Scenario: Using both Intune Device and App Based Conditional Access – conclusion


Last week I visited IT/DEV Connections in San Francisco.  During this week I visited some great sessions and I talked to some great people. During the last day I visited the sessions of Simon May (PM within the Intune team of Microsoft). I discussed the Conditional Access scenario where I wanted to combine both App and Device Based Conditional Access. During this discussion we together both concluded that this scenario must now be possible. With this blogpost I want to provide an update on this scenario.

Basically the scenarios I wanted to achieve was the following:

  1. Users can only use MAM capable apps for accessing Office365 services when the device is not enrolled and managed with Intune.
  2. Users can use both Inbox Apps (ActiveSync) and MAM capable apps for accessing Office365 services when the device is enrolled and managed with Intune.

The user should be able to use both scenarios on different devices. When I tested this scenario for the first time it was not possible to use both App and Device Based Conditional Access together. So I was not able to achieve the scenario without additional configuration. You can read my results in these blogposts: Part 1, Part 2 and Part 3.

So with this blogpost I want to check if it’s possible to configure this with the current AzureAD Conditional Access policies. The ‘Require approved client app’ functionality which is in preview should make the difference compared to my earlier tests. So let’s configure the policy in the Azure portal:

  1. First disable the ‘old’ App Based Conditional Access policies if enabled in the Intune App Protection section.
  2. Now go to the Azure Active Directory section within the Azure Portal and go to Conditional Access.
  3. Edit the Conditional Access policy which has the condition Client Apps > Mobile Apps and Desktop Clients. Enable in Access Control section the preview feature: Require approved client app (preview) and check if the option: Require one of the selected controls is selected:
  4. Save the policy.

Now it’s time to test both of the scenarios:

Use Office365 Exchange Online with MAM capable apps without enrolling the Device:

Active Sync:

After configuring the Android MailApp with my ActiveSync no mail is arriving and instead this message is displayed in my mailbox:


Outlook App:

When adding the account to the Outlook App the App asks to register the device in AzureAD:


When registered the App asks for a PIN based on the MAM policy:


After configuring the PIN the mailbox will be loaded in the Outlook App:


The MAM policy enforcement is also visible within the Azure Portal:


When checking the devices of the test user the device is added but not managed by MDM:


Use Office365 Exchange Online on a enrolled Device:

Active Sync:

After enrolling the device the mail can be synced and becomes available on my mobile device:


During my tests there was no change in the Outlook App behavior.


With above change in the Conditional Access policy for Apps we can offer the user the choice to either enroll their device and using ActiveSync connections/ Outlook App or not enroll their device and only use the MAM capable Outlook App. Great to see that this option is back with this new preview functionality!

2 thoughts on “Scenario: Using both Intune Device and App Based Conditional Access – conclusion

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.