I wanted to confirm if this is correct behavior. All Intune work is done in the new Azure portal.
- I have a user with only an O365 E3 license assigned (not EMS)
- Exchange Online is used.
- I have O365 MDM enabled, as well as Intune as an MDM provider.
- I have an Intune Conditional Access policy to only allow MAM enabled apps, as well as a MAM Outlook policy to require PIN.
- The Intune CA and MAM policies are deployed to a group, which contains the user above without an EMS license.
- The user's phone is Android 4.4 and not enrolled (BYOD)
The user attempts to access Exchange Online using the Outlook app. My assumption was that the user would hit the Intune CA policy and it would not apply due to the user having no EMS license, and instead be directed to O365 MDM and be prompted to enroll the device for access.
Instead, the Intune CA appears to let the user through as they are using the Outlook app, but then the MAM policy does not apply due to the license restriction. The effect is that the user is granted access on a personal phone without having to adhere to MAM policies. The only way I could get it to work is to make sure the user is not in the group targeted by the CA and MAM policy.
It would be better if this was taken care of automatically by the Intune CA policy not applying at all, like the MAM policy does. Is this expected behavior? It is easy enough to resolve with process by ensuring users are not added to an Intune CA group but I want to make sure I'm not doing something wrong!
- Edited by legionx Tuesday, March 21, 2017 12:31 AM
Firstly, please note that the MAM-based CA policies require Azure AD Premium or EMS licenses to take effect, so in your scenario the CA policies will not apply to this user because this account has only been assigned an Office 365 E3 license. Also, MAM policies will not apply to this user, as you understood.
If you want your Office 365 E3-only licensed user to be managed via Office 365 MDM instead of getting access directly to the corporate mail, you should not add this user to the target group of the MAM CA policies in the Azure portal. Additionally, you need to apply the Office 365 Device Security Policies to the group which includes this user. After configuring this, this user should get an enrollment prompt when attempting to connect with the Outlook app. If you also want to enforce that this user signs in using the Outlook app, you can define the Exchange ActiveSync access rule to only allow access from the Outlook client instead of the MAM CA policy.
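The gap described in this thread (a user placed in the Intune CA/MAM target group without an EMS or Azure AD Premium license, so the CA policy passes the Outlook app but no MAM policy is applied) is easy to catch with a periodic membership-versus-license audit. The script below is an added example, not from the thread or from Microsoft; it assumes the AzureAD PowerShell module with an existing Connect-AzureAD session, and the group name is a placeholder.

```powershell
# Added example (not from the thread): list members of the CA/MAM target group that lack a
# provisioned Azure AD Premium service plan, i.e. users who would get through the Intune CA
# policy in the Outlook app without any MAM policy being enforced.
# Assumes: AzureAD module loaded and Connect-AzureAD already run.
param(
    [string]$GroupDisplayName = "MAM-Outlook-Users"   # placeholder name, constructed for this example
)

$group = Get-AzureADGroup -Filter "DisplayName eq '$GroupDisplayName'"
if (-not $group) { throw "Group '$GroupDisplayName' not found." }

# -All $true returns every direct member; nested groups are not expanded here.
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

$report = foreach ($user in $members) {
    $details = Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId
    $plans   = $details | ForEach-Object { $_.ServicePlans }

    # EMS and Azure AD Premium SKUs carry the AAD_PREMIUM / AAD_PREMIUM_P2 service plans
    # (assumed plan names; verify against Get-AzureADSubscribedSku in your tenant).
    # Only count a plan that is actually provisioned, not one that is pending or disabled.
    $hasAadPremium = [bool]($plans | Where-Object {
        $_.ServicePlanName -like 'AAD_PREMIUM*' -and $_.ProvisioningStatus -eq 'Success'
    })

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Skus              = ($details.SkuPartNumber -join ',')
        HasAadPremium     = $hasAadPremium
    }
}

# Flagged members are the case from the thread: in the CA target group but licensed only for
# Office 365 (e.g. ENTERPRISEPACK), so they should be removed from the group and left to
# Office 365 MDM and the Exchange ActiveSync access rule instead.
$report | Where-Object { -not $_.HasAadPremium } | Format-Table -AutoSize
```

Run it on a schedule and alert on any non-empty result so the "process" fix the original poster describes does not depend on someone remembering it.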