Wednesday, 25 March 2015

See "Microsoft Intune Conditional Access" in action

EMS Landing page

Microsoft Intune Conditional Access was first released in December 2014. It is particularly cool. Now we can fight Shadow IT and block access to corporate resources from un-managed devices. Many enhancements have been made to the service since.

Have a look at the following TechNet library document:

Control access to Exchange and Office 365 with conditional access in Microsoft Intune

Use Conditional access in Microsoft Intune to secure email and other services depending on conditions you specify.

When devices do not meet the conditions, the user is guided though the process of enrolling the device and fixing the issue that is preventing the device from being compliant.

To implement conditional access, you configure two policy types in Intune:

  • Compliance policies are optionally deployed to users and devices to define the rules and settings that the device must comply with in order to be allowed access to services. These rules include passcode, encryption, whether the device is jailbroken or rooted, and whether email on the device is managed by a Intune policy. If a compliance policy is not deployed, then the conditional access policy will treat the device as compliant.
  • Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security groups or Intune groups will be targeted and how devices that cannot enroll with Intune will be managed.
Unlike other Intune policies, you do not deploy conditional access policies. Instead, you configure these once, and they apply to all your managed devices.

The currently supported scenarios are:

Standalone Intune
  • Exchange On-Premise (Exchange 2010 and later)
  • Exchange Online
  • SharePoint Online

ConfigMgr/Intune integrated
  • Exchange Online (very recent)

In this blog I have concentrated on configuring an Exchange On-premise conditional access solution (because I don't have Exchange or SharePoint Online labs). I will demonstrate how to carry out the following:
  1. Install the Microsoft Intune Exchange Connector
  2. Create an Exchange On-premises policy
  3. User testing and experience

See here for more information

Set up mobile device management using Exchange ActiveSync in Microsoft Intune

1. Microsoft Intune Exchange Connector

If your instance of Exchange Server is on-premises, you must download, install, and set up the Microsoft Intune On-Premises Connector on a computer in your infrastructure. 

See here for the requirements:

Requirements for the On-Premises Connector

You must create an Active Directory user account that is used by the Intune Exchange Connector. The account must have permission to run the following required Exchange PowerShell cmdlets: 

  • Get-ActiveSyncOrganizationSettings, Set-ActiveSyncOrganizationSettings
  • Get-CasMailbox, Set-CasMailbox
  • Get-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, New-ActiveSyncMailboxPolicy, Remove-ActiveSyncMailboxPolicy
  • Get-ActiveSyncDeviceAccessRule, Set-ActiveSyncDeviceAccessRule, New-ActiveSyncDeviceAccessRule, Remove-ActiveSyncDeviceAccessRule
  • Get-ActiveSyncDeviceStatistics
  • Get-ActiveSyncDevice
  • Get-ExchangeServer
  • Get-ActiveSyncDeviceClass
  • Get-Recipient
  • Clear-ActiveSyncDevice, Remove-ActiveSyncDevice
  • Set-ADServerSettings
  • Get-Command
You will need to speak nicely to your Exchange Admin to configure the required permissions. I cheated every so slightly in the lab.

I assigned my account way more permissions than I needed (OK in a lab, not so clever in production).

Navigate to Administration > Microsoft Exchange > Set Up Exchange Connection. Select to "Download On-Premises Connector".

See the Connector executable and Intune certificate files. Note that these two files must be present in the installation folder.

Double click Exchange_Connector_Setup to launch the Microsoft Intune Exchange Connector Setup Wizard". Click Next to continue.

Review the terms and click Next to Install.

The Connector installs.

The setup has completed. Click Finish to start the Connector.

Welcome to the "Microsoft Intune Exchange Connector".  Enter the required details:
  • Exchange Client Access Server name
  • Domain account that you created earlier
  • Optional email address
Click Connect to create the communication between Intune and Exchange.

The connection is being created.

The connection has been created. We are told where we can see the synchronization status.

Note that you can update the connector details if you need to. I have added an email address here.

Back in the Intune Portal we can see that the connection has been created but the initial sync has not been run. Click "Run Full Sync" to kick that off.

Synchronization is in progress.

After synchronization has been completed we can run a Mobile Device Inventory Report. This will tell us the bad news. Which of my devices are un-managed but are still accessing Exchange? We need to contact these users to make arrangements for enrolling these devices. Once we apply a conditional access policy these users will lose access to email.

2. Create an Exchange On-premises policy

It's very easy to create the Conditional Access policy. Navigate to Policy > Conditional Access > Exchange On-premises Policy.

Check the box "Block email apps from accessing Exchange On-premises if the device is non-compliant or not enrolled". 

Select the Targeted Groups (in other words the groups that should receive the policy). In my lab I chose "All Users".

Select the Exempted Groups. The policy will not apply to these users. If a user is in both targeted and exempted groups the policy will not apply. I have chosen a group "Excluded from Conditional Access".

The default rule should be "Allow the devices to access Exchange".

See that you can customise the User Notification". Save the policy.

See that I have allowed only Mike and Pat to be exempt from the policy (as they are VIPs and have to be treated differently).

3. User testing and experience

I am testing on an un-managed Android device. Remember we have allowed Pat to be exempt from the Conditional Access Policy. Therefore he should be allowed to connect to Exchange........

.....and he can.

Good for Pat.

Gerry is not so lucky. He is not a VIP so the policy will apply.

He cannot connect to Exchange.

He actually receives an email to his mailbox explaining the situation and telling him that he is trying to access Exchange with an un-managed device. Perfect.

Gerry then installs the Intune Company Portal and enrolls the device.........

.....and finally can access his email.


  1. Can you make it work with the new Outlook apps? :)

    1. No reason why not. It supports ALL email apps on supported devices.

  2. One of the most challenging parts of installing the connector is securing the service account that is used by the connector. I would recommend adding this script as an option for the reader to your post. This script is great:

  3. Hi Gerry,

    great post. How would you recommend testing this - without knocking off existing users who use activesync natively? I'm concerned once i install, all of a sudden i'll nuke their phones.. :-)

  4. Have a look at this

    It shows you which report to run so that you can assess the impact of turning on conditional access before you do so.