Today I'm writing a post about how to force your users to use the Outlook app on iOS and Android devices, even when they use a personal, non-managed device. One reason for forcing your users to use the Outlook app is the use of multi-factor authentication (MFA) on your users' mailboxes. Some third-party mail applications still try to connect to your users' mailboxes using legacy protocols and therefore bypass MFA. Another reason is when you are using an App Protection Policy (APP) to protect company data received via email: those APP settings are only applied in applications that integrate with the Intune SDK.
To set this up, we will use an Azure Conditional Access policy that allows access to Exchange Online on iOS or Android only from an approved app (Microsoft Outlook). That way we can be sure MFA is enforced, as well as the App Protection Policy.
Set up the Azure Conditional Access policy
- Open the Device Management portal and click Conditional Access
- On the Policies tab click New policy
- Give the new CA Policy a Name
- Under Assignments click the tab Users and Groups
- Select the group of users to which you will apply the policy (start with a pilot group)
- Click Done
- Click Cloud apps – select apps and search for Exchange Online (take note of the message which is shown!)
- Click Done
- Select Conditions – Device platforms
- Click Yes
- Select Android and iOS
- Click Done
- Click Client apps (still under Conditions)
- Click Yes
- Select Browser, Mobile apps and desktop clients, Exchange Active Sync clients and other clients
- Click Done
Take note of the message which is shown about selecting Exchange Active Sync (EAS). When selecting EAS, not all other conditions are supported in the same CA policy, for example MFA. If you want to use one of those conditions, you have to uncheck EAS and set up a second CA policy.
If you want to exclude devices which are marked as compliant in Intune from this policy, you can achieve this on the Device state tab by selecting Device marked as compliant.
- Click Grant (under Access Control)
- Select Grant Access
- Select Require approved client app
- Click Select
- Click On under Enable Policy
- Click Create
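The same policy expressed as a Microsoft Graph request body, as an added example that is not part of the original post. It builds the policy with the settings from the steps above (iOS and Android, all client app types including Exchange ActiveSync, Exchange Online as the cloud app, grant = Require approved client app), checks it for the EAS-plus-MFA combination the note above warns about, models how the single policy decides a sign-in, and can POST it to Graph. Assumptions: the Graph `identity/conditionalAccess/policies` schema as Microsoft documents it, the well-known Exchange Online application id (not on this page), a placeholder group id, and an access token with the Policy.ReadWrite.ConditionalAccess permission in the `GRAPH_TOKEN` environment variable when you actually want to create the policy. The Device state exclusion for compliant devices is not modelled.

```python
import json
import os
import urllib.request

# Well-known application id of Office 365 Exchange Online (assumption: documented by Microsoft,
# not taken from the post).
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_policy(display_name, pilot_group_id, state="enabled"):
    """Graph request body mirroring the portal steps: pilot group, Exchange Online,
    iOS + Android, all client app types, grant 'Require approved client app'."""
    return {
        "displayName": display_name,
        "state": state,  # "enabled" corresponds to 'Enable policy: On'
        "conditions": {
            "users": {"includeGroups": [pilot_group_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["android", "iOS"]},
            "clientAppTypes": [
                "browser",
                "mobileAppsAndDesktopClients",
                "exchangeActiveSync",
                "other",
            ],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]},
    }


def lint_policy(policy):
    """Return the problems a reviewer would flag before creating the policy."""
    problems = []
    cond = policy["conditions"]
    grants = policy.get("grantControls", {}).get("builtInControls", [])
    if "exchangeActiveSync" in cond.get("clientAppTypes", []) and "mfa" in grants:
        problems.append("EAS clients cannot be combined with the MFA grant; "
                        "uncheck EAS here and put MFA in a second policy")
    if not grants:
        problems.append("no grant control: the policy would not enforce anything")
    users = cond.get("users", {})
    if not users.get("includeGroups") and not users.get("includeUsers"):
        problems.append("no users or groups assigned; start with a pilot group")
    return problems


def decide_access(policy, member_of, platform, client_app_type, approved_app):
    """Simplified model of how this one policy evaluates a sign-in (assumption: the
    real service combines all policies; this only reasons about the given one)."""
    cond = policy["conditions"]
    in_scope = (
        policy["state"] == "enabled"
        and any(g in member_of for g in cond["users"].get("includeGroups", []))
        and platform in cond["platforms"]["includePlatforms"]
        and client_app_type in cond["clientAppTypes"]
    )
    if not in_scope:
        return "not in scope"  # this policy does not apply; other policies decide
    grants = policy["grantControls"]["builtInControls"]
    if "block" in grants:
        return "blocked"
    if "approvedApplication" in grants and not approved_app:
        return "blocked"  # e.g. Gmail app or a legacy EAS client
    return "allowed"  # e.g. Outlook, which is an approved client app


def create_policy(policy, token=None):
    """POST the policy to Graph. Without a token this is a dry run that returns the body."""
    body = json.dumps(policy).encode()
    token = token or os.environ.get("GRAPH_TOKEN")
    if not token:
        return body
    req = urllib.request.Request(
        GRAPH_CA_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed placeholder group id; replace with the object id of your pilot group.
    pilot = "00000000-0000-0000-0000-000000000000"
    pol = build_policy("Require Outlook on iOS and Android", pilot)
    print("lint:", lint_policy(pol))
    print("Jane, iOS, Outlook:", decide_access(pol, [pilot], "iOS", "mobileAppsAndDesktopClients", True))
    print("Jane, iOS, other app:", decide_access(pol, [pilot], "iOS", "other", False))
    print(create_policy(pol).decode())  # dry run unless GRAPH_TOKEN is set
```

Run it without `GRAPH_TOKEN` to see the request body and the modelled decisions; the lint step is where an MFA grant added to the same policy would be caught before the portal or Graph rejects the combination.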
What we have achieved by setting up this Conditional Access policy looks like this in an overview. User Jane is targeted with the CA policy and she is using her iOS device. When she uses Outlook (which is an approved client) to access her Exchange Online mailbox, access is allowed. When she uses another app to access her mailbox, access is blocked.
End-user experience
When a user who is targeted with the CA policy sets up, for example, the Gmail app to access the mailbox, the user receives a message like the one below. When the user clicks on Get started now, the user is redirected to the Outlook app in the app store.
When the Outlook app is downloaded and the user signs in to Outlook, the user is presented with a new message: a broker app is needed to move on. On Android the Company Portal app is used as the broker app and on iOS the Microsoft Authenticator app is used. When the user clicks on Get the app, the user is redirected to the app store to download the broker app.
When the broker app is downloaded, click on Open or just switch to Outlook. After providing the sign-in credentials again, the device needs to be registered.
When registration of the device is finished, the Inbox is opened!
The next step in securing access to company data in the user's mailbox would be setting up an App Protection Policy, which I will show in the next blog post.