Protect Office 365 Exchange Online without requiring device management

If you want to give employees access to their work email without the overhead of setting up a device management system, you can. You can give access to Office 365 Exchange Online through Intune. To complete the necessary steps, confirm you have licenses for Microsoft 365, or Azure Active Directory (premium) and Intune. Employees need to have a supported iOS or Android device.

If you decide to set up a device management system, you can. This type of app protection works independently of device management.

Action plan

  1. Learn about conditional access.
  2. Learn about app-based conditional access.
  3. Set up app-based conditional access policies for Exchange Online.
  4. Block apps that cannot be managed, specifically apps that do not use the Azure Active Directory Authentication Library (ADAL).
  5. (Optional) Set up app-based conditional access policies for SharePoint Online. These policies block access to your company data from apps that cannot be managed and secured. The policies also limit access through SharePoint mobile.

What to tell employees and students

  • Ask your employees and students to download and install Microsoft Outlook or Microsoft SharePoint for iOS from the Apple App Store or for Android from the Google Play Store.
  • If you block access to apps that do not use modern authentication, let the employees and students know of this restriction.

Next steps

You have used app-based conditional access to increase the security of company data. As part of next steps, you can learn more about the other ways you can increase the protection of your company's data, including:

Want help enabling this or other EMS or Office 365 scenarios? If you have at least 150 licenses for Microsoft 365, Enterprise Mobility + Security, or Azure Active Directory Premium, use your FastTrack benefits.