Create a conditional access policy for Exchange on-premises and legacy Exchange Online Dedicated
This article shows you how to configure conditional access for Exchange on-premises based on device compliance.
If you have an Exchange Online Dedicated environment and need to find out whether it is in the new or the legacy configuration, please contact your account manager. To control email access to Exchange on-premises or to your legacy Exchange Online Dedicated environment, configure conditional access to Exchange on-premises in Intune.
Before you begin
Before you can configure conditional access, verify the following:
Your Exchange version must be Exchange 2010 SP1 or later. Exchange server Client Access Server (CAS) array is supported.
You must use the Exchange Active Sync on-premises Exchange connector, which connects Intune to on-premises Exchange.
The on-premises Exchange connector is specific to your Intune tenant and cannot be used with any other tenant. Intune now supports multiple on-premises Exchange connectors per subscription. If you have more than one on-premises Exchange organization, you can set up a separate connector for each Exchange organization.
The connector for an on-premises Exchange organization can be installed on any machine as long as that machine is able to communicate with the Exchange server.
The connector supports Exchange CAS environment. You can technically install the connector on the Exchange CAS server directly if you wish to, but it is not recommended, as it increases the load on the server. When configuring the connector, you must set it up to communicate to one of the Exchange CAS servers.
Exchange ActiveSync must be configured with certificate-based authentication, or user credential entry.
When conditional access policies are configured and targeted to a user, before a user can connect to their email, the device they use must be:
- Either enrolled with Intune or is a domain joined PC.
- Registered in Azure Active Directory. Additionally, the client Exchange ActiveSync ID must be registered with Azure Active Directory.
Azure AD Device Registration Service (DRS) is activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service do not see registered devices in their on-premises Active Directory. This does not apply to Windows PCs and Windows Phone devices.
Compliant with device compliance policies deployed to that device.
If the device does not meet conditional access settings, the user is presented with one of the following messages when they sign in:
- If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is displayed with instructions about how to install the Company Portal app, enroll the device, and activate email. This process also associates the device's Exchange ActiveSync ID with the device record in Azure Active Directory.
- If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal website, or the Company Portal app where they can find information about the problem and how to remediate it.
Support for mobile devices
- Windows Phone 8.1 and later
- Native email app on iOS.
- EAS mail clients such as Gmail on Android 4 or later.
- EAS mail clients Android work profile devices: Only Gmail and Nine Work for Android Enterprise in the work profile are supported on Android work profile devices. For conditional access to work with Android work profiles, you must deploy an email profile for the Gmail or Nine Work for Android Enterprise app, and also deploy those apps as a required installation.
Microsoft Outlook for Android and iOS is not supported via the Exchange on-premises connector. If you want to leverage Azure Active Directory Conditional Access policies and Intune App Protection Policies with Outlook for iOS and Android for your on-premises mailboxes, please see Using hybrid Modern Authentication with Outlook for iOS and Android.
Support for PCs
The native Mail application on Windows 8.1 and later (when enrolled with Intune)
Configure Exchange on-premises access
Go to the Azure portal, and sign in with your Intune credentials.
Go to Intune > Exchange access, and then select Exchange On-premises access.
On the Exchange on-premises access pane, choose Yes to Enable Exchange on-premises access control.
Choose All services from the left menu, then type Intune in the text box filter.
Choose Intune, you see the Intune Dashboard.
Choose On-premises access. The On-premises access pane shows the status of the conditional access policy and the devices that are affected by it.
Under Manage, choose Exchange on-premises access.
On the Exchange on-premises access pane, choose Yes to enable Exchange on-premises access control.
If you have not configured an Exchange Active Sync on-premises connector, this option is disabled. You must first install and configure at least one connector before enabling conditional access for Exchange on-premises. For more details, see Install the Intune On-premises Exchange Connector
Under Assignment, choose Groups Included. Use the security user group that should have conditional access applied to it. This action would require the users to enroll their devices in Intune and be compliant with the compliance profiles.
If you want to exclude certain groups of users, you can do so by choosing Groups Excluded and selecting a user group that you want to be exempt from requiring device enrollment and compliance.
Under Settings, choose User notifications to modify the default email message. This message is sent to users if their device is not compliant and they want to access Exchange on-premises. The message template uses Markup language. You can also see the preview of how the message looks as you type.
To learn more about Markup language see this Wikipedia article.
On the Advanced Exchange Active Sync access settings pane, set the global default rule for access from devices that are not managed by Intune, and for platform-level rules as described in the next two steps.
For a device that is not affected by conditional access or other rules, you can choose to allow it to access Exchange, or block it.
- When you set this to allow access, all devices are able to access Exchange on-premises immediately. Devices that belong to the users in the Groups Included, are blocked if they are subsequently evaluated as not compliant with the compliant policies or not enrolled in Intune.
- When you set this to block access, all devices are immediately blocked from accessing Exchange on-premises initially. Devices that belong to users in the Groups Included get access once the device is enrolled in Intune and is evaluated as compliant. On Android devices that do not run Samsung Knox standard is always blocked as they do not support this setting.
Under Device platform exceptions, choose Add to specify the platforms. If the unmanaged device access setting is set to blocked, devices that are enrolled and compliant are allowed even if there is a platform exception to block. Choose Ok to save the settings.
On the On-premises pane, click Save to save the conditional access policy.
Create Azure AD Conditional access policies in Intune
Conditional Access is an Azure Active Directory (Azure AD) technology. The Conditional Access node accessed from Intune is the same node as accessed from Azure AD.
You need to have an Azure AD Premium license to create Azure AD conditional access policies from the Intune Azure portal.
To create a conditional access policy
In the Intune Dashboard, select Conditional access.
In the Policies pane, select New policy to create your new Azure AD conditional access policy.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.