios app?

WE have a fully functional conditional access policy for mandatory compliance + usage of outlook of ios app to sync mails for the 0365 residing mailboxes.


We are not keen on using the native email client, as it uses only a basic auth.

Version history
Last update:
‎Jun 10 2020 06:32 PM
Updated by: