Microsoft Intune and Conditional Access in a Co-management scenario

Introduction

Last week I gave an example on how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example on how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this based on a computer co-managed with both Microsoft Intune and Configuration Manager.

So basically; no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.

Read more…

Restrict access to Exchange Online using Microsoft Intune (and only grant access to company enrolled devices using the Outlook app)

Introduction

Long title, but that’s actually what this post is going to cover; how you can secure the access to company e-mail accounts and only allow access to such, if coming from an enrolled (compliant) Intune device and that device uses the Outlook app.

In this scenario, we only uses iOS devices and of such only allow enrollment of iOS devices, but this can of course be android and Windows as well. Everything in this post is achievable with the use of Microsoft Intune and Conditional Access in Azure. Curious? Read on 🙂

Read more…

How to renew Apple Push Certificate in Microsoft Intune standalone

Introduction

I have previously done a short post on how to renew the Apple Push Certificate when having Intune integrated with Configuration Manager (Hybrid). Since then, I’ve changed the MDM authority to Intune standalone and therefore the procedure changes slightly. Again, this is taken directly from an production environment and my certificate was due to expire in roughly 30 days. For the curious, this is the exact steps I went through to renew our Apple Push Certificate in Microsoft Intune standalone.

Picture of the front page of the Apple Push Certificate portal

Read more…

How to Conditional Access for Exchange Online OWA (Webmail) using Intune

Introduction

While brewing on a much more detailed post on how I moved my devices from Intune Hybrid with ConfigMgr to Intune standalone, I thought I’d share how you can offer webmail for your users, while requiring MFA (Multifactor Authentication) if not coming from a company device, using Conditional Access.

In this post I will only cover the actual steps in Intune, but for this to work, you will have to have your Windows devices registered with Azure AD. There will be some requirement for your on-prem AD and for your ADFS, if that’s how you federate with Azure/O365. These requirements are explained in details in this Microsoft article: https://docs.microsoft.com/da-dk/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup

Configuration

  • Intune is now fully accessible through the Azure portal on https://portal.azure.com/ – head over there and sign in
  • When signed in, look for More services in the menu and search for Intune

  • In the Intune section of the Azure portal, click on the Conditional Access menu button

  • Create a new Conditional Access policy on New policy and give it a name f.i. Conditional Access – OWA

  • Assign the new CA policy to a group consisting of users. For your inspiration, I’m syncing an on-premise security group consisting of users already assigned an EMS license, as Conditional Access in Intune requires an EMS license. This will probably vary depending on your needs, setup and design goals, but I recommend that there is some synergy between whom is assigned EMS licenses, and whom you are targeting with policies in Intune (for the sake of doing proper IT 🙂

  • Select Exchange Online in Cloud apps

  • As conditions, make sure that all device platforms are selected (as we’d like to target any browser on any platform) and select Browser in the Client apps menu.

  • In Access controls, select 1) Require MFA, 2) Require device to be compliant and 3) Require domain joined (hybrid Azure AD) and select that only one of these controls needs to be satisfied. Doing exactly this configuration, will make sure that if you are coming from a private device (hence not compliant and not domain joined) will trigger MFA when accessing webmail. On the other hand, coming from an Intune enrolled AND compliant device OR a domain joined PC will not require MFA.

Finally

Before enabling the policy, I recommend that you take a closer look at the new preview feature for Conditional Access, WhatIf. It will let you know the impact of your new CA policy by setting the desired conditions. It will also tell you, if you have configured any legacy CA policies in the old silverlight Intune portal which might interfere with your new CA policies.

Now, when signing into https://outlook.office365.com from my private computer, I’m required to approve the sign in request through my prefered MFA method.

Enjoy your new Conditional Access policy requiring MFA when signing into webmail (OWA) on a private device. 🙂