• Home
  • Blog
  • Technical
  • How to enforce the use of managed applications (e.g. the Outlook app for Exchange Online) using Conditional Access in Azure AD Premium

How to enforce the use of managed applications (e.g. the Outlook app for Exchange Online) using Conditional Access in Azure AD Premium

Back to Blog
21Nov2018

How to enforce the use of managed applications (e.g. the Outlook app for Exchange Online) using Conditional Access in Azure AD Premium

In a previous post I demonstrated how easy it is to create a Mobile Application Management policy in Microsoft 365. With the addition of Azure AD Premium P1, we can also leverage Conditional Access polices that will require users to interact with corporate data through the Microsoft applications such as Outlook. After all, you can create a MAM policy, but those settings are only meaningful within the Microsoft apps themselves–so if you want those protections to be strictly enforced everywhere, you will need to steer your users into the right set of supported applications.

Enter Conditional Access. Here we can tell Azure AD to deny access to apps that are unsupported. Also see my post on requiring MFA for devices that are unmanaged, which is another good pairing for Mobile Application Management (MAM) policies.

Two paths diverged in a wood….

Now, if you have both MAM and MDM in your environment, you might need something a little bit different. Users who are enrolled in Intune for MDM, with their devices registered against Azure AD might be allowed to have a managed email profile in the native mail app for instance, and so need not be required to use MAM (since they are managed already via MDM). Therefore, in a follow-up post, I will also cover how to create variations on these policies which require one of the following to be true:

  1. Users must use approved (managed) applications that are protected by MAM
  2. Users will be required to register against Azure AD and Intune (MDM)

Let’s look at the first scenario–just requiring managed apps across the board (steering the entire organization toward MAM rather than MDM).  Achieving this goal will require three policies:

  1. Policy #1: requires managed applications to be used on mobile devices for Exchange Online and SharePoint Online
  2. Policy #2: requires managed applications for Exchange ActiveSync (EAS) clients
  3. Policy #3: disables legacy clients of any kind

Step 1: Create a new Conditional Access policy requiring MAM-enabled apps

You can find Conditional Access from Azure AD Admin center, or the Microsoft Intune admin center (In the Azure portal). Select Policies > New policy.

Step 2: Select your assignments

I will name my policy “Require managed apps” and pick my assignments. I want this policy to apply to All users, but you can (and probably should) scope it to a group, and/or also exclude at least one admin account. Under Cloud apps, you should pick Office 365 Exchange Online and Office 365 SharePoint Online–these apps are where most data worth protecting is stored.

Step 3: Pick your conditions

Device platforms: This policy’s goal is to require managed apps on mobile devices (MAM). Choose Android and iOS (and I suppose Windows Phone if that is seriously in use anywhere?)

Locations: Optional, or just pick Any location.

Client apps: Choose Mobile apps and desktop clients as well as Modern authentication clients. Leave the options for Browser and Exchange ActiveSync clients un-checked. The control will not apply to web browsers, only to applications; I recommend a different policy for web browsers (require them to use MFA). As well, we cannot configure the Exchange ActiveSync clients in the same policy due to some inherent limitations with Conditional Access. So we will need to configure a second policy specifically for EAS clients.

Device state: You do not need to configure this condition.

 

Step 4: Choose access controls

Choose Grant access, and tick the check mark box for Require approved client app–you can also click the link to see Microsoft’s list of approved apps.

When you are ready, you can save and enable the policy by choosing On, then Create.

Step 5: Create policy #2: EAS client policy

As I mentioned above, you will need another policy that applies to Exchange ActiveSync clients. Microsoft requires EAS clients to be managed separately at this time. Create another policy, and give it a descriptive name. This will have the same settings as above, basically, except that under Cloud apps, you must have Office 365 Exchange Online as the only application in this policy in order for it to work correctly.

Now under Conditions you only have to define one: Client apps, and you will select only Mobile apps and desktop clients as well as Exchange ActiveSync clients. At this time, technically no other conditions are supported when you build a policy including Exchange ActiveSync (there is a note below the selection to the same effect).

 

The Access controls section remains the same as in the first policy. Choose Grant access and Require approved client app.

Step 6: Create policy #3: Block access to older legacy apps

One more policy to create! The selections are quick and painless, however. This will prevent older clients from connecting to Exchange Online. Only add this policy if you have modernized your organization with newer client software such as Office 365 subscription-based desktop apps. Name it something descriptive like Block legacy client apps for Exchange Online. Again you will select only Office 365 Exchange Online for the Cloud app, as we did above. Under Client apps you need only to select Mobile apps and desktop clients, and Other clients.

And, instead of Grant we will Block access, under Access controls.

Save your selections and Create your policy.

Step 7: Test it out!

Keep in mind that conditional access policies can tend to take some time (1-2 hours in some cases) before taking effect, but eventually you should be able to verify that they are working.  Try accessing an Exchange account using the native iOS mail app for instance, and see what happens! Of course, the Outlook app would be successful here.

And if in your policies you accidentally included the Browser category somewhere, you may notice that access is denied as well. In my opinion, it is better to simply protect browsers by requiring MFA–raising your confidence in the authentication requests coming from the web. This should already be happening for unmanaged devices, if you’re using that policy in conjunction with this, and again IMO: this should be good enough. Nevertheless, you can imagine how easy it is to create a policy that applies to Browsers and requires MFA globally–it would be simple and quick to setup and apply universally (whether devices are managed or no).

Good luck with your own MDM, MAM and Conditional access strategies!

Technical , , , , , , 2 Comments
Share:

Comments (2)

  • Dillon Burke Reply

    How do you get managed apps though? it blocks access to the company portal app.

    March 8, 2022 at 3:02 pm
    • Alex Fields Reply

      Do not target “All cloud apps” or at least exclude the Microsoft Intune Enrollment cloud app. Normally I just target Office 365 instead of All cloud apps for this situation.

      March 9, 2022 at 1:13 pm

Leave a Reply

Back to Blog

Related Posts

11Jul

Migrating SBS Remote Web Access to Essentials Anywhere Access

In Windows Small Business Server environments, one of the more popular features to implement was the Remote Web Workplace (or Remote Web Access in 2011). The idea was to grant secure, web-based remote access to corporate resources (such as Remote Desktop or web-enabled access to... read more
07Nov

Configure alerts for your 365 Tenant from the Security & Compliance Center

If you have an Office 365 or Microsoft 365 subscription, then you should check out the Security & Compliance Center--there are plenty of tools in here to help you step up your game. Generally speaking, nothing is really configured by default, so if you want... read more
06Apr

Warning: Domain Renames are Not Recommended (or Supported)

I have recently run into a couple of different scenarios wherein I've been asked to fix domain rename operations gone awry.  After having worked through this process extensively twice now, I thought I'd post about my experience, in case this helps anyone else avoid the same... read more
25Jan

Tutorial: How to downgrade to the old Office 365 Message Encryption

I recently shared the method used to enable the "new" Office 365 Message Encryption features, built on Azure Information Protection. That process can be followed either to setup a new tenant with the latest version (v2), or to upgrade an existing tenant from the old... read more
26Oct

Tutorial: How to Setup Azure Virtual Network with Windows Server Essentials and a Hardware VPN Appliance

Most tutorials on Azure Virtual Network and site-to-site VPN rely on Windows Server's RRAS role to create a quick and dirty VPN connection for demonstration purposes. But in a real world production environment, this is hardly ever the case; the better option by far for... read more
28Nov

Three ways to protect your customer’s on-premises data with Azure: Part 2 – Azure Backup Server

In the previous post, we looked at Azure Backup using the MARS agent, which can only do file, folder & system state data, and must be configured on the local machine. As you may already be aware, there are no local backup copies in that... read more
11Nov

From Ignite 2019: Office 365 ATP Best Practices Analyzer, and other actions MS is taking to democratize security

I haven't had time to write an overall review of Ignite and all the various announcements that were made. And honestly, I might just skip that because there are so many others out there doing the same. They probably did an even do a better... read more
20Jun

Conditional access for the SMB, a how-to guide

**This resource was updated 09/01/2019** Unfortunately it is not yet possible to import CA policies from JSON, the way we can for Intune compliance policies or device profiles. Nevertheless, now that Conditional access is available to all Microsoft 365 Business customers, you will want a good... read more
14Jul

U.K. Cyber Essentials Simple Assessment Tool

I recently came across the U.K.'s Cyber Essentials, as published by the National Cyber Security Centre (NCSC). Not two days after I learned about this simple control framework while on a conference call spanning several time zones with friends from around the world, that I... read more
27Jun

Active Directory Migration from SBS 2008 or 2011 to Windows Server 2016

There are three basic options for migrating Active Directory from Small Business Server--(1) you can move into Windows Server Essentials or (2) Windows Server Standard. Furthermore, (3) you can move to Windows Server Standard, and enable the Essentials Experience role afterward, which is what I typically... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me