Does a Conditional Access policy change the Device access policy, or is Exchange with CA fragile?

Koji Uchida 21 Reputation points
2020-05-07T10:04:53.163+00:00

Hi folks,

A couple of days ago, all our tenant users who use the Outlook mobile iOS/Android app were suddenly blocked from connecting to the Exchange server.
As an admin, I looked into this issue and found some facts.

  • Our tenant has had ActiveSync disabled.
  • Mobile devices are compliant in MDM.
  • Teams and SharePoint can be accessed on the same device.
  • The problem affects only Exchange from the Outlook mobile app.
  • Most of the users who suffered from this incident suddenly received a notification mail about it.
    It said "Your device has been denied access to the server via Exchange ActiveSync because of server policies".
    But our tenant has had ActiveSync disabled for 2 years...

Even though all conditional access policies are excluded, the Outlook mobile app is still blocked.
However, I found a work-around: when I add a conditional access policy that explicitly permits access to Exchange from iOS devices without a compliant state, the Outlook mobile app can connect.
Furthermore, if I additionally add a device state condition requirement, it is blocked again.

Therefore, I am guessing that the Conditional Access policy for Exchange somehow cannot handle device state correctly.
However, as a rule, we need to restrict the device state of mobile devices.

Does anyone know what's happening in my tenant? Any advice would be greatly appreciated.

Microsoft Entra ID

1 answer

  1. Manu Philip 16,971 Reputation points MVP
    2020-05-26T19:32:51.907+00:00

    Hello @Koji Uchida ,

    I suspect the root cause of the issue is some ActiveSync policies pushed incorrectly from your mobile device management solution.

    Find ActiveSync settings of any mailbox and verify the policy applied on it through PowerShell cmdlets as below:

    Get-CASMailbox -Identity 'MailboxName' | fl ActiveSyncBlockedDeviceIDs, ActiveSyncMailboxPolicy

    Now, set the policy disabled

    Set-CASMailbox 'MailboxName' -ActiveSyncBlockedDeviceIDs $null

    Verify that it is applied (run the first command again)

    Now the device will be able to access the broken functionalities

    Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.

    Regards,

    Manu

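The answer above checks and clears `ActiveSyncBlockedDeviceIDs` on a single mailbox. The following script is an added example, not part of the original question or answer, that widens the same check to the whole tenant so an admin can see where the "denied access ... because of server policies" message actually originates: the organization-wide default access level, device access rules, per-mailbox blocked device IDs, and the `DeviceAccessStateReason` Exchange records for each device partnership. It assumes the ExchangeOnlineManagement module is installed and that the account used holds an Exchange administrator role; the `$Remediate` switch is a name chosen for this example. Everything runs read-only (`-WhatIf`) until `-Remediate` is passed.

```powershell
# Added example (not from the original post): tenant-wide ActiveSync access audit.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
# Run without -Remediate first and review the report before clearing any blocks.
param(
    [switch]$Remediate   # hypothetical switch name chosen for this example
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Organization-wide posture: the default access level (Allow/Block/Quarantine)
#    and any device access rules that match on DeviceType/DeviceModel/DeviceOS/UserAgent.
$orgSettings = Get-ActiveSyncOrganizationSettings
"Tenant DefaultAccessLevel : {0}" -f $orgSettings.DefaultAccessLevel
Get-ActiveSyncDeviceAccessRule |
    Select-Object Name, Characteristic, QueryString, AccessLevel |
    Format-Table -AutoSize

# 2. Per-mailbox check: which mailboxes carry explicit device-ID blocks, and what
#    mailbox policy / ActiveSync state they have. This is the tenant-wide form of
#    the single-mailbox Get-CASMailbox check in the answer above.
$report = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    $blocked = @($cas.ActiveSyncBlockedDeviceIDs)
    if ($blocked.Count -gt 0) {
        [pscustomobject]@{
            Mailbox           = $cas.Identity
            ActiveSyncEnabled = $cas.ActiveSyncEnabled
            BlockedDeviceIDs  = ($blocked -join ';')
            MailboxPolicy     = $cas.ActiveSyncMailboxPolicy
        }
    }
}
"Mailboxes with explicit blocked device IDs: {0}" -f @($report).Count
$report | Format-Table -AutoSize

# 3. For each affected mailbox, list the device partnerships with the reason Exchange
#    gives for the access state, so a policy block can be told apart from an
#    individual device block or a device access rule.
foreach ($row in $report) {
    "--- {0}" -f $row.Mailbox
    Get-MobileDevice -Mailbox $row.Mailbox |
        Select-Object DeviceId, DeviceType, DeviceModel, ClientType,
                      DeviceAccessState, DeviceAccessStateReason |
        Format-Table -AutoSize
}

# 4. Remediation: clear the per-mailbox block list. -WhatIf stays on until the
#    operator explicitly passes -Remediate, so a dry run only prints what would change.
foreach ($row in $report) {
    Set-CASMailbox -Identity $row.Mailbox -ActiveSyncBlockedDeviceIDs $null -WhatIf:(-not $Remediate)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 is the one worth reading before anything is cleared: if `DeviceAccessStateReason` reports a policy or a global rule rather than an individual block, step 4 will not help, and the fix belongs in the organization settings or in the MDM-pushed policy the answer suspects. Keep the dry-run output as the change record when you do run with `-Remediate`.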