David-1015 asked:

Conditional Access - MAM-WE - Users without an Intune license can access corporate emails

Hi everyone,

I am getting a bit confused about Conditional Access in the context of Intune MAM without enrollment (MAM-WE).
Our employees use their own mobile phones (BYOD). Once users are assigned to a group that is targeted by the Intune license (E5), they are (after a while)
blocked from accessing emails with apps other than Outlook mobile, which is fine.

However, users who do not have an Intune license (i.e. are not part of this group) can still access corporate emails via other apps.

How can I prevent access to corporate emails with other apps by default? Meaning that employees will only access them when they are "compliant" with Intune MAM-WE.
Otherwise an employee who is not in the group (by mistake) could use another mobile email app without us knowing and would not benefit from our policies.

Any help with this?

Thank you very much.

Tags: azure-ad-conditional-access, mem-intune-conditional-access

David-1015 answered:

Hi LuDaiMSFT, thank you very much for your help.

I fixed my issue last week by:
- creating a first policy to block all cloud apps (exclusion set on 365 apps only)
- creating a second policy to require MFA and app protection

All working now.


Thank you very much

LuDaiMSFT-0289 commented:

@David-1015 You're welcome. I'm glad to hear that it works well. If you have any issue in the future, you are welcome to post in our Q&A.

Thanks and have a nice day. : )

Jason-MSFT answered:

Without knowing your full config, not much can truly be said here other than that the issue is not Intune licensing, as CA is not even a feature of Intune; it's a feature of AAD. I suspect that you are creating your rules backwards: you are allowing by default but should instead be blocking by default. But as noted, without in-depth or hands-on analysis of your rules, that's just a guess and nothing more can be said.

Jason-MSFT answered:

CA is also not designed to be app specific either as CA is a gate on authentication to AAD.

But, as noted, without seeing the entire configuration I can only guess as to how you have things misconfigured. It is probably a combination of what I noted above (allowing implicitly instead of blocking implicitly) and using the approved client apps setting (which we generally discourage).


David-1015 commented:

Hi Jason,

Thank you very much for your answer. I understand the segregation between CA and Intune. I am now wondering how to make CA understand that we only want employees to access their emails via the Outlook mobile app if and only if the device has been registered with MAM-WE. I can see in CA that a grant policy relies on the device being compliant; however, it seems to be applicable to managed devices, and thus to MDM.

Any more details on this please?

Thank you.


David-1015 commented:

That makes sense. So ideally, I'd need to create (via the Endpoint Manager) a first policy to block any access for all users (for mobile access only) and then a second policy to allow access only if devices use the Outlook app (+ MFA + Approved client app). I guess the policy order matters?

Thank you.


David-1015 commented:

Thank you Jason. After reading more tutorials on this link, I have created a "block all" policy as follows:
- Users and groups -> only my user
- Cloud apps: include all, exclude Office 365 apps
- Device platforms: include Android and iOS
- Locations: include any location
- Client apps: mobile apps
- Block access: checked nothing and clicked 'Select'

I was expecting my user to be prevented from accessing my corporate emails via any mail app other than Outlook mobile. It didn't work.
This time I kept in mind that I block everything by default while only allowing access when using Office 365 apps.

Any suggestion on why it didn't work?

LuDaiMSFT-0289 commented:

@David-1015 From your description, do you mean that you want to use only the Outlook app to access emails? If I have misunderstood anything, please correct me.

Based on my research, I find that you can block the built-in mail apps on iOS/iPadOS and Android when you allow only the Microsoft Outlook app to access Exchange Online via conditional access. When using a native email app, users will be redirected to install the Outlook app.
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune#how-app-based-conditional-access-works

It is suggested to try the following:
1. Please create an app protection policy and add Outlook as a protected app.
2. Then configure "Require approved client app" and "Require app protection policy" in the conditional access policy.
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

Hope it will help.

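The two-policy design in David-1015's answer above (block all cloud apps except Office 365 for mobile clients, then require MFA plus app protection for Office 365) and the grant controls LuDaiMSFT-0289 lists in the last comment ("Require approved client app" and "Require app protection policy") can be built with the Microsoft Graph PowerShell SDK instead of the portal. The script below is an added example for this page, not code from the thread or from Microsoft. It assumes an Intune app protection policy that already targets Outlook (step 1 in the comment above); the pilot group and break-glass account object IDs are placeholders, and the Exchange Online app display name used in the sign-in filter is assumed to be "Office 365 Exchange Online". Both policies are created in report-only state so their effect can be read from the sign-in log before anything is enforced.

```powershell
# Added example (not from the original thread): the thread's two-policy design built
# with the Microsoft Graph PowerShell SDK, in report-only mode, plus a sign-in-log check.
# Modules: Microsoft.Graph.Identity.SignIns (policy cmdlets), Microsoft.Graph.Reports (sign-in log).
$PilotGroupId     = '00000000-0000-0000-0000-000000000001'   # placeholder: group of BYOD users in scope
$BreakGlassUserId = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access account to exclude

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'AuditLog.Read.All'

# Policy 1: on iOS/Android mobile apps, block every cloud app EXCEPT the Office 365 app group.
$blockPolicy = @{
    displayName = 'CA-BYOD-01 Block all cloud apps except Office 365 (mobile)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing the report
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)      # never lock out the break-glass account
        }
        applications = @{
            includeApplications = @('All')
            excludeApplications = @('Office365')      # built-in Office 365 app group
        }
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: Office 365 on iOS/Android is granted only from an approved client app that is
# covered by an Intune app protection policy, and only with MFA (AND = all three required).
$grantPolicy = @{
    displayName = 'CA-BYOD-02 Office 365 requires MFA + approved app + app protection (mobile)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'AND'
        # compliantApplication is the Graph name for "Require app protection policy"
        builtInControls = @('mfa', 'approvedApplication', 'compliantApplication')
    }
}

$created = foreach ($policy in $blockPolicy, $grantPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
$created | Select-Object Id, DisplayName, State

# Check: which client types have been reaching Exchange Online, and what would the
# report-only policies have done to each of them? Requires Azure AD Premium P1.
function Get-ExchangeClientReportOnlyResults {
    param([int]$Top = 200)   # number of most recent Exchange Online sign-ins to inspect
    # Assumed display name of the Exchange Online service principal in the sign-in log.
    Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Office 365 Exchange Online'" -Top $Top |
        ForEach-Object {
            $signIn = $_
            foreach ($cap in $signIn.AppliedConditionalAccessPolicies) {
                if ($cap.Result -like 'reportOnly*') {
                    [pscustomobject]@{
                        User      = $signIn.UserPrincipalName
                        ClientApp = $signIn.ClientAppUsed                 # e.g. 'Mobile Apps and Desktop Clients', 'Exchange ActiveSync'
                        Platform  = $signIn.DeviceDetail.OperatingSystem
                        Policy    = $cap.DisplayName
                        Result    = $cap.Result                           # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied / reportOnlyInterrupted
                    }
                }
            }
        } |
        Group-Object Policy, Result, ClientApp |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-ExchangeClientReportOnlyResults
```

The report-only check is there because the thread's first "block all" attempt did not behave as expected: the Client apps condition has several distinct selections (among them "Mobile apps and desktop clients", "Exchange ActiveSync clients" and "Other clients" for legacy authentication), and the ClientApp column shows which one each native mail client actually falls under, so the condition can be widened deliberately rather than by guesswork. A Conditional Access policy must name users, cloud apps and at least one grant or session control, which both hashtables do; Get-MgAuditLogSignIn needs the AuditLog.Read.All scope, and the policy cmdlet needs Policy.ReadWrite.ConditionalAccess.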