Force Outlook for Mobile via Conditional Access

What license do you need?
Enterprise Mobility + Security (EMS) or an Azure Active Directory (AD) Premium subscription

Will it work for unmanaged devices?
Yes, it will work for managed and unmanaged devices.

Why Outlook?
With Office 365, you can use App Protection Policies, which apply to the Office applications. An app protection policy can be a rule that's enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. It can also block the built-in mail apps on iOS/iPadOS and Android when you allow only the Microsoft Outlook app to access Exchange Online, and much more.

What apps can you apply App Protection Policies to?

[Image: Mobile apps.png]

Do I need anything else?
Yes, you will need the Microsoft Authenticator app for iOS or the Microsoft Company Portal app for Android. These are used as broker apps. If the user tries to use their native mail app, it should direct them to their app store to install Outlook.


Why do I need the broker app?
The broker app starts the Azure AD registration process, which creates a device record in Azure AD. This process isn't the same as the mobile device management (MDM) enrollment process, but this record is necessary so the Conditional Access policies can be enforced on the device.

How do I force Outlook Mobile via Conditional Access?

Step 1. - Go to Conditional Access

Step 2. - Click New Policy

Step 3. - Click Include > Select Users you would like it to apply to.

[Image: step 3.png]

Always use a test group or a test user before enabling the whole org.


It’s also worth keeping a break-glass account excluded.

Step 4. - Click Include > Cloud Apps or Actions > Select Apps > Search ‘Office 365 Exchange Online’

[Image: Exchange Online.png]

Step 5. - Click Conditions > Device Platforms > Select Android and iOS

[Image: Platforms.png]

Step 6. - Click Conditions > Client Apps > Select the following:

[Image: Client apps.png]

Step 7. - Click Access Controls > Click Grant > Select "Require approved client app".

[Image: Grant.png]

Completed!

[Image: Success.PNG]

Now, here's the logic:
If a user signs in to Office 365 Exchange Online from iOS or Android with any client, access is granted only if that client is an approved client app. This works for managed and unmanaged devices.
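The same policy built by the seven portal steps above can be created with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post; the group and break-glass object IDs are placeholders you must replace, and the Step 6 client-app selection is assumed, since the post's screenshot is not reproduced here.

```powershell
# Added example: create the "approved client app" policy from the post via Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId     = "<object-id-of-test-group>"          # Step 3: start with a test group (placeholder)
$breakGlassUserId = "<object-id-of-break-glass-account>" # keep the emergency account excluded (placeholder)

$policy = @{
    displayName = "Require approved client app for Exchange Online on iOS and Android"
    # Report-only first: the sign-in logs show what would have been blocked
    # without enforcing anything. Change to "enabled" after reviewing them.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        # Step 4: well-known application ID of "Office 365 Exchange Online"
        applications = @{
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        # Step 5: device platforms
        platforms = @{
            includePlatforms = @("android", "iOS")
        }
        # Step 6: client apps (assumed selection; adjust to match your screenshot)
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync")
    }
    # Step 7: Grant > Require approved client app
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back to confirm the stored conditions match what was intended
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object -ExpandProperty Conditions |
    ConvertTo-Json -Depth 5
```

Leave the policy in report-only mode until the Azure AD sign-in logs (Conditional Access tab, "Report-only" result) show only the native mail clients being caught, then switch the state to "enabled".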

The Approved Client Apps can be found here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#supported-mobile-applications-and-desktop-clients

To find out more on how App-based Conditional Access works, check Microsoft’s documentation here: https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune
