How to prevent access to company Exchange account on unmanaged devices: Microsoft 365

When global admins grant access to users, they need to ensure that the data those users are allowed to process stays on company-managed devices rather than on external devices the company does not manage. Many admins have asked whether it is possible to restrict access from unmanaged devices, such as iOS and Android phones. Exchange Online users have discovered that by manually connecting their Exchange Online mailbox to a native mail app that uses basic authentication, they can get full native access on a device that is not under corporate control. For devices that are managed and compliant, admins have one option: use Intune to deliver a mail profile to the stock mail apps. So how do you prevent access to company Exchange accounts on unmanaged devices in Microsoft 365? Follow the steps below.

Step by step process – How to prevent access to company Exchange account on unmanaged devices: Microsoft 365?

  1. First, sign in to your Office 365 account.
  2. Use the app launcher and navigate to admin.
  3. In the admin dashboard, under “admin center”, click on “Azure Active Directory”(you may need to click “Show all” to access).
  4. Next in the left menu, find and click on “All services”.
  5. Now click on “Azure AD Conditional Access”.
  6. Click on “New policy”.
  7. Name the policy and fill out the information panel.
  8. Under “Grant”, click on “Block access”.
  9. Make sure the box “Require device to be marked as compliant” is checked.
  10. Make sure the box, “Require Hybrid Azure AD joined device” is checked.
  11. Below make sure the option “Require one of the selected controls” is selected.
  12. Then click on “Save”.

Quite a convoluted process, but it is the only native way to restrict devices for Exchange. The new policy restricts devices that are not part of the network, which is why the checkbox “Require device to be marked as compliant” should be checked. The main control, blocking unmanaged devices, is the checkbox “Require Hybrid Azure AD joined device”. Together they allow access only from devices managed by the network; any device outside it is refused access. So if there are users on unmanaged or personal devices outside the company network, you need to inform them that access from those devices has been restricted.

Data loss may be one of your main worries here. For example, a user can sign in to their business OneDrive or mailbox on a personal device and, with no restrictions, synchronize every file and email stored in that service. When that user leaves the company, what happens to their local copies of the data? This is why having the Azure AD Conditional Access policy in place prevents such problems from occurring.

Azure AD – More information

Administrators can use Conditional Access to gain control. Conditional Access is included in the Azure Active Directory Premium P1 subscription and lets you regulate the conditions under which a user is permitted or denied access to Azure AD resources. Even when you grant access, you may impose further requirements, such as requiring the user to complete a multi-factor authentication prompt or limiting how long before they must sign in again.

A device that is connected to your on-premises Active Directory as well as synced and attached to the cloud-based Azure AD is referred to as hybrid Azure AD joined. We’ve already discussed how to get your devices into this condition. This is only compatible with Windows-based devices.

Users and groups determine who the policy applies to; users not included in the assignment are not affected by the policy. If you are blocking Office 365 access on unmanaged devices, you might want to scope the policy to all users but exclude guests/external users and emergency access accounts. Alternatively, include only an Azure AD group for which the restriction is acceptable.

Azure AD – access control

Conditions specify signals and authentication attributes such as IP address, operating system and client app type (roughly speaking, browser versus desktop or mobile client access). We won’t set any conditions here because in our case we are restricting all Office 365 access methods. However, applying separate restrictions to browser access and to desktop app access is a typical use of these conditions.
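The policy built in the steps above, expressed as the Microsoft Graph conditionalAccessPolicy body an admin would POST instead of clicking through the portal, plus an audit function for checking an exported policy against those steps (added example, not the blog’s own code; the emergency access group id is a placeholder):

```python
# Added example (not the blog's code): the policy from the steps above as a Microsoft
# Graph conditionalAccessPolicy body, plus an audit of an exported policy against them.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"   # first-party Exchange Online app
EMERGENCY_ACCESS_GROUP = "00000000-0000-0000-0000-0000000000ee"   # placeholder group id (assumption)

def build_block_unmanaged_policy(exclude_groups=(EMERGENCY_ACCESS_GROUP,), enforce=False):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return {
        "displayName": "Block Office 365 on unmanaged devices",
        # report-only first: sign-in logs then show who would be blocked before you enforce
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["GuestsOrExternalUsers"],
                      "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["Office365"]},
            # "all" = browser + modern clients + Exchange ActiveSync + other (legacy-auth) clients
            "clientAppTypes": ["all"],
        },
        # "Require one of the selected controls": compliant (Intune) OR hybrid Azure AD joined
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    }

def audit_policy(policy):
    """Return findings for a policy dict (e.g. one exported from Graph); [] means it matches."""
    findings = []
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: policy is not enforced")
    missing = {"compliantDevice", "domainJoinedDevice"} - set(grant.get("builtInControls", []))
    if missing:
        findings.append(f"missing grant controls: {sorted(missing)}")
    if grant.get("operator") != "OR":
        findings.append("operator is not OR: non-Windows devices can never be hybrid joined, so all are blocked")
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append("policy is not scoped to all users")
    if not users.get("excludeGroups"):
        findings.append("no emergency-access group excluded: a mistake here locks out every admin")
    apps = cond.get("applications", {}).get("includeApplications", [])
    if "Office365" not in apps and EXCHANGE_ONLINE_APP_ID not in apps:
        findings.append("Exchange Online is not a target application")
    if not set(cond.get("clientAppTypes", [])) & {"all", "other"}:
        findings.append("legacy 'other' clients (native mail apps on basic auth) are not covered")
    return findings
```

Run `audit_policy` over each policy returned by GET /identity/conditionalAccess/policies to confirm the block actually covers the native mail clients described at the top of the post.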

What is Microsoft Intune?

Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) solution. It gives you control over how your company’s devices, such as mobile phones, tablets, and laptops, are used. You can also set up specific policies to control apps; for example, you can restrict emails from being sent to anyone outside your company. With Intune, people in your company can also use their personal devices for education or work. Intune helps ensure that your organization’s data is safeguarded on personal devices by isolating it from personal data.

Click here to read our blog post that fully explains what Microsoft Intune is. It will help you understand what the software is and how it lets you manage your devices.

In depth – step by step process – How to prevent access to company Exchange accounts on unmanaged devices: Microsoft 365?

Step by step breakdown:

  • First sign in to your Office 365 account.

Use your account details, or, if you have a current Skype account linked to the Office account in question, you can use that.

  • Use the application launcher to navigate towards “Admin”.

The launcher is the nine-dot icon in the right corner; click on it and find “Admin”.

  • In the admin dashboard, under “admin center”, click on “Azure Active Directory”(you may need to click “Show all” to access).
  • Next in the left menu, find and click on “All services”.
  • Now search for “Azure AD Conditional Access”.
  • Click on “New policy”.
  • Name the policy and fill out the assignment panel.
  • Under “Grant”, click on “Block access”.
  • Make sure the box “Require device to be marked as compliant” is checked.
  • Make sure the box, “Require Hybrid Azure AD joined device” is checked.
  • Below make sure the option “Require one of the selected controls” is selected.
  • Then click on “Create”.

That’s it for this blog. Thank you for taking the time to read our content. Please feel free to email our team about how it went if you followed the steps, or if you need more help with the questions we answered in this blog.

Saajid Gangat

Saajid Gangat has been a researcher and content writer at Business Tech Planet since 2021. Saajid is a tech-savvy writer with expertise in web and graphic design and has extensive knowledge of Microsoft 365, Adobe, Shopify, WordPress, Wix, Squarespace, and more! You can connect with Saajid on LinkedIn.