Use conditional access with Microsoft Intune

This solution lets you use conditional access in Intune to help secure email and other services depending on conditions you specify.

See Restrict access to email and O365 services with Microsoft Intune for more information about how you can use the conditional access feature with Intune.

Tip

Get a downloadable copy of this entire topic at the TechNet Gallery.

Before you begin

You can control access to Exchange Online and Exchange on-premises from the following mail apps:

  • The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later

  • The built-in app for iOS 7.1 and later

  • The built-in app for Windows Phone 8.1 and later

  • The mail application on Windows 8.1 and later

  • The Microsoft Outlook app for Android and iOS (for Exchange Online only)

Before you start using conditional access, ensure that you have the correct requirements in place.

For Exchange Online

Conditional access to Exchange Online supports devices that run:

  • Windows 8.1 and later (when enrolled with Intune)

  • Windows 7.0 or later (when domain joined)

  • Windows Phone 8.1 and later

  • iOS 7.1 and later

  • Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally, devices must be registered with the Azure Active Directory Device Registration Service (AAD DRS).

AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.

  • You must use an Office 365 subscription that includes Exchange Online (such as E3) and users must be licensed for Exchange Online.

  • The optional Microsoft Intune service to service connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune). You do not need to use the connector to use compliance policies or conditional access policies, but is required to run reports that help evaluate the impact of conditional access.

    If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the Office console but are not set as default policies and do not affect devices.

    Important

    Do not configure the service to service connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.

    Now you are ready to learn how to deploy Exchange Online with Intune.

For Exchange Server on-premises

Conditional access to Exchange on-premises supports:

  • Windows 8 and later (when enrolled with Intune)

  • Windows Phone 8 and later

  • Any iOS device that uses an Exchange ActiveSync (EAS) email client

  • Android 4 and later

Additionally:

  • Your Exchange version must be Exchange 2010 or later. Exchange server Client Access Server (CAS) configuration is supported.

    Tip

    If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to any one of the CAS servers.

  • Exchange ActiveSync can be configured with certificate based authentication, or user credential entry.

  • You must use the on-premises Exchange connector which connects Intune to Microsoft Exchange Server on-premises. This lets you manage devices through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune).

    Important

    Make sure that you are using the latest version of the on-premises Exchange connector. The on-premise Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant. You should also ensure that the exchange connector for your tenant is installed on exactly one machine and not on multiple machines.

    Now you are ready to learn how to deploy Exchange Server on-premises with Intune.