Call us: (407) 567-0096
Open a ticket
Chat with us
USA flag German flag Spanish flag
BLOG Published on 2018/09/30 by Asitha De Silva in Tech-Tips

Securing Office 365 Email access in BYOD Scenarios using Intune MAM polices and Conditional Access

Microsoft Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device while helping to keep corporate information secure. It is a Mobile Device Management Solution (MDM) which comes with the Enterprise Mobility Suite.

If you pursuit my previous blog posts, I have talked about Enterprise mobility suit, Intune and Intune mobile management policies. From this post I’m hoping to discuss, how to secure corporate Office 365 emails access in BYOD or Manage device scenarios.

To enable these security options, you need to have Intune and Azure Active directory conditional access policies.

Intune App Protection policy’s

Intune App protection policy enables you to protect data on device applications. You can define the apps and set of policies to control the actions. These protected apps are called managed apps. You can define policies such as prevent cut, copy, save as, screen capture, also you can allow data transfer only within the managed apps. As an example, if the policy targeted to Outlook and Word when you get an MS Word attachment through email, you can only open it using Microsoft Word and cannot move data beyond that.

Azure Active directory conditional access

With Azure AD conditional access, you can fine-tune how authorized users can access your resources. For example, you can limit the access to your cloud apps to trusted devices. When you configure app-based conditional access policies, you can limit access to your cloud apps to client apps that support Intune app protection policies. For example, you can restrict access to Exchange Online to the Outlook app.

Securing Office 365 mail – Scenario

As described above, we will use these two features to achieve the following

  1. Intune App protection policies will restrict following features in Outlook and other managed apps
    • Restrict cut, copy, and paste with other applications.
    • Require simple PIN to access Outlook and other manage apps
    • Prevent Save as to Device, OneDrive can be configured to save
    • Block screen capture – Android Only
    • Block managed apps from running on jailbroken or rooted
    • Encrypt app data
    • Prevent cloud backups
  2. Conditional access will prompt the user to enroll the device to Intune before configuring email to it.
  3. Conditional access will restrict access of Exchange Online only to the Outlook app. Or else native Exchange active sync apps will not honor the Intune App Protection policies.

Configuring Intune Protection Policies to restrict access

  1. Log in to the Azure Portal – Intune – Client apps – App protection policies
  2. Add Policy, select platform from iOS, Android or Windows


  3. Select the apps (Manage apps) where you want to add data protection


  4. Select the settings as below, these are the basic settings, however, you can secure more
    • Prevent cloud backups
    • Allow apps to transfer data to other apps – Policy Managed Apps
    • Prevent save as – Only to OneDrive
    • Restrict cut, copy, paste with other apps – Policy Managed Apps
    • Encrypt app data – Yes
    • Require PIN access
       

  5. Save and target the policy to a group of users


  6. Sync the user from portal to test the policy or wait few hours for it to get applied.


Configuring Conditional access policies to allow only enroll devices and Outlook App can access corporate Office 365 emails

  1. Log in to the Azure portal – Intune – Conditional access – New Policy
  2. Name the policy and select the user group should be assigned
  3. From cloud apps select Office 365 Exchange online


  4. From the conditions tab select the following
    • Device platform – select Android and iOS if you want to apply this only to mobile devices,


    • From client apps select Browser, Modern authentication clients, Exchange active sync clients and Other clients.


  5. From access control click Grant tab, and select
    • Require device to be marked as compliant – this policy will make sure the device is enrolled.
    • Require approved client app – this policy will make sure Outlook app and Manage browser will only work as Office 365 mail client.


  6. Click Enable policy

Conditional access policies are a bit faster than the MAM policy, but again it will depend on how many users you have targeted the policy.  After the policy has kicked into the device. If the device is already configured the mail you can see will not come to the native client, also user is prompted to enroll the device to receive the office 365 emails.

Hope this post is useful

Cheers

Asitha De Silva

Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.

Popular
Volume Activation Management Tool 3.1 – Implementing and Activating
By  Asitha De Silva  -   2015/12/13
Windows File Server 2016 | Map Network Drive for Users and Group Drive using GPO
By  Asitha De Silva  -   2017/12/28
Multiple Password Policies for Domain Users
By  Asitha De Silva  -   2019/11/16
Newsletter

To keep up with the news and updates related to our products, make sure to subscribe to our newsletter!

Copyright © 2026 Terminalworks. All Rights Reserved