In this part of the series around using both Device and App Conditional Access for securing Exchange Online I’m focusing on providing a user self-service solution to choose between ActiveSync or MAM Managed Exchange Online access. In the first part of the series I focused on securing Exchange Online Browser and ActiveSync access and in the second part I focused on securing App access to Exchange Online. After both blogposts the conclusion was that Device and App Conditional Access cannot co-exists in the scenario where we want to secure ActiveSync connections and provide Outlook App access to not-MDM enrolled mobile devices. Based on the tests and the documentation the user need to choose between using ActiveSync or using the Outlook App (not-enrolled). In this blogpost I want to share a solution where the user can choose between the scenarios using self-service.

Before we can configure this scenario we need to define a default scenario for all users. The solution will give the user the possibility to choose to override this and configure the other scenario. You’ve to choose between the following scenarios:

1. Give users the possibility to configure the Outlook App on both MDM enrolled and not-MDM enrolled devices and block ActiveSync connections to Exchange Online;
2. Give users the possibility to configure the Outlook App and ActiveSync connections on MDM enrolled devices. Non-MDM enrolled devices will not have access to Exchange Online.

I prefer option 1 because in that scenario we can enforce MAM policies through Intune on the use of the Outlook App. If users cannot work with this default scenario they could activate scenario 2 but then the user need to enroll his devices to Intune. So I’m starting with configuring the first scenario as my standard configuration:

1. Open the Azure portal (https://portal.azure.com) and open Intune App Protection;
2. Go to the App Policy section and check if you’ve configured a MAM policy for the supported mobile platforms iOS and Android. Check if in this policies the Outlook app is check as Targeted Apps:
   

3. Now go to the Conditional Access section in Intune App Protections and active the setting Allow apps that support Intune App policies and click on Save

   

4. In the restricted user groups setting configure a group with all your users:

   

Now scenario 1 is configured for all users and enforced on all users. Next step is to focus on providing a self-service solution for users to switch from scenario 1 to scenario 2.

1. The first step is to enable AzureAD Group Self-service within AzureAD. Go to Group Settings and configure the settings below:
   

2. Next step is to create an Azure AD Group in the Azure AD section of the portal and add your admin account as owner;

   

   Add Owner:

   

3. Next step is to configure the approval settings of the Azure AD Group. When logged in as owner go to https://myapps.microsoft.com and go the properties of the group. Click on Edit Details:

   

4. Based on your requirements choose the right approval level and save the group:

   

5. Now we have configured this group so that users can add themselves to the group. Next step is to add this group to the excluded groups in the App Conditional Access. Go to the Intune App Protection section in the Azure Portal and open the Exchange Online Conditional Access Policies. Add the group to the Exempt user groups.

   

With this configuration the users member of this group will be exempt from App Conditional Access. But since we’ve still configured Devices Conditional access from part 1 of this blogpost the users still needs to enroll his devices. Now let’s check how this process is for the user:

First the user receives a message to enroll his device to use ActiveSync:

After the enrollment the user is forced to use the Outlook App:

So this was expected behavior, now let’s go https://myapps.microsoft.com and add this use to the Exempt group. Search for the group and click on Join Group:

Enter a Business Justification and click on Request:

And after the processing the user will be approved and added to the group:

When we now go back to the phone ActiveSync should start to work:

And as final test the user can remove himself from the group:

And then the Intune App Conditional Access will be enforced automatically (note this can take some time, in my case 4 hours):