This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 13%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Hi everyone,
I am getting a bit confused about Conditional Access in the context of Intune MaM Without Enrollment.
Our employees use their own mobile phones (BYOD). Once users are assigned to a group that is targeted by the Intune license (E5), they are (after a while)
blocked from accessing emails with other apps than Outlook mobile, which is fine.
However, users not having an Intune license/not being part of this group for this purpose, can still access corporate emails via other apps.
How can I prevent access to corporate emails with other apps by default? Meaning that employees will only access them when they are "compliant" with Intune MaM-WE.
This could lead to a scenario where an employee not in being in the group (by mistake) use another email mobile app without us knowing and not benefit from our policies.
Any help with this?
Thank you very much.
Hi LuDaiMSFT, thank you very much for your help.
I fixed my issue last week by:
All working now.
Thank you very much
@David You're welcome. I'm glad to hear that it works well. If you have any issue in the future, welcome to post in our Q&A.
Thanks and have a nice day. : )
Without knowing your full config, not much can truly be said here other than the issue is not Intune licensing as CA is not even a feature of Intune, it's a feature of AAD. I suspect that you are creating your rules backwards where you are allowing by default but should instead be blocking by default but as noted, with in depth or hand on analysis of your rules, that's just a guess and nothing more can be said.
CA is also not designed to be app specific either as CA is a gate on authentication to AAD.
But, as noted, without seeing the entire configuration I can only guess as to how you have things misconfigured, but it is probably a combination of what I noted above (allowing implicitly instead of blocking implicitly) and using the approved clients apps setting (which we generally discourage).
Hi Jason,
thank you very much for your answer. I understand the segregation between CA and Intune. I am now wondering how to make CA understand that we only want employees to access their emails via Outlook mobile app if and only if the device has been registered with MaM-WE. I can see in CA that a grant policy relies on the device being compliant, however it seems to be applicable to managed devices, and thus by MdM.
Any more details on this please?
Thank you.
That makes sense. So ideally, I'd need to create (via the Endpoint Manager) a first policy to block any access to all users (for mobile access only) and then a second policy to allow only if devices use the Oultook app (+ MFA + Approved client app). I guess the policies order matters?
Thank you.
Here's a great place to start: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
Thank you Jason. After reading more tutorials on this link, I have created a "block all" policy as the following:
I was expecting my user to be prevented from accessing my corporate emails via any other mail app than Outlook mobile. It didn't work.
This time I kept in mind that I block everything by default while only allowing when using 365 apps.
Any suggestion on why it didn't work?
@David From your description, did you mean that you want to only use Outlook app to access emails? If there is anything misunderstanding, please correct me.
Based on my research, I find that we can block the built-in mail apps on iOS/iPadOS and Android when you allow only the Microsoft Outlook app to access Exchange Online via contional access. When using a native e-mail app, we will be redirected to install the Outlook app.
https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune#how-app-based-conditional-access-works
It is suggested to try to do the following action:
Hope it will help.