The last couple of weeks I had the privilege to test a feature that has just been announced today for release to Microsoft Intune: conditional access to Outlook Web App and SharePoint Online web access for mobile devices. (Conditional access for web services like OWA and SharePoint on Windows, both mobile and PC, is coming up and still in preview.)
So basically, when a device is not enrolled and/or not compliant, Outlook Web App and SharePoint Online web access cannot be reached from browsers on that device. Until now this was a major hole in the conditional access story of Exchange Online and SharePoint Online: a device that could not pass the ActiveSync or app check could still open the same mailbox or site in a plain browser.
So what is the story?
By enabling the new conditional access features in the Exchange Online and SharePoint Online conditional access policies you are able to block browser access to the service when a device is not enrolled, or is enrolled but not compliant.
Let’s see what this looks like for Exchange Online. First enable the option Block non-compliant devices on the same platform as Outlook, as shown below.
For Android devices you need to go into the Company Portal to enable Browser Access; this option installs the Work Account certificate on the device. This step is only needed for Android, but there it is required: without it you will be bothered with certificate messages while accessing the web services that are now controlled by Intune conditional access.
Note: would be nice that an Intune Admin is able to force the installation of the Microsoft Work Account automatically, or that the cert is installed automatically when the service is configured.
After enabling this feature, when accessing http://outlook.office.com via for instance Google Chrome on an Android device that is not enrolled or not compliant, the message "Your organization needs you to beef up your security" is shown. Notice that while trying to get access the browser is redirected to https://device.login.microsoftonline.com, which checks in Azure AD whether the device is enrolled and compliant.
After enrolling the device, or making sure that the device is compliant according to your compliance policies, you will have access to, in this case, Outlook Web App.
Enabling conditional access for SharePoint Online works the same way: it is easy to configure (as shown below) and the user experience is the same.
Conditional access for browsers is available for the following browsers; other browsers will be blocked.
- Safari (iOS)
- Chrome (Android)
When protecting data, the next step is to force the use of the Managed Browser to access the web services, since the Managed Browser can also be managed via the Mobile Application Management policies. Restricting access to traffic coming from the Managed Browser can be done for instance with Active Directory Federation Services, allowing only the Managed Browser to be used while accessing Outlook Web App and SharePoint Online web access. More on this in a later blog which is coming up tomorrow. 🙂
Only strange that the Intune Managed Browser is not supported in the Conditional Access scenario or is this supported?
Would be nice if CA for W7/8.1/10 Desktop and W8.1/10 Mobile is coming back soon!
Hopefully with some extra options for exclusions like with external IP.
While testing this earlier when the CA for Windows was available in my tenant it blocked all access from Citrix if I enabled CA for Windows. Srv2012 Citrix servers are not able to AAD DRS join, so are never compliant, and for VDI this is also a bit hard if it is a non-persistent VDI to auto register in Azure AD.
And how do you see this for external contractors?
They do need to enroll their own device/get a device from the company if CA for all OSs would be enabled.
Hopefully we get some more configuration options for all the scenarios.