question

KojiUchida-8172 asked

Does a Conditional Access policy change the device access policy, or is Exchange with CA fragile?


Hi folks,

A couple of days ago, all our tenant users who use the Outlook mobile iOS/Android app were suddenly blocked from connecting to the Exchange server.
As an admin, I looked into this issue and found the following facts.

  • Our tenant has had ActiveSync disabled.

  • The mobile device is compliant in MDM.

  • Teams and SharePoint can be accessed on the same device.

  • The problem is that only Exchange, accessed from the Outlook mobile app, is affected.

  • Most of the users who suffered from this incident suddenly received a notification mail about it,
    saying "Your device has been denied access to the server via Exchange ActiveSync because of server policies".
    But our tenant has had ActiveSync disabled for 2 years...

Even though all conditional access policies are excluded, the Outlook mobile app is still blocked.
However, I found a workaround: when I add a conditional access policy which explicitly permits access to Exchange from iOS devices without a compliant state, the Outlook mobile app can connect.
Furthermore, if I additionally add a device state condition requirement, it is blocked again.

Therefore, I am guessing that the Conditional Access policy for Exchange somehow cannot handle device state correctly.
However, as a rule, we need to restrict the device state of mobile devices.

Does anyone know what's happening in my tenant? Any advice would be greatly appreciated.

azure-active-directory

1 Answer

ManuPhilip answered

Hello @KojiUchida-8172,

I suspect the root cause of the issue is some ActiveSync policies pushed from your mobile device management solution in a wrong way.

Find the ActiveSync settings of any mailbox and verify the policy applied to it through the PowerShell cmdlets below:

 # Show the ActiveSync block list and the assigned ActiveSync mailbox policy for one mailbox
 Get-CASMailbox -Identity 'MailboxName' | Format-List ActiveSyncBlockedDeviceIDs, ActiveSyncMailboxPolicy

Now, disable the policy:

 # Clear the per-mailbox list of blocked ActiveSync device IDs
 Set-CASMailbox -Identity 'MailboxName' -ActiveSyncBlockedDeviceIDs $null

Verify that it is applied (run the first command again).

Now the device will be able to access the broken functionality.


Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution based on your suggestion.

Regards,

Manu
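The steps in the answer above cover one cause (device IDs explicitly blocked on the mailbox). The following added example, which is not part of the original answer, widens that triage to the other places Exchange Online can produce a "denied access ... because of server policies" decision: the organization-wide default access level, device access rules, the per-mailbox settings, and the per-device access state with the reason Exchange records for it. It assumes the ExchangeOnlineManagement module, an account holding the Exchange admin role, and a placeholder mailbox address; the claim that Outlook for iOS/Android reports DeviceType "Outlook" is an assumption made for this example.

```powershell
# Added example (not from the original answer): triage one mailbox's
# Exchange ActiveSync access state in Exchange Online.
# Assumptions: ExchangeOnlineManagement module is installed, the caller holds
# the Exchange admin role, and $Mailbox is a placeholder address.
param(
    [Parameter(Mandatory)] [string] $Mailbox,   # e.g. 'user@contoso.example' (placeholder)
    [switch] $ClearBlockedDevices                # opt in to clearing the mailbox block list
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Org-wide default: a 'Block' or 'Quarantine' default access level denies any
#    device that matches no allow rule, independent of the MDM compliance state.
$org = Get-ActiveSyncOrganizationSettings
'Org default access level : {0}' -f $org.DefaultAccessLevel

# 2. Device access rules. Outlook for iOS/Android is assumed here to report
#    DeviceType 'Outlook'; a rule keyed on that characteristic would hit it.
Get-ActiveSyncDeviceAccessRule |
    Select-Object Name, Characteristic, QueryString, AccessLevel |
    Format-Table -AutoSize

# 3. Per-mailbox settings: is ActiveSync enabled, which policy applies,
#    and are there explicit allow/block lists on the mailbox.
$cas = Get-CASMailbox -Identity $Mailbox
$cas | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy,
                   ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 4. Per-device state and the reason Exchange recorded for it.
#    DeviceAccessStateReason distinguishes a Global (org default), DeviceRule,
#    Policy or Individual (mailbox block list) decision, which is the detail the
#    "denied access ... because of server policies" mail does not include.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceType, DeviceModel, DeviceId, DeviceAccessState,
                  DeviceAccessStateReason, LastSuccessSync |
    Format-Table -AutoSize

# 5. Remediation only for the case the answer targets: an explicit block list
#    on the mailbox. A Global or DeviceRule reason needs a change to the org
#    default or the rule instead, and a Conditional Access block is not visible here.
if ($ClearBlockedDevices -and $cas.ActiveSyncBlockedDeviceIDs.Count -gt 0) {
    'Clearing {0} blocked device ID(s) on {1}' -f $cas.ActiveSyncBlockedDeviceIDs.Count, $Mailbox
    Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs $null
    # Re-read the mailbox to confirm the list is now empty.
    (Get-CASMailbox -Identity $Mailbox).ActiveSyncBlockedDeviceIDs
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it read-only first (without -ClearBlockedDevices) and read step 4 before changing anything: if DeviceAccessStateReason is Global or DeviceRule, clearing the mailbox block list changes nothing, and if the device never reached Exchange at all the block is upstream in Conditional Access and does not appear in this output.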
