Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile

Published Jun 19 2020 09:00 AM

Update: the change mentioned in this article has been rolled out to all commercial tenants.

Many of you may rely on Exchange Online mobile device access rules to ensure that only approved devices (or apps) access your messaging data. By default, an Exchange Online tenant allows access for all mobile devices. Admins can change this behavior to either block or quarantine devices with the following cmdlet:


Set-ActiveSyncOrganizationSettings -DefaultAccessLevel <Allow,Quarantine,Block>


Exchange mobile device access rules can even be used to manage Outlook for iOS and Android; see Block all email apps except Outlook for iOS and Android for examples.

Likewise, many of you have moved away from leveraging Exchange mobile device access rules and moved to a more comprehensive solution – Azure AD Conditional Access policies.

What you may not know is the interaction between Exchange’s mobile device access rules and Azure Active Directory Conditional Access policies when using Outlook for iOS and Android. This article describes how these policies work today and what is changing in August 2020.

Current behavior

Today, if you configure any conditional access policy (regardless of its applicability to mobile devices), Exchange Online will skip mobile device access rules’ processing for Outlook for iOS and Android devices.

For example, let’s say in your tenant you have no conditional access policies targeting iOS or Android devices, but you have a policy that ensures Windows devices are managed. This conditional access policy targets the Windows platform and leverages the following grant access controls:

[Image CAChanges01.jpg: grant access controls of the Windows-only Conditional Access policy]

With this configuration, you may expect that Outlook for iOS and Android would be subject to Exchange’s mobile device access policies because there are no conditional access policies in play for iOS and Android devices. However, that’s not the case. When Outlook for iOS and Android connects to Exchange Online, Exchange Online executes a Graph API call to Azure AD, determines that there are conditional access policies associated with the user, and skips the processing of the Exchange device access policies. You can see this by querying the device with Get-MobileDeviceStatistics: the DeviceAccessStateReason is set to ExternallyManaged:


Get-MobileDeviceStatistics -mailbox Natasha | where {$_.DeviceModel -eq "Outlook for iOS and Android"} | fl LastSuc*,DeviceAccess*
LastSuccessSync         : 6/9/2020 10:35:13 PM
DeviceAccessState       : Allowed
DeviceAccessStateReason : ExternallyManaged
DeviceAccessControlRule :
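Before the change lands, the practical question is which Outlook partnerships are allowed only because of this bypass. The following script is an added example, not part of the original article; it assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline with the EXO V2 module) and writes a constructed file name of its own choosing. It reports every Outlook for iOS and Android device whose DeviceAccessStateReason is ExternallyManaged next to the tenant’s DefaultAccessLevel, which together tell you whether users would be blocked or quarantined once the bypass is narrowed.

```powershell
# Added example (not from the article): audit Outlook for iOS and Android partnerships
# that are allowed only because Exchange skipped its device access rules.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
$orgSettings = Get-ActiveSyncOrganizationSettings
Write-Host "Tenant DefaultAccessLevel: $($orgSettings.DefaultAccessLevel)"

$report = foreach ($mbx in Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize Unlimited) {
    Get-EXOMobileDeviceStatistics -Mailbox $mbx.Identity |
        Where-Object { $_.DeviceModel -eq "Outlook for iOS and Android" } |
        ForEach-Object {
            [PSCustomObject]@{
                Mailbox                 = $mbx.PrimarySmtpAddress
                DeviceId                = $_.DeviceID
                DeviceAccessState       = $_.DeviceAccessState
                DeviceAccessStateReason = $_.DeviceAccessStateReason   # ExternallyManaged = bypass in effect
                LastSuccessSync         = $_.LastSuccessSync
            }
        }
}

# Devices relying on the bypass are only a problem when the tenant default is not Allow
$atRisk = @($report | Where-Object { $_.DeviceAccessStateReason -eq "ExternallyManaged" })
if ($orgSettings.DefaultAccessLevel -ne "Allow" -and $atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) Outlook device(s) would fall under the '$($orgSettings.DefaultAccessLevel)' default once the bypass is narrowed."
}

$report | Sort-Object Mailbox | Format-Table -AutoSize
# Constructed output path; keep the CSV as a baseline to compare against after August 2020
$report | Export-Csv -Path .\OutlookMobileDeviceAccess.csv -NoTypeInformation
```

Run it once before the change and once after; any device whose DeviceAccessState moves from Allowed to Quarantined or Blocked between the two CSVs is a user who was depending on a Conditional Access policy that does not meet the new criteria.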


Future behavior

Obviously, that is not the desired behavior. Beginning in August 2020, we are rolling out changes in Exchange Online to ensure that only certain Conditional Access policies bypass Exchange’s mobile device access rules for Outlook for iOS and Android devices. Specifically, only Conditional Access policies configured with the following conditions and grant access controls will prevent Exchange mobile device access rules being applied to Outlook for iOS and Android:

  • Cloud app condition: Exchange Online or Office 365
  • Device platform condition: iOS and/or Android
  • Client apps condition: Mobile apps and desktop clients
  • One of the following Grant access controls: Require device to be marked as compliant, Require approved client app, Require app protection policy

For more information on these grant access controls, see Conditional Access: Grant.
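A policy that satisfies all four criteria above can be created with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the article or from Microsoft’s documentation; it assumes the Microsoft.Graph module is installed, that the signed-in account may manage Conditional Access, and uses a placeholder pilot group ID and a display name chosen here. It creates the policy in report-only mode so the sign-in logs show who it would affect before anyone is enforced.

```powershell
# Added example (not from the article): a Conditional Access policy meeting the
# cloud app, device platform, client app and grant control criteria listed above.
# Assumes the Microsoft.Graph PowerShell SDK; the group ID and name are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online

$policy = @{
    displayName = "Outlook mobile: require managed app or compliant device (report-only)"
    state       = "enabledForReportingButNotEnforced"            # evaluate first, enforce later
    conditions  = @{
        # Cloud app condition: Exchange Online
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        # Scope to a pilot group first; replace the placeholder with a real group object ID
        users          = @{ includeGroups = @("<pilot-group-object-id>") }
        # Device platform condition: iOS and Android
        platforms      = @{ includePlatforms = @("iOS", "android") }
        # Client apps condition: Mobile apps and desktop clients
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    # Any one of the three grant controls the article lists is enough for the bypass
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "approvedApplication", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Format-List Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

In Graph terms, compliantDevice is "Require device to be marked as compliant", approvedApplication is "Require approved client app" and compliantApplication is "Require app protection policy"; a policy that targets Windows only, or that uses a different grant control such as MFA alone, will no longer stop Exchange from applying its mobile device access rules to Outlook for iOS and Android.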

The good news is that if you are utilizing one (or more) of these grant access controls with the appropriate conditions, your Outlook for iOS and Android users will not be affected.

However, if you are utilizing Conditional Access policies that do not leverage the appropriate conditions and grant access controls and have configured the mobile device access level within Exchange Online to block or quarantine devices, users using Outlook for iOS and Android will be blocked or quarantined by Exchange Online after this change is implemented. By default, the mobile device access level in Exchange Online is set to allow. You have a few different options on how you can remediate this prior to the change:

  1. Implement Microsoft Endpoint Manager and one of the above grant access controls. For more information, see Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and A....
  2. Create an Exchange Online device access rule that allows Outlook for iOS and Android. For more information, see Block all email apps except Outlook for iOS and Android.
  3. Manually add the user’s Outlook for iOS and Android Device ID to the user’s ActiveSyncAllowedDeviceIDs property. To obtain the Device ID, use Get-MobileDeviceStatistics. To add the Device ID to the user’s ActiveSyncAllowedDeviceIDs property, see Set-CASMailbox. An example script is provided that can be modified to automate this:


# Add the Device ID of every active Outlook for iOS and Android partnership to the mailbox's allow list
$mbxs = Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize 10000
foreach ($mbx in $mbxs)
{
    # Only Outlook devices that have synced successfully since 1 June 2020
    $IDList = Get-EXOMobileDeviceStatistics -Mailbox $mbx.Identity |
        Where-Object { $_.LastSuccessSync -ge "2020-06-01" -and $_.DeviceModel -eq "Outlook for iOS and Android" }
    if (!$IDList) { continue }
    $allowed = @($mbx.ActiveSyncAllowedDeviceIDs)
    foreach ($ID in $IDList) {
        # Skip IDs that are already on the allow list so repeated runs do not add duplicates
        if ($allowed -notcontains $ID.DeviceID) { $allowed += $ID.DeviceID }
    }
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs $allowed
}


  4. Change the default access level to Allow. For more information, see Set-ActiveSyncOrganizationSettings. This change allows all mobile devices, regardless of type, to connect.
  5. Alternatively, organizations can retain their default mobile device access level and wait for this change to take place and manually allow each device as they are quarantined/blocked.

Important: Because Outlook for iOS and Android’s device IDs are not governed by any physical device ID, the ID can change without notice. When this happens, it can cause unintended consequences when device IDs are used for managing user devices, as existing 'allowed' devices may be unexpectedly blocked or quarantined by Exchange. Therefore, we recommend administrators only set mobile device access policies for Outlook for iOS and Android that allow/block devices based on device type or device model.
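Because per-device allow lists are fragile for exactly the reason just described, option 2 (a device access rule keyed on the device model) is the more durable choice. The script below is an added example, not the article’s own code; it assumes a connected Exchange Online PowerShell session and a constructed admin notification address. It allows Outlook for iOS and Android by DeviceModel, quarantines everything else by default, and checks for an existing rule first so repeated runs do not attempt to create a duplicate.

```powershell
# Added example (not from the article): allow Outlook for iOS and Android by device model
# and quarantine unknown ActiveSync clients. Assumes an Exchange Online PowerShell session;
# the notification address is a constructed placeholder.
$outlookModel = "Outlook for iOS and Android"

# Look for a rule that already covers this model before creating another one
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq "DeviceModel" -and $_.QueryString -eq $outlookModel }

if (-not $existing) {
    # Model-based rules survive the Device ID changes the article warns about
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $outlookModel -AccessLevel Allow
} else {
    Write-Host "Rule already present: $($existing.Identity) (AccessLevel $($existing.AccessLevel))"
}

# Clients that match no rule are quarantined rather than silently allowed, and admins are told
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients "easadmins@contoso.example"

# Verify the effective rule set
Get-ActiveSyncDeviceAccessRule | Format-Table Identity, Characteristic, QueryString, AccessLevel -AutoSize
```

After the rule is in place, Get-MobileDeviceStatistics for a newly connected Outlook device should report DeviceAccessState Allowed with DeviceAccessControlRule set to the rule, instead of the ExternallyManaged reason shown earlier in the article.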

We believe the changes we’re implementing are the right approach for improving the overall security for Outlook for iOS and Android devices by only skipping Exchange mobile device access rules when the device is managed by Intune. If you have any questions, please let us know.

Ross Smith IV

56 Comments
Occasional Contributor

@Ross Smith IV 

One other question. Do you require Azure AD Premium for those Conditional Access Policies to be setup? 

Microsoft

@Carlos Cordeiro Yes, there are licensing requirements to utilize Conditional Access policies (P1/P2) + Intune to use those grant access controls. The best advice I can relay is to use the script to mass unlock those that were quarantined and then monitor if folks get quarantined again.

Microsoft

@Feffen - If you are licensed for Intune, you could use the "require device to be marked as compliant" grant access control with your devices enrolled in Workspace One (Airwatch). Take a look at Device compliance partners in Microsoft Intune - Azure | Microsoft Docs.

Visitor

This script actually works to add ActiveSync device IDs correctly for anyone who went with option #3 in this article and was impacted. 


"Manually add the user’s Outlook for iOS and Android Device ID to the user’s ActiveSyncAllowedDeviceIDs property. To obtain the Device ID, use Get-MobileDeviceStatistics. To add the Device ID to the user’s ActiveSyncAllowedDeviceIDs property, see Set-CASMailbox. An example script is provided that can be modified to automate this"


$mbxs = Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } -ResultSize 10000
foreach ($mbx in $mbxs)
{
    $IDList = Get-MobileDeviceStatistics -Mailbox $mbx.Identity
    if (!$IDList) { continue }
    # '<=' marks Device IDs present on the mailbox but missing from the allow list
    $allowedcomps = Compare-Object -ReferenceObject @($IDList.DeviceID) -DifferenceObject @($mbx.ActiveSyncAllowedDeviceIDs)
    $addallowedid = $allowedcomps | Where-Object { $_.SideIndicator -eq '<=' }
    # Keep explicitly blocked Device IDs out of the allow list
    $blockedids = @($mbx.ActiveSyncBlockedDeviceIDs)
    $mbxids = @($addallowedid.InputObject | Where-Object { $blockedids -notcontains $_ })
    if ($mbxids.Count -gt 0) {
        # Runs inside the loop so every mailbox is updated, not only the last one
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs @{Add = $mbxids}
    }
}

Frequent Contributor

@Ross Smith IV @The_Exchange_Team can you please help me with two questions about the "new" behavior which is now rolled out?


1.) Does the new behavior take effect for all users (connecting with Outlook mobile app) if any CA policies have the described attributes? Or is it only in effect for the users who are targeted by those CA policies?


Trying to figure out if we can simply target CA policies to some users, allowing them to use Outlook (either from a managed device or with a MAM policy applied).


2.) Is the new behavior documented somewhere on MS Docs?


Thanks in advance.

Contributor

I configured work email in the Outlook Android app (device not enrolled in Intune; it is MAM-WE) and I still encountered the prompt to activate device administrator for the Outlook device policy.


I ensured that the user is licensed for EMS E3.


CA is created and applied to the user.


Cloud app condition: Exchange Online
Device platform condition: Android
Client apps condition: Mobile apps and desktop clients
One of the following Grant access controls: Require approved client app

Last update: Feb 08 2021 01:33 PM