Intune: How On-Premise Exchange Conditional Access Can Work


When controlling access to Exchange email, there are generally two ways to go about it:

  • You can allow all devices and then block them after evaluating them.
  • You can block/quarantine all devices and then allow them after evaluating them.

The second option is more secure because access to email is not granted until the user’s device is deemed compliant. Both options are enforced through Exchange Activesync Settings, commonly known as ABQ:

How are these concepts implemented in Intune? Well, although there are multiple ways to go about this, Microsoft has documented their suggested process. Let’s cover those steps.

Steps 1-3: Getting Blocked

According to Microsoft, the suggested method is to actually become quarantined/blocked on purpose. When that happens, an EAS record will be created in Intune automatically, and the Exchange server will send a notification to the user. This notification can be customized to include steps on how to enroll the device into Intune for management. Below is what the automated email could look like.

Steps 4-8: Enrollment

After getting the blocked email and following the customized instructions, the user will then be able to go through the enrollment process. For iOS and Android devices, that means downloading the Intune Company Portal app, and then authenticating with an Azure AD Account that has an Intune license applied to it. Once the user’s subscription is verified, a trust will be established between the device and the Intune servers. Once the trust is established, then the device is managed by Intune. On the backend, Intune will take the already-blocked EAS record, and merge it with a now-compliant MDM record.

Steps 9-10: Exchange Conditional Access

Intune will check all enrolled devices on a timed interval, and allow any that are compliant to access email. The interval is around 15 minutes supposedly, but this information is not made public. In order to allow a device, Intune connects to the on-premise Exchange servers via Intune Exchange Connector. Once the connection is established, powershell cmdlets are run to mark the EAS device ID as “allowed” and thus able to access Exchange email.

Alternative process

Although above is the process that Microsoft has documented, note that it is not the only way to implement access control in a corporate environment. Another process would be to have users enroll before being blocked. That way, they never get a “blocked” email, which can be confusing to some. Once enrolled and compliant, the Intune Exchange Connector can allow the EAS ID, and the user will be able to access email on their mobile device.

Leave a Reply

Your email address will not be published. Required fields are marked *