(Updated) Upcoming Exchange Device Access and Conditional Access changes with Outlook mobile

From Microsoft Corporation

MC216824 · Published Jun 19, 2020 · Last updated Dec 3, 2020

From QuixTec, LLC: about Microsoft Technical Bulletins: The information contained in these technical bulletins is provided ‘unaltered’ from the Microsoft 365 Message center. As an authorized Microsoft Partner, QuixTec’s Custom SharePoint Development and Office 365 expertise takes Microsoft notifications into full account throughout initiatives. We tailor your solution according to your corporate style and business requirements and make recommendations based upon our knowledgebase of Microsoft Technologies and technical bulletins. QuixTec’s Microsoft SharePoint development services deliver user-friendly, feature-rich applications. For example: using SharePoint’s flexibility, the solutions we create for you will be intuitive and welcome your users to collaborate and capture crucial information necessary to efficiently complete tasks. (425) 367-9025

Message Summary

Updated December 3, 2020: We have updated the post to extend visibility. There are no changes to the body of the message. Thank you for your patience.

Recently, we discovered that certain Azure Active Directory Conditional Access policies prevented Exchange Online device access rules from being applied to Outlook for iOS and Android. For example, for customers with a Conditional Access policy that required multi-factor authentication (MFA), Exchange Online did not process device access rules for Outlook for iOS and Android at all.

Beginning in August 2020, we will roll out changes in Exchange Online to ensure that only certain Conditional Access policies bypass Exchange’s device access rules. Specifically, only Conditional Access policies configured with the following grant access controls will prevent Exchange device access rules from being applied to Outlook for iOS and Android:

  • Require device to be marked as compliant
  • Require approved client app
  • Require app protection policy

Key Points:

  • Timing: Beginning of August
  • Action: Review and assess organizational impact

How this will affect your organization:

If you are utilizing Conditional Access policies that do not leverage the above grant access controls, and you have configured the mobile device access level within Exchange Online to either block or quarantine devices, users of Outlook for iOS and Android will be blocked or quarantined by Exchange Online after this change is implemented. By default, the mobile device access level in Exchange Online is set to allow.

If you are utilizing Conditional Access policies with the above grant access controls, your users will not be affected.
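The bulletin asks administrators to review and assess impact. The following script is an added example, not part of the Microsoft message, that checks both sides of the risk condition described above: whether any enabled Conditional Access policy carries one of the three bypassing grant controls, and what the Exchange Online default access level and the current access state of each Outlook for iOS and Android device are. It assumes the Exchange Online PowerShell module and the Microsoft Graph PowerShell SDK are installed, and that the account running it can read Conditional Access policies (the `Policy.Read.All` scope); the Graph names for the three grant controls (`compliantDevice`, `approvedApplication`, `compliantApplication`) are the documented `builtInControls` values.

```powershell
# Added example (not from the Microsoft bulletin): assess exposure before the August change.
# Assumes Exchange Online PowerShell (Connect-ExchangeOnline) and the Microsoft Graph
# PowerShell SDK (Connect-MgGraph) are installed.

# Grant controls that will still bypass Exchange device access rules after the change:
# "compliant device", "approved client app" and "app protection policy" in Graph terms.
$bypassControls = @('compliantDevice', 'approvedApplication', 'compliantApplication')

function Get-CAPolicyBypassStatus {
    # One row per enabled policy, flagging whether it carries a bypassing grant control.
    # Whether the policy actually targets Exchange Online / Outlook mobile is not evaluated here.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' } |
        ForEach-Object {
            $controls = @($_.GrantControls.BuiltInControls)
            [pscustomobject]@{
                Policy           = $_.DisplayName
                GrantControls    = ($controls -join ', ')
                BypassesExchange = [bool]($controls | Where-Object { $bypassControls -contains $_ })
            }
        }
}

function Get-OutlookMobileExposure {
    # Exchange Online side: the organization default access level and every Outlook for
    # iOS/Android device with its current access state. Devices are matched on DeviceModel,
    # which is stable for Outlook mobile, rather than on DeviceId, which can change.
    $org = Get-ActiveSyncOrganizationSettings
    $devices = Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceModel -eq 'Outlook for iOS and Android' } |
        Select-Object UserDisplayName, DeviceId, DeviceAccessState, DeviceAccessStateReason
    [pscustomobject]@{
        DefaultAccessLevel = $org.DefaultAccessLevel
        OutlookDevices     = $devices
    }
}

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Policy.Read.All'

$ca = Get-CAPolicyBypassStatus
$ca | Format-Table -AutoSize

$exposure = Get-OutlookMobileExposure
# Risk condition from the bulletin: no bypassing CA policy AND default level is Block or Quarantine.
if (-not ($ca.BypassesExchange -contains $true) -and $exposure.DefaultAccessLevel -ne 'Allow') {
    Write-Warning ("Default access level is {0} and no enabled Conditional Access policy bypasses " +
        "Exchange device access rules: Outlook for iOS and Android users may be blocked or quarantined." -f
        $exposure.DefaultAccessLevel)
}
$exposure.OutlookDevices | Format-Table -AutoSize
```

The warning fires only when both halves of the bulletin's condition hold; a tenant whose default level is already Allow, or that already grants access through one of the three controls, is unaffected and the device listing is then informational.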

What you need to do to prepare:

Organizations have a few different options to prepare for this change:

  1. Implement Microsoft Endpoint Manager and one of the above grant access controls. For more information, see Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android.
  2. Create an Exchange Online device access rule that allows Outlook for iOS and Android. For more information, see Block all email apps except Outlook for iOS and Android.
  3. Manually add the user’s Outlook for iOS and Android Device ID to the user’s ActiveSyncAllowedDeviceIDs property. To obtain the Device ID, use Get-MobileDeviceStatistics. To add the Device ID to the user’s ActiveSyncAllowedDeviceIDs property, see Set-CASMailbox.
  4. Change the default access level to Allow. For more information, see Set-ActiveSyncOrganizationSettings. This change allows all mobile devices, regardless of type, to connect.
  5. Alternatively, organizations can retain their current default mobile device access level, wait for this change to take place, and manually allow each device as it is quarantined or blocked.

Important: Because Outlook for iOS and Android’s device IDs are not governed by any physical device ID, the ID can change without notice. When this happens, it can cause unintended consequences when device IDs are used for managing user devices, as existing ‘allowed’ devices may be unexpectedly blocked or quarantined by Exchange. Therefore, we recommend that administrators only set mobile device access policies for Outlook for iOS and Android that allow or block devices based on device type or device model.
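The following is an added example, not part of the Microsoft message, that carries out preparation options 2, 3 and 4 from the list above in Exchange Online PowerShell. Option 2 is written as an idempotent function that keys the allow rule on the device model string, which is the approach the Important note recommends; option 3 is included to show why a device-ID allow list is fragile for Outlook mobile. It assumes `Connect-ExchangeOnline` has already been run, and the mailbox address in the usage call is a placeholder.

```powershell
# Added example (not from the Microsoft bulletin): preparation options 2-4 as Exchange
# Online PowerShell. Assumes Connect-ExchangeOnline has already been run.

# Option 2: allow Outlook for iOS and Android by DeviceModel. The rule matches on the
# model string reported by the app, so it survives the device-ID churn described in
# the Important note. Re-running the function does not create a duplicate rule.
function Add-OutlookMobileAllowRule {
    $existing = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq 'DeviceModel' -and
                       $_.QueryString -eq 'Outlook for iOS and Android' }
    if ($existing) { return $existing }
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
        -QueryString 'Outlook for iOS and Android' -AccessLevel Allow
}

# Option 3: per-user allow by device ID, shown for completeness. Because the ID can
# change without notice, the same user may land back in quarantine later, so prefer
# the model-based rule above.
function Add-OutlookDeviceIdAllow {
    param([Parameter(Mandatory)][string]$Mailbox)
    $ids = Get-MobileDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceModel -eq 'Outlook for iOS and Android' } |
        Select-Object -ExpandProperty DeviceId
    if (-not $ids) { return @() }
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $ids }
    return $ids
}

# Option 4: set the organization default to Allow. This is the broadest change: every
# device type not matched by a rule or a per-mailbox list is then allowed to connect.
function Set-DefaultAccessAllow {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Allow
}

# Usage: the model-based rule is the one to apply; the other two are alternatives.
Add-OutlookMobileAllowRule
# Add-OutlookDeviceIdAllow -Mailbox 'alice@contoso.example'   # placeholder mailbox
# Set-DefaultAccessAllow
```

Device access rules are evaluated before the organization default, so once the model-based rule exists the default level can stay at Block or Quarantine for other clients while Outlook for iOS and Android continues to connect.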

For more information on this change, see Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile.

Additional information

QuixTec, LLC is a U.S. certified Veteran Owned, modern DevOps organization that specializes in Microsoft SharePoint, Office 365 & HTML5 technologies for small to enterprise-sized organizations. Richard has 30 years of experience working with several notable companies that include World Vision, Expedia, Microsoft, Levi Strauss, NASA, Boeing Aerospace, Los Alamos National Laboratory and the U.S. Air Force, to name a few. QuixTec is located in the Seattle area. Phone today for a free consultation and project estimate: (425) 367-9025