How to configure email settings in Microsoft Intune

Email profiles can be used to configure devices you manage with the settings necessary to connect to and synchronize with company email. This can help ensure that settings are standard across all of your devices, and also help to reduce support calls from end users who do not know the correct email settings.

The built-in mail client is supported for most platforms. Most third-party email apps are not currently supported.

You can use email profiles to configure the native email client on the following device types:

  • Android Samsung Knox Standard 4.0 and later
  • Android work profile devices
  • iOS 8.0 and later
  • Windows Phone 8.1 and later
  • Windows 10 (desktop) and Windows 10 Mobile

Use the information in this article to learn the basics about configuring an email profile, and then read further topics for each platform to learn about device specifics.

Create a device profile containing email settings

  1. Sign into the Azure portal.
  2. Choose All services > Intune. Intune is located in the Monitoring + Management section.
  3. On the Intune pane, choose Device configuration.
  4. On the Device configuration pane under the Manage section, choose Profiles.
  5. On the profiles pane, choose Create profile.
  6. On the Create profile pane, enter a Name and Description for the email profile.
  7. From the Platform drop-down list, select the device platform to which you want to apply email settings. Currently, you can choose one of the following platforms for email device settings:
    • Android (Samsung Android Knox Standard only)
    • Android enterprise
    • iOS
    • macOS
    • Windows Phone 8.1
    • Windows 8.1 and later
    • Windows 10 and later
  8. From the Profile type drop-down list, choose Email.
  9. Depending on the platform you chose, the settings you can configure are different. Go to one of the following topics for detailed settings for each platform:
  10. When you're done, go back to the Create profile pane, and hit Create.

The profile will be created and appears on the profiles list pane. If you want to go ahead and assign this profile to groups, see How to assign device profiles.

Further information

Remove an email profile

If you want to remove an email profile from a device, edit the assignment and remove any groups of which the device is a member. You cannot remove an email profile in this way if it is the only email profile on a device.

Securing email access

You can help secure email profiles using one of two methods:

  1. Certificates - When you create the email profile, you choose a certificate profile that you have previously created in Intune. This is known as the identity certificate, and is used to authenticate against a trusted certificate profile (or a root certificate) to establish that the user’s device is allowed to connect. The trusted certificate is assigned to the computer that authenticates the email connection, typically, the native mail server. For more information about how to create and use certificate profiles in Intune, see How to configure certificates with Intune.
  2. User name and password - The user authenticates to the native mail server by providing their user name and password. The password is not contained in the email profile, so the user needs to supply this when they connect to email.

How Intune handles existing email accounts

If the user has already configured an email account, the result of the Intune email profile assignment depends on the device platform:

  • iOS: An existing, duplicate email profile is detected based on host name and email address. The duplicate email profile blocks the assignment of an Intune profile. In this case, the Company Portal informs the user that they are not compliant and prompts the user to remove the manually configured profile. To help prevent this problem, instruct your users to enroll before installing an email profile, which allows Intune to set up the profile.
  • Windows: An existing, duplicate email profile is detected based on host name and email address. Intune overwrites the existing email profile created by the user.
  • Android Samsung Knox Standard An existing, duplicate email profile is detected based on the email address, and overwrites it with the Intune profile. Since Android does not use host name to identify the profile, we recommend that you not create multiple email profiles to use on the same email address on different hosts, as these overwrite each other.
  • Android work profiles Intune provides two Android work profile email profiles, one for each of the Gmail and Nine Work email apps. These apps are available in the Google Play Store, and install in the device work profile, so they can't result in duplicate profiles. Both apps support connections to Exchange. To enable the email connectivity, deploy one of these email apps to your users' devices, and then create and deploy the appropriate email profile. Email apps such as Nine Work might not be free. Review the app’s licensing details or contact the app company with any questions.

Update an email profile

If you make changes to an email profile you previously assigned, end users might see a message asking them to approve the reconfiguration of their email settings.