locked
[Case Sharing] Only allow mobile Outlook app to access email without install Intune Company Portal app RRS feed

  • General discussion

  • This post explains how to only allow mobile Outlook app to access email without install Intune Company Portal app.

    Issue description

    How to only allow mobile Outlook app to access email without install Intune Company Portal app

    Analysis

    For app-based Conditional access policy (ie. Require approved client apps or required app protection policy), the current design is that iOS and Android devices must install a “broker app”. Ie. Authenticator on iOS and Company Portal on Android.

    The broker app starts the Azure AD registration process, which creates a device record in Azure AD. This isn't the same as the mobile device management (MDM) enrollment process, but this record is necessary so the Conditional Access policies can be enforced on the device.

    The broker app verifies the identity of the app. There’s a security layer so the broker app can validate if the app is authorized for use by the user.

    Therefore, to enforce all users to only use Outlook app to access email, you will need to use conditional access policy to block other sign-ins outside Outlook mobile apps.

    Resolution

    You need 2 conditional access policies if you intend users to use Outlook mobile to access email, while no browser access on mobile is allowed.

    1. Require approved client apps for mobile apps

    2. Block browser access.

    Reference

    How Company Portal is mandatory for MAM policy:

    https://docs.microsoft.com/en-us/intune/apps/app-protection-policy#supported-platforms-for-app-protection-policies

    How app-based Conditional Access works:

    https://docs.microsoft.com/en-us/intune/protect/app-based-conditional-access-intune#how-app-based-conditional-access-works


    Hope the above information can be helpful. If you need further assistance on this issue, feel free to post a question via clicking "Ask a question" at the top left of this page, we will try our best to help you!


    • Edited by ForumFAQ Monday, February 3, 2020 8:59 AM
    Monday, February 3, 2020 8:58 AM