Protect Office 365 Exchange Online with Intune -

In this article, we will see how to use device compliance policies and conditional access with Intune to make sure that iOS devices can access Exchange Online email only if they’re managed by Intune and use Outlook application.

Create the iOS device compliance policy

Set up an Intune device compliance policy to set the conditions that a device must meet to be considered compliant. For this tutorial, we’ll create a device compliance policy for iOS devices. Compliance policies are platform-specific, so you need a separate compliance policy for each device platform you want to evaluate.

In Intune, select Device compliance > Policies > Create Policy.

In Name, enter iOS compliance policy
In Description, enter iOS compliance policy
Under Platform, select iOS.

Select Settings > Email.
1. Next to Require mobile devices to have a managed email profile, select Require.
2. Select OK.

Select Device Health. Next to Jailbroken devices, select Block, and then select OK.

Select System Security and enter Password settings. For this tutorial, select the following recommended settings:
- For Require a password to unlock mobile devices, select Require.
- For Simple passwords, select Block.
- For Minimum password length, enter 4.
- For Required password type, choose Alphanumeric.
- For Maximum minutes after screen lock before password is required, choose Immediately.
- For Password expiration (days), enter 41.
- For Number of previous passwords to prevent reuse, enter 5.

Select OK

Select OK again

Select Create

Create the conditional access policy

Now we’ll create a conditional access policy that requires all device platforms to enroll in Intune and comply with our Intune compliance policy before they can access Exchange Online. We’ll also require the Outlook app for email access. Conditional access policies are configurable in either the Azure AD portal or the Intune portal. Since we’re already in the Intune portal, we’ll create the policy here.

In Intune, select Conditional access > Policies > New policy.

In Name, enter Office 365 email Policy.

Click on Assignments

Select Users and groups. On the Include tab, select All users, and then select Done.

Under Assignments, select Cloud apps. Because we want to protect Office 365 Exchange Online email, we’ll select it by following these steps:
1. On the Include tab, choose Select apps.
2. Choose Select.
3. In the applications list, select Office 365 Exchange Online, and then choose Select.
4. Select Done.

Under Assignments, select Conditions > Device platforms.
1. Under Configure, select Yes.
2. On the Include tab, select All platforms (including unsupported), and then select Done.
3. Select Done again.

Under Assignments, select Conditions > Client apps.
1. Under Configure, select Yes.
2. Select Mobile apps and desktop clients and Modern authentication clients (which refers to apps like Outlook for iOS and Outlook for Android). Clear all other check boxes.
3. Select Done, and then select Done again.

Under Access controls, select Grant.
1. On the Grant pane, select Grant access.
2. Select Require device to be marked as compliant.
3. Select Require approved client app.
4. Under For multiple controls, select Require all the selected controls. This setting ensures that both requirements you selected are enforced when a device tries to access email.
5. Choose Select.

Under Enable policy, select On.

Select Create.

Try it out

With the policies you’ve created, any iOS device that attempts to sign in to Office 365 email will need to enroll in Intune and use the Outlook mobile app for iOS. To test this scenario on an iOS device, try signing in to Exchange Online using credentials for a user in your test tenant. You’ll be prompted to enroll the device and install the Outlook mobile app.