Upcoming Exchange Device Access and Conditional Access changes with Outlook mobile

Recently, Microsoft discovered that certain Azure Active Directory Conditional Access policies prevented Exchange Online device access rules from being applied to Outlook for iOS and Android.

For example, customers with a conditional access policy that required Multi-factor authentication (MFA) resulted in Exchange Online not processing device access rules for Outlook for iOS and Android.

Beginning in August 2020, Microsoft will roll out changes in Exchange Online to ensure that only certain Conditional Access policies bypass Exchange’s device access rules. Specifically, only Conditional Access policies configured with the following grant access controls will prevent Exchange device access rules being applied to Outlook for iOS and Android:

Require device to be marked as compliant
Require approved client app
Require app protection policy

Key Points:

Timing: Beginning of August
Action: Review and assess organizational impact

How this will affect your organization:

If you are utilizing Conditional Access policies that do not leverage the above grant access controls and have configured the mobile device access level within Exchange Online to either block or quarantine devices, users using Outlook for iOS and Android will be blocked or quarantined by Exchange Online after this change is implemented.

By default, the mobile device access level in Exchange Online is set to allow.

If you are using Conditional Access policies with the above grant access controls, your users will not be affected.

What you need to do to prepare:

Organizations have a few different options to prepare for this change:

Implement Microsoft Endpoint Manager and one of the above grant access controls. For more information, see Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android.
Create an Exchange Online device access rule that allows Outlook for iOS and Android. For more information, see Block all email apps except Outlook for iOS and Android.
Manually add the user’s Outlook for iOS and Android Device ID to the user’s ActiveSyncAllowedDeviceIDs property. To obtain the Device ID, use Get-MobileDeviceStatistics. To add the Device ID to the user’s ActiveSyncAllowedDeviceIDs property, see Set-CASMailbox.
Change the default access level to Allow. For more information, see Set-ActiveSyncOrganizationSettings. This change allows all mobile devices, regardless of type, to connect.
Alternatively, organizations can retain their default mobile device access level and wait for this change to take place and manually allow each device as they are quarantined/blocked.

Important: Because Outlook for iOS and Android’s device IDs are not governed by any physical device ID, the ID can change without notice. When this happens, it can cause unintended consequences when device IDs are used for managing user devices, as existing ‘allowed’ devices may be unexpectedly blocked or quarantined by Exchange. Therefore, Microsoft recommends administrators only set mobile device access policies for Outlook for iOS and Android that allow/block devices based on device type or device model.

Source

https://techcommunity.microsoft.com/t5/exchange-team-blog/upcoming-exchange-online-device-access-and-conditional-access/ba-p/1464261

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

Cookie	Duration	Description
_clck	1 year	No description
_clsk	1 day	No description
ApplicationGatewayAffinityCORS	session	No description available.
CLID	1 year	No description
GoogleAdServingTest	session	No description
LiSESSIONID	session	No description available.
LithiumUserInfo	past	No description
LithiumUserSecure	past	No description
LithiumVisitor	1 year	No description available.
original_req_url	past	No description
SM	session	No description available.
SRM_B	1 year 24 days	No description available.

Upcoming Exchange Device Access and Conditional Access changes with Outlook mobile

Upcoming Exchange Device Access and Conditional Access changes with Outlook mobile

Source

No Comments

Add your comment Cancel reply

Thibault CHÂTIRON

Follow Blog via Email

Recent Posts

Categories

Archives