Tuesday, 9 December 2014

Conditional access to email with Microsoft Intune

Back to Microsoft Intune menu

This has been an eagerly awaited feature and is now available with Microsoft Intune. We can now use Intune conditional access policies to control access to Microsoft Exchange email from mobile devices, even when the device is not managed by Intune.

Supported devices: 

Windows 8
Windows Phone 8
iOS with Exchange ActiveSync

In the Intune Admin Console navigate to Policy > Conditional Access > Exchange On-premises.

See that you can now "Block Exchange access from mobile devices that are not managed by Intune". You will also see that the option is greyed out until you set up an Exchange connector.

To set up a connector navigate to Admin > Mobile Device Management > Microsoft Exchange > Set up Exchange Connector. There are separate processes for on-premise Exchange (requires Exchange 2010 or later) and Office 365 (requires Office 365 account with Exchange 2013 tenant).

Details on setting up these connectors can be found in this TechNet Library article. You can see, for example, what Exchange permissions your user account requires.


Now you can check the box to block access for unmanaged devices.You can choose the groups of users at which this policy is targeted. You can also choose groups of users that will be exempt.

This is where you configure your advanced settings. You can "Add Rule" to configure a rule that defines access levels for specified mobile device families and models. These devices can be of any type, so device types that are unsupported by Intune can be configured here.

You can also configure a default rule. When a device not covered by any of the other rules is detected, you can choose to allow it to access Exchange, block it, or quarantine it. The default rule will apply to all device types, so device types that are unsupported by Intune will be affected as well.

Specify the text to include when Exchange sends an email to users whose devices have been quarantined or blocked.

Note that this really cool feature is currently available in standalone Intune only. It is not yet available with the unified solution of SCCM 2012/Intune.


Control access to on-premises Microsoft Exchange with conditional access in Microsoft Intune 


Conditional Access for On-Premises Exchange using Microsoft Intune



  1. i want to configure in such a way that as a admin i allow some employees to configure active sync on 1 device , some on 2 device and other on 3 devices. Is it possible ?

  2. But our project manager from MS said that it can be achieved. also i have figured a way from allow, block and quarantine ( from both Intune and O365). Is it the right approach.