Conditional Access, in either a Cloud-only or a Hybrid scenario, is a great way to control data: we simply do not allow you to access corporate email without enrolling the device in a corporate MDM solution where Data Protection Policies will be applied. In my opinion this is the best compromise. The user stays productive and gets the ability to access corporate data on any device, anywhere, while we at the same time have control over the device: forcing security and compliance policies, encrypting data, deploying (LoB) apps and, last but not least, having asset control and reporting!

Now, Conditional Access works just the way it sounds: if certain conditions = true, then you gain access! Take a look at the following flowchart. When you access email, for instance, some processes start behind the curtain, checking and verifying that the conditions you as the IT Pro have set are met.

Advanced conditional access flow

From Microsoft TechNet: https://technet.microsoft.com/en-us/library/dn919655.aspx

For now, these are the services that support Conditional Access. However, keep in mind that it may vary a bit depending on whether you are running a Cloud-only solution with Microsoft Intune or a Hybrid solution with Microsoft Intune and ConfigMgr together.

  • Microsoft Exchange On-premises
  • Microsoft Exchange Online
  • Exchange Online Dedicated
  • SharePoint Online
  • Skype for Business Online

I suggest reading more about Conditional Access here before you read further:

Now, in this blog we will focus on a Hybrid scenario where we have Microsoft Exchange On-Premises as the email service and ConfigMgr + Intune as the MDM solution. If you have Office 365, everything is done in the Intune Portal even if you use ConfigMgr + Intune as the MDM solution. But since we have Exchange On-Premises, everything is done in ConfigMgr.

First off, we need to establish a connection between ConfigMgr and Exchange. I assume you have already established a Microsoft Intune subscription which is tied to your ConfigMgr solution through the Service Connection Point. Why establish a connection between ConfigMgr and Exchange, you might ask? The reason is that ConfigMgr needs the ability to manage devices through Exchange in order to restrict or approve access to email with Conditional Access.

These are the requirements (from Microsoft TechNet: https://technet.microsoft.com/en-us/library/dn919655.aspx):

Conditional access to Exchange On-premises supports:

  • Windows 8 and later (when enrolled with Intune)

  • Windows Phone 8 and later

  • Native email app on iOS

  • Native email app on Android 4 or later

  • Microsoft Outlook app on Android and iOS is not supported.

Additionally:

  • Your Exchange version must be Exchange 2010 or later. Exchange server Client Access Server (CAS) array is supported.

    If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to one of the CAS servers.

  • You must use the Exchange Server connector which connects Configuration Manager to Microsoft Exchange On-premises. This lets you manage mobile devices and enables conditional access (see How to Manage Mobile Devices by Using Configuration Manager and Exchange).

    • Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector should be configured through the Configuration Manager console. For a detailed walkthrough, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.

    • The connector must be configured only on the System Center Configuration Manager Primary Site.

    • This connector supports an Exchange CAS environment. When configuring the connector, you must set it so it talks to one of the Exchange CAS servers.

  • Exchange ActiveSync can be configured with certificate-based authentication or user credential entry.

To establish a connection to Exchange, open up your ConfigMgr Console, go to Hierarchy Configuration –> Exchange Server Connectors and click Add Exchange Server. For the rest of the steps, follow this guide on TechNet: https://technet.microsoft.com/en-us/library/gg682001.aspx

  • Monitor EADIS.log to verify that all is good. The log file is located here: \Microsoft Configuration Manager\Logs
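EADIS.log, like the other ConfigMgr logs, is written in CMTrace format, where each line carries a type field (1 = informational, 2 = warning, 3 = error). The following is an added example, not a script from the original post, that parses such lines and surfaces only the warnings and errors so a broken connector is noticed quickly. The sample log lines are constructed for illustration and the install path in the commented-out line is an assumption; the real location of EADIS.log depends on where ConfigMgr is installed.

```powershell
# Added example: filter a CMTrace-style log (such as EADIS.log) down to warnings and errors.
# The sample lines below are constructed for illustration, not real connector output.
$SampleLog = @'
<![LOG[Exchange Server Connector starting discovery]LOG]!><time="10:00:01.123+000" date="04-24-2016" component="EXCHANGE_CONNECTOR" context="" type="1" thread="1234" file="exchangeconnector.cpp:100">
<![LOG[Successfully connected to Exchange server]LOG]!><time="10:00:02.456+000" date="04-24-2016" component="EXCHANGE_CONNECTOR" context="" type="1" thread="1234" file="exchangeconnector.cpp:120">
<![LOG[Device discovery returned fewer devices than last run]LOG]!><time="10:00:03.789+000" date="04-24-2016" component="EXCHANGE_CONNECTOR" context="" type="2" thread="1234" file="exchangeconnector.cpp:180">
<![LOG[Failed to retrieve device list, access denied]LOG]!><time="10:00:04.012+000" date="04-24-2016" component="EXCHANGE_CONNECTOR" context="" type="3" thread="1234" file="exchangeconnector.cpp:200">
'@

function Get-CMTraceEntry {
    param(
        [Parameter(Mandatory)][string[]]$Line
    )
    # CMTrace format: <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" thread="..." file="...">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $severity = switch ($matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
            [pscustomobject]@{
                Date      = $matches.date
                Time      = $matches.time
                Component = $matches.comp
                Severity  = $severity
                Message   = $matches.msg
            }
        }
    }
}

# Real use (path is an assumption; adjust to your ConfigMgr install directory):
# $LogPath = "C:\Program Files\Microsoft Configuration Manager\Logs\EADIS.log"
# $Entries = Get-CMTraceEntry -Line (Get-Content $LogPath)
$Entries = Get-CMTraceEntry -Line ($SampleLog -split "`r?`n")

# Only warnings and errors are worth a second look when verifying the connector
$Entries | Where-Object { $_.Severity -ne 'Info' } | Format-Table Date, Time, Severity, Message -AutoSize
```

On the constructed sample this prints the warning and the error line and drops the two informational lines. Pointing it at the real EADIS.log (or any other ConfigMgr log) works the same way, since the format is shared across the product's logs.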

Next we need to create two collections. The first will be a User Collection for targeted users and the other will be for exempted users. These will be based on two groups in Active Directory. Below is a list of the collections and groups, plus two simple PowerShell scripts to create them. Why do we need this, you may ask? The reason is simple: there may be a user you do not want to apply this policy to, and when first implementing Conditional Access it is always smart to start small and slowly but steadily apply the policy to your users by moving them to the Targeted group.

Active Directory Groups:

  • G-SC-CM-ConAcc-AllTargetedUsers
  • G-SC-CM-ConAcc-AllExemptedUsers

Run the following script on a Domain Controller in your domain to create the groups (you need to change the variables in the script):

<#
    .NOTES
    ===========================================================================
    Created on:    24.04.2016
    Created by:    Marius A. Skovli
    Organization:  Coretech
    Filename:      CreateADGroups.ps1
    ===========================================================================
    .DESCRIPTION
    Create Conditional Access Groups in Active Directory for use in System Center Configuration Manager
#>

######--------------------------
#Load the Active Directory module (RSAT) that provides New-ADOrganizationalUnit and New-ADGroup
######--------------------------
Import-Module ActiveDirectory

######--------------------------
#Prep variables (change these to match your domain)
######--------------------------
$domain = "redd0g"
$DC = "com"
$OU1 = "SCTemp"
$DomainController = "redd0g-dc01"
$TargetedGroup = "G-SC-CM-ConAcc-AllTargetedUsers"
$ExemptedGroup = "G-SC-CM-ConAcc-AllExemptedUsers"

######--------------------------
#Create OU
######--------------------------
New-ADOrganizationalUnit -Name $OU1 -Path "DC=$domain,DC=$DC" -Server $DomainController

######--------------------------
#Create Groups (global security groups in the new OU)
######--------------------------
New-ADGroup `
    -Server $DomainController `
    -Path "OU=$OU1,DC=$domain,DC=$DC" `
    -Name $TargetedGroup `
    -GroupCategory Security `
    -Description "SCCM Conditional Access All Targeted Users" `
    -GroupScope Global

New-ADGroup `
    -Server $DomainController `
    -Path "OU=$OU1,DC=$domain,DC=$DC" `
    -Name $ExemptedGroup `
    -GroupCategory Security `
    -Description "SCCM Conditional Access All Exempted Users" `
    -GroupScope Global
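The post recommends starting small and moving users into the Targeted group in steps. The following is an added example, not part of the original post or its scripts, of a small helper for that staged rollout: it moves a batch of users from the exempted group to the targeted group and reports anyone who ends up in both, since a user should sit in exactly one of the two groups for the policy outcome to be unambiguous. The group names and the domain controller name are taken from the post's script; the sample usernames are constructed.

```powershell
# Added example: staged rollout helper for the two Conditional Access AD groups.
Import-Module ActiveDirectory

$TargetedGroup    = "G-SC-CM-ConAcc-AllTargetedUsers"
$ExemptedGroup    = "G-SC-CM-ConAcc-AllExemptedUsers"
$DomainController = "redd0g-dc01"   # value from the post's script; change for your domain

function Move-ConAccBatch {
    # Move a batch of users from the exempted group into the targeted group.
    # Run with -WhatIf first to preview the changes without applying them.
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$WhatIf
    )
    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam -Server $DomainController -ErrorAction Stop
        Add-ADGroupMember -Identity $TargetedGroup -Members $user -Server $DomainController -WhatIf:$WhatIf
        Remove-ADGroupMember -Identity $ExemptedGroup -Members $user -Server $DomainController -Confirm:$false -WhatIf:$WhatIf
    }
}

function Get-ConAccOverlap {
    # Users present in both groups (including via nested groups); these should be
    # cleaned up so each user is in one group only.
    $targeted = Get-ADGroupMember -Identity $TargetedGroup -Server $DomainController -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $exempted = Get-ADGroupMember -Identity $ExemptedGroup -Server $DomainController -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $targeted | Where-Object { $exempted -contains $_ }
}

# Pilot batch (constructed sample usernames): preview first, then run without -WhatIf.
Move-ConAccBatch -SamAccountName 'pilot.user01', 'pilot.user02' -WhatIf
Get-ConAccOverlap
```

Keep in mind that the collections created further down pick up group changes only when their membership is evaluated; with the post's refresh settings that is on the schedule or the next incremental update, and `Invoke-CMCollectionUpdate` on the ConfigMgr site forces an evaluation if you do not want to wait.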

ConfigMgr Collections:

  • Conditional Access: All Targeted Users
  • Conditional Access: All Exempted Users

Run the following script on your ConfigMgr Server in order to create the collections:

<#
    .NOTES
    ===========================================================================
    Created on:    24.04.2016
    Created by:    Marius A. Skovli
    Organization:  Coretech
    Filename:      CreateCACollections.ps1
    ===========================================================================
    .DESCRIPTION
    Create Conditional Access Collections in System Center Configuration Manager
    This will create the following: Collections, Folders, Query and Schedule for Membership Update.
#>

#----
#Import the ConfigMgr Module and switch to the site drive
#----
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"

#----
#Create Folder (under User Collections, using the detected site code rather than a hard-coded one)
#----
New-Item -Path "$($SiteCode.Name):\UserCollection" -Name 'Conditional Access'

#----
#Adding Collection refresh Schedule (full evaluation every 7 days; incremental updates are enabled below)
#----
$Schedule = New-CMSchedule -RecurCount 7 -RecurInterval Days

#----
#Adding user collections with query rules on the AD group names
#----
$Collection1 = New-CMUserCollection -LimitingCollectionName "All Users" `
    -Name "Conditional Access: All Targeted Users" `
    -Comment "Users who are Targeted for Conditional Access" `
    -RefreshType Both -RefreshSchedule $Schedule

Add-CMUserCollectionQueryMembershipRule `
    -CollectionName "Conditional Access: All Targeted Users" `
    -QueryExpression 'select * from SMS_R_User where SMS_R_User.UserGroupName like "%G-SC-CM-ConAcc-AllTargetedUsers%"' `
    -RuleName G-SC-CM-ConAcc-AllTargetedUsers

$Collection2 = New-CMUserCollection -LimitingCollectionName "All Users" `
    -Name "Conditional Access: All Exempted Users" `
    -Comment "Users who are exempted from Conditional Access" `
    -RefreshType Both -RefreshSchedule $Schedule

Add-CMUserCollectionQueryMembershipRule `
    -CollectionName "Conditional Access: All Exempted Users" `
    -QueryExpression 'select * from SMS_R_User where SMS_R_User.UserGroupName like "%G-SC-CM-ConAcc-AllExemptedUsers%"' `
    -RuleName G-SC-CM-ConAcc-AllExemptedUsers

#----
#Move collections to Conditional Access folder
#----
Move-CMObject `
    -FolderPath "$($SiteCode.Name):\UserCollection\Conditional Access" `
    -InputObject $Collection1

Move-CMObject `
    -FolderPath "$($SiteCode.Name):\UserCollection\Conditional Access" `
    -InputObject $Collection2
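Before pointing the policy at these collections it is worth confirming they exist, carry their query rule and actually resolve members. The following is an added example, not part of the original post, that does that check from the ConfigMgr site server. It reuses the post's module import and collection names; the function name is my own.

```powershell
# Added example: verify the two Conditional Access user collections and trigger a membership evaluation.
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"

$CollectionNames = @(
    "Conditional Access: All Targeted Users",
    "Conditional Access: All Exempted Users"
)

function Get-ConAccCollectionReport {
    # One row per collection: does it exist, how many query rules, how many members resolved so far
    foreach ($name in $CollectionNames) {
        $coll = Get-CMUserCollection -Name $name
        if (-not $coll) {
            [pscustomobject]@{ Collection = $name; Exists = $false; QueryRules = 0; Members = 0 }
            continue
        }
        # Ask the site to evaluate membership now instead of waiting for the schedule
        Invoke-CMCollectionUpdate -Name $name
        $rules   = @(Get-CMUserCollectionQueryMembershipRule -CollectionName $name)
        $members = @(Get-CMUser -CollectionName $name)
        [pscustomobject]@{
            Collection = $name
            Exists     = $true
            QueryRules = $rules.Count
            Members    = $members.Count
        }
    }
}

Get-ConAccCollectionReport | Format-Table -AutoSize
```

Collection evaluation runs asynchronously on the site, so the member count reported right after the update request can lag; a zero on the exempted collection is expected until someone is placed in that AD group, but a zero on the targeted collection after the pilot users were added (and discovery has run) points at the query rule or at Active Directory User Discovery.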

Next, go to Assets and Compliance, locate Conditional Access and go to On-Premises Exchange. Right-click and choose “Configure Conditional Access Policy”.


Click Next on the first page


Specify the Targeted Collection: Conditional Access: All Targeted Users


Specify the Exempted Collection: Conditional Access: All Exempted Users


If you want, you can edit the text the user is presented with when they try to access email on their device and the conditions = false, for example because the device is missing from the Intune Management Portal.


Click Next, and then Close. You can now see that you have a Conditional Access Policy created. If you want to change it, just right-click and click Properties.


That’s it. You now have Conditional Access enabled for your On-Premises Exchange solution.

Do not forget to leave a comment if you have any questions!