Account setup in Outlook for iOS and Android using Basic authentication
Outlook for iOS and Android offers Exchange administrators the ability to "push" account configurations to their on-premises users who use Basic authentication with the ActiveSync protocol. This capability works with any Unified Endpoint Management (UEM) provider who uses the Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android.
For on-premises users enrolled in Microsoft Intune, you can deploy the account configuration settings using Intune in the Azure portal.
Once an account configuration is created and the user enrolls their device, Outlook for iOS and Android detects that an account is "Found" and prompts the user to add the account. The only information the user needs to enter to complete the setup process is their password. Then, the user's mailbox content loads and the user can begin using the app.
The following images show an example of the end-user setup process after Outlook for iOS and Android was configured in Intune.
Create an app configuration policy for Outlook for iOS and Android using Microsoft Intune
If you're using Microsoft Intune as your mobile device management provider, the following steps allow you to deploy account configuration settings for your on-premises mailboxes that use basic authentication with the ActiveSync protocol. Once the configuration is created, you can assign the settings to groups of users, as detailed in the next section, Assign configuration settings.
Note
If users in your organization use both iOS and Android for Work devices, you'll need to create a separate app configuration policy for each platform.
In the Microsoft Intune admin center at https://intune.microsoft.com, select Apps > Policy section > App configuration policies. Or, to go directly to the App configuration policies page, use https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/appConfig.
On the App Configuration policies page, select Add > Managed devices to start the app configuration policy wizard.
On the Basics tab of the Create app configuration policy page that opens, configure the following settings:
Name: Enter a unique, descriptive name.
Description: Enter an optional description for the app configuration settings.
Platform: Select" iOS/iPadOS or Android Enterprise.
Targeted app: Select Select app. In the Associated app flyout that opens, select Outlook.
Tip
If Outlook isn't listed as an available app, add it by following the instructions in Add Android store apps to Microsoft Intune and How to add iOS store apps to Microsoft Intune.
When you're finished on the Associated app flyout, select OK to return to the Basics tab of the Create app configuration policy page.
When you're finished on the Basics tab, select Next.
Note
If Outlook is not listed as an available app, then you must add it by following the instructions in Add Android store apps to Microsoft Intune and How to add iOS store apps to Microsoft Intune.
On the Settings tab, configure the following settings:
- Email account configuration section: Configure the following settings:
- Configuration settings section
- Configuration settings format: Select Use configuration designer. This selection causes many more settings to appear. The key value pairs used in this section are defined in the section Key value pairs.
- Email account configuration section:
- Configure email account settings: Select Yes to deploy account setup configuration:
- Authentication type: Select Basic authentication. This value is required for on-premises accounts that don't use hybrid modern authentication.
- Username attribute from Microsoft Entra ID: Select one of the following values:
- User Principal Name
- sAMAccountName: This value requires the NetBIOS domain name in the Account domain field.
- Email address attribute from Microsoft Entra ID: Select Primary SMTP Address.
- Email server: Enter the Exchange ActiveSync externally accessible domain name.
- Email account name: Enter a descriptive value for the account.
- Configuration settings section
- General app configuration section: If you want to deploy general app configuration settings, configure the desired settings accordingly:
Focused Inbox: Select one of the following values:
- Not configured (default)
- On (app default)
- Off
Require Biometrics to access the app: Select one of the following values:
Not configured (default)
On
Off (app default)
The values On or Off activate the Allow user to change setting option:
- Select Yes (app default) to allow the user to change the setting.
- Select No to prevent users from changing the setting. This setting is only available in Outlook for iOS.
Save Contacts: Select one of the following values:
Not configured (default)
On
Off (app default)
The values On or Off active the Allow user to change setting option:
- Select Yes (app default) to allow the user to change the setting.
- Select No to prevent users from changing the setting.
Default app signature: Select one of the following values:
- Not configured (default)
- On (app default)
- Off
Block external images: Select one of the following values:
Not configured (default)
On
Off (app default)
The values On or Off active the Allow user to change setting option:
- Select Yes (app default) to allow the user to change the setting.
- Select No to prevent users from changing the setting.
Organize mail by thread: Select one of the following values:
- Not configured (default)
- On (app default)
- Off
When you're finished on the Settings tab, select Next.
- Email account configuration section: Configure the following settings:
On the Assignments tab, select who the policy applies to. You assign the settings to groups of users in Microsoft Entra ID. When a user has the Microsoft Outlook app installed, the app is managed by the settings you configured.
Included groups section: Select and configure one of the following options:
- Add groups
- Add all users
- Add all devices
Excluded groups section: Select Add groups to exclude groups from the policy.
Tip
You can't mix user groups and device groups to include and exclude.
When you're finished on the Assignments tab, select Next.
On the Review + create tab, review your selections.
Select Previous or use the tabs to go back and make changes.
When you're finished on the Review + create tab, select Create
Back on the App configuration policies page, the newly created configuration policy is displayed.
Assign configuration settings
You assign the settings to groups of users in Microsoft Entra ID. When a user has the Microsoft Outlook app installed, the app is managed by the settings you have specified.
On the App configuration policies page at https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/appConfig, select the policy from the list by clicking on the Name value.
In the policy details page that opens, select Properties from the Manage section.
On the Properties page that opens, select Edit in the Assignments section.
On the Assignments tab of the Edit app configuration policy page that opens, configure the following settings:
Included groups section: Select and configure one of the following options:
- Add groups
- Add all users
- Add all devices
Excluded groups section: Select Add groups to exclude groups from the policy.
Tip
You can't mix user groups and device groups to include and exclude.
When you're finished on the Assignments tab, select Review + save.
Key value pairs
When you create an app configuration policy in the Azure portal or through your UEM provider, you need the following key value pairs:
| Key | Values |
|---|---|
| com.microsoft.outlook.EmailProfile.EmailAccountName | This value specifies the display name email account as it appears to users on their devices. Value type: String Accepted values: Display Name Default if not specified: <blank> Required: Yes Example: user Intune Token*: {{username}} |
| com.microsoft.outlook.EmailProfile.EmailAddress | This value specifies the email address to be used for sending and receiving mail. Value type: String Accepted values: Email address Default if not specified: <blank> Required: Yes Example: user@contoso.com Intune Token*: {{mail}} |
| com.microsoft.outlook.EmailProfile.EmailUPN | This value specifies the User Principal Name or username for the email profile that's used to authenticate the account. Value type: String Accepted values: UPN Address or username Default if not specified: <blank> Required: Yes Example: userupn@contoso.com Intune Token*: {{userprincipalname}} |
| com.microsoft.outlook.EmailProfile.ServerAuthentication | This value specifies the authentication method for the user. Value type: String Accepted values: 'Username and Password' Default if not specified: 'Username and Password' Required: No Example: 'Username and Password' |
| com.microsoft.outlook.EmailProfile.ServerHostName | This value specifies the host name of your Exchange server. Value type: String Accepted values: ActiveSync FQDN Default if not specified: <blank> Required: Yes Example: mail.contoso.com |
| com.microsoft.outlook.EmailProfile.AccountDomain | This value specifies the user's account domain. Value type: String Accepted values: Domain Default if not specified: <blank> Required: No Example: contoso |
| com.microsoft.outlook.EmailProfile.AccountType | This value specifies the account type being configured based on the authentication model. Value type: String Accepted values: BasicAuth Default if not specified: BasicAuth Required: No Example: BasicAuth |
* Microsoft Intune users can use tokens that will expand to the correct value according to the enrolled user. See Add app configuration policies for managed iOS devices for more information.