Conditional access based on personal or company owned device

ChielD1975 141 Reputation points
2020-07-28T13:21:31.69+00:00

We want to accomplish that a personal device (MAM) is not allowed to use the native mail app, but instead that they need to use the Outlook app. This is easy to configure with a CA policy based on user groups and approved client settings, but for an MDM enrolled device the user needs the possibility to use any kind of mail app to access the company email.

So how can we differentiate two CA policies based on the type of enrollment?

Can anybody put me in the right direction on how to set this up?

Thanks!


Accepted answer
  1. Crystal-MSFT 43,721 Reputation points Microsoft Vendor
    2020-08-07T07:25:07.777+00:00

    Hi,

    For the conditional access not applied issue, based on my research, it seems the conditional access will be applied when the user tries to authenticate to Azure AD from the app.
    https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

    For our situation, as the user has already logged in to Outlook, the token is cached on the device side. So the authentication does not happen, which causes the conditional access not to be applied. But when we remove the account and add it again, it triggers the authentication and the conditional access is applied.

    After researching, I found a setting named Sign-in frequency, which defines the time period before a user is asked to sign in again when attempting to access a resource.
    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

    Maybe we can set this setting to fix our issue. As Conditional Access is a feature in Azure AD, Azure AD support may be more familiar with it; we suggest contacting them to double confirm our issue and guide you on the sign-in option. Here is the forum for Azure AD support:
    https://learn.microsoft.com/en-us/answers/topics/azure-active-directory.html

    Thanks for your understanding. Have a nice day!

    Best regards.
    Crystal


4 additional answers

  1. Crystal-MSFT 43,721 Reputation points Microsoft Vendor
    2020-07-29T02:22:33.257+00:00

    Hi,

    In Conditional Access policy, the only condition we find that is used to distinguish the device state is Compliance. We don't find any condition to distinguish personal devices from corporate devices.

    To accomplish our goal, I have an idea as reference. We can set a compliance policy and assign it to all the devices which are corporate. Then configure the "Mark devices with no compliance policy" as "Not Compliant" under "Compliance policy settings". As there's no compliance policy assigned to the personal devices, all the personal devices will be marked as Not compliant. Afterwards, we can add the condition "Require the device marked as compliant" into the Conditional Access policy to accomplish what we want.

    Hope it can help.

    Best regards.
    Crystal


  2. ChielD1975 141 Reputation points
    2020-07-29T21:14:36.21+00:00

    Hi,

    Thanks for reaching out so soon, much appreciated!

    I've built this in my own tenant:

    Conditional Access policy (enforce modern authentication):

    Conditions:

    • Client apps (preview):
      • Mobile apps and desktop clients
        • Modern authentication clients
    • Device state (preview):
      • Include:
        • All device state
      • Exclude:
        • Device marked as compliant

    Access controls:

    • Grant:
      • Require MFA
      • Require device to be marked as compliant
      • Require approved client app

    Conditional Access policy (blocking the native mail app, but not on MDM (= compliant) devices):

    Conditions:

    • Client apps (preview):
      • Mobile apps and desktop clients
      • Exchange ActiveSync clients

    Access controls:

    • Grant:
      • Require device to be marked as compliant
      • Require approved client app

    With a compliance check for all devices with the ownership Corporate, it works beautifully! Then I realized that we have employees with personal iOS devices who enrolled their devices with the Company Portal app, and now the ownership is set to Personal. So in this setup they aren't compliant and are unable to use the native mail app, for example, even though the device is MDM enrolled.

    Tomorrow I will test if I can do something with Categories, so the user has to make a decision when enrolling the device with the Company Portal app, and make a combination of the Ownership and Category; maybe I can accomplish it with these adjustments.

    Will keep this updated, many thanks!

    Best regards,
    Michiel

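As an added example (not code from this thread, and not Microsoft's own sample), here are the two policies Michiel lists above expressed as Microsoft Graph request bodies and created with the Microsoft Graph PowerShell SDK, plus the Sign-in frequency session control the accepted answer points to. Assumptions, all marked in the code: the group ID is a placeholder; the first policy's grant controls are reduced to "approved client app" (MFA omitted); the grant operators, the report-only state and the 24-hour sign-in frequency are this example's choices, not settings from the thread.

```powershell
# Added example, not code from the thread. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder (hypothetical): object ID of the user group the policies are scoped to.
$targetGroupId = "<object-id-of-target-group>"

# Well-known application ID of Office 365 Exchange Online (the EAS endpoint).
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

# Policy 1: modern-auth mobile clients on devices that are NOT marked compliant must use an
# approved client app (Outlook). Compliant (MDM) devices are excluded through a device filter,
# which mirrors the "Device state: exclude compliant" condition in the post above.
$personalDevicePolicy = @{
    displayName = "Mobile: non-compliant devices require approved client app"
    # Assumption: start in report-only mode and check the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($targetGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        # Assumption: a single required control; MFA from the post is omitted here.
        operator        = "AND"
        builtInControls = @("approvedApplication")
    }
}

# Policy 2: Exchange ActiveSync clients (the native mail apps) are only granted access from a
# compliant device. A non-compliant device is shown the "enroll your device" message instead.
$easPolicy = @{
    displayName = "Mobile: Exchange ActiveSync requires compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($targetGroupId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @("exchangeActiveSync")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice")
    }
}

$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $personalDevicePolicy
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $easPolicy

# Sign-in frequency (the session control from the accepted answer): clients that are already
# signed in keep using a cached token and never re-run Conditional Access, which is why a new
# policy seems to do nothing until the account is removed and re-added. A sign-in frequency
# forces a fresh sign-in on a schedule, so the policy is re-evaluated. 1 day is an assumption.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p1.Id -BodyParameter @{
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "days"; value = 1 }
    }
}

# Read back what was created before switching either policy from report-only to enabled.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p1.Id | Select-Object DisplayName, State
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p2.Id | Select-Object DisplayName, State
```

The device filter does the work that the original "Device state (preview)" condition did: a device that is MDM enrolled and passes its compliance policy is excluded from policy 1 regardless of whether Intune records its ownership as Corporate or Personal, which is exactly the gap Michiel hit with personally owned but enrolled iPhones. Keep both policies in report-only mode until the sign-in log shows the expected results for a compliant device, a non-compliant device using Outlook, and a non-compliant device using the native mail app.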

  3. Crystal-MSFT 43,721 Reputation points Microsoft Vendor
    2020-07-30T08:51:32.833+00:00

    Hi Michiel,

    Thanks for the update. I am glad that it is working. We will wait for your update about category. If there's anything else we can help, feel free to let us know.

    Best regards.
    Crystal


  4. ChielD1975 141 Reputation points
    2020-08-06T09:53:18.237+00:00

    Hi,

    Categories wasn't the right way to go, because one of the requirements was that enrolling iOS devices shouldn't be done by installing and configuring the Company Portal, because then a device is always MDM and almost fully managed by IT.

    So now we've built a solution where, if a user wants to use the native mail app, a message pops up telling the user that the device needs to be enrolled (MDM) to use the native app. If a user installs the Outlook app (should be the standard I believe, but that's another discussion) then the device needs to be registered with the Authenticator app and the user receives the MAM policies. Everybody happy this way!

    Now for existing enrolled or registered devices it's a bit tricky, because when I add a user to the group that's receiving these new conditional access policies, nothing happens on the device. Only by deleting the existing (mail) account and adding it again are the new policies applied.

    Can you tell me how I can push the new settings, so everybody will get this new set of policies?

    Thanks again!
