Intune: If Migrating, Don’t Worry About Those EAS Records

If you have an existing MDM solution and are migrating devices over to Intune, you might notice some EAS records being created. These will be viewable as devices, even if the user did not enroll them into Intune. Sometimes, you’ll see these EAS records being created in Intune for users that have never even installed Company Portal! What is going on here?

The answer can be found in Microsoft’s KB about Intune Conditional Access:

The Intune Exchange connector pulls in all the Exchange Active Sync (EAS) records that exist at the Exchange server so Intune can take these EAS records and map them to Intune device records. These records are devices enrolled and recognized by Intune. This process allows or blocks e-mail access.

In other words, the Intune Exchange Connector actively reads the account information of active users, and if any ActivesyncIDs are detected, Intune automatically creates a record for that ID. This happens even if the device has never touched Intune! So if you are migrating users from one MDM environment to Intune (with the Exchange Connector configured), you will most likely see these “ghost” EAS records.

If you are confused because you don’t have conditional access enabled, you aren’t alone. The thing is, this behavior will happen even if conditional access is turned off! Being “disabled” apparently doesn’t mean “completely disabled” to Microsoft.

As long as your conditional access is not enabled though, you don’t need to stress too much:

  • These “ghost” EAS records will only be created for users that have an Intune license associated with their Azure AD account. So plan out your license distribution carefully.
  • If you don’t have conditional access turned on yet, these EAS records will have no impact to the user. Further note on this, you can even delete these records with no impact, but note that Intune will just re-create them again upon another scan.
  • If the user enrolls the EAS device into Intune, it will merge the MDM and EAS records together (provided that the UPN of the user is the same too).


Intune: Using Compliance to Block Console Access

A compromised Office 365 administrator account can cause a lot of havoc within a company’s IT infrastructure. One of the ways Microsoft protects its customers is with compliance policies. Above is what you will see if you try to log into an Office 365 console without meeting compliance.

Within Azure, you can configure compliance and conditional access policies. I won’t go into deep detail about every option, but in general these policies work together to allow/block access based off device type, enrollment, and configurations. For example, you may require that any device that connects to Exchange Online must be marked as compliant within Azure.

If you suddenly are unable to log into Office 365 and get a compliance error, make sure to check your conditional access policies. You can even enable/disable each conditional access policy until you find the one causing your problem.