Conditional access with ConfigMgr+Intune and On-Premises Exchange

Conditional Access in either a Cloud-only or Hybrid scenario is a great way to control data by saying we do not allow you to access Corporate Email without enrolling the device to a Corporate MDM solution where Data Protection Policies will be applied. This is in my opinion the best compromise where we let the user be productive where they get the ability to access corporate data on any device, anywhere, where we at the same time have control over the device, forcing security and compliance policies, encrypting data, deploy (LoB) apps and las but not least have the ability to have Asset Control and reporting!

Now Conditional Access works just the way it sounds, if certain conditions = true then you will gain access! Take a look at the following flowchart, when access email for instance, some processes will start behind the curtains checking and verifying that the conditions you as the IT-Pro have set, are met.

Advanced conditional access flow

From Microsoft TechNet: https://technet.microsoft.com/en-us/library/dn919655.aspx

For now, these are the services that support Conditional Access. However, keep in mind that it may vary a bit depending if you are running a Cloud-only solution with Microsoft Intune or a Hybrid solution with Microsoft Intune and ConfigMgr together.

  • Microsoft Exchange On-premises
  • Microsoft Exchange Online
  • Exchange Online Dedicated
  • SharePoint Online
  • Skype for Business Online

I suggest to read more about Conditional access here before you read further:

Now, in this blog we will focus on a Hybrid scenario where we have Microsoft Exchange On-Premises as Email service and ConfigMgr + Intune as MDM solution. If you have Office 365 everything is done in the Intune Portal even if you use ConfigMgr + Intune as MDM solution. But since we have Exchange On-Premise everything is done in ConfigMgr.

First off, we need to establish a connection between ConfigMgr and Exchange and I assume you already have established a Microsoft Intune Subscription which is tied to your ConfigMgr solution through the Service Connection Point. Why establish a connection between ConfigMgr and Exchange you might ask, well the reason is that ConfigMgr needs the ability to manage devises through Exchange in order to restrict or approve access to email with Conditional Access.

These are the requirements (from Microsoft TechNet https://technet.microsoft.com/en-us/library/dn919655.aspx)

Conditional access to Exchange On-premises supports:

  • Windows 8 and later (when enrolled with Intune)

  • Windows Phone 8 and later

  • Native email app on iOS

  • Native email app on Android 4 or later

  • Microsoft Outlook app on Android and iOS is not supported.

Additionally:

  • Your Exchange version must be Exchange 2010 or later. Exchange server Client Access Server (CAS) array is supported.

    If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to one of the CAS servers.

  • You must use the Exchange Server connector which connects Configuration Manager to Microsoft Exchange On-premises. This lets you manage mobile devices and enables conditional access (see How to Manage Mobile Devices by Using Configuration Manager and Exchange).

    • Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector should be configured through the Configuration Manager console. For a detailed walkthrough, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.

    • The connector must be configured only on the System Center Configuration Manager Primary Site.

    • This connector supports Exchange CAS environment. When configuring the connector, you must set it so it talk to the one of the Exchange CAS servers.

  • Exchange ActiveSync can be configured with certificate based authentication, or user credential entry

 

To establish a connection to Exchange open up your ConfigMgr Console and go to Hierarchy Configuration –> Exchange Server Connectors and Click Add Exchange Server. For rest of the steps follow this guide on TechNet: https://technet.microsoft.com/en-us/library/gg682001.aspx

  • Monitor EADIS.log to verify that all is good. The log file is located here: \Microsoft Configuration Manager\Logs

Next we need to create two collections. The first collection will be a User Collection for targeted users and the other will be for exempted users. These will be based on of two groups in Active Directory. Below is a list of the collections a groups plus two simple PowerShell scripts to create them. Why do we need this you may ask, well the reason is simple, there may be a situation where there is a user you do not want to apply this policy to and when first implementing Conditional Access it is always smart to start small and slowly but steadily apply the policy to your users by moving them to the Targeted group.

Active Directory Groups:

  • G-SC-CM-ConAcc-AllTargetedUsers
  • G-SC-CM-ConAcc-AllExemptedUsers

Run the following script on a Domain Controller in your domain to create the groups (You need to change the variables in the script):

ConfigMgr Collections:

  • Conditional Acces: All Targeted Users
  • Conditional Acces: All Exempted Users

Run the following script on your ConfigMgr Server in order to create the collections:

Next go to Assets and Compliance, locate Conditional Acces and go to On-Premises Exchange: Right Click and choose “Configure Conditional Access Policy”

image

Click Next on the first page

image

Specify the Targeted Collection: Conditional Access: All Targeted Users

image

Specify the Exempted Collection: Conditional Access: All Exempted Users

image

If you want, you can edit the text that the user will be presented with when they try to access email on their device and conditions = false as in the Intune Management Portal as missing for example.

image

Click Next, and then Close. You can now see that you have a Conditional Access Policy created. If you want to change it, just right-click and click Properties.

image

That’s it. You have now Conditional Access enabled for your On-Premises Exchange solution.

Do not forget to leave a comment if you have any questions! Smilefjes

About the Author:

Marius A. Skovli
Microsoft Enterprise Client Management Evangelist with: 10+ years experience within Microsoft System Management Solutions Extensive experience across Private and Public Sector Passion for Community Driven work, volunteering within Microsoft technology Great belief that sharing experience within fellow peers is key to creating a sustainable society Strong commitment to System Center User Group Norway as co-founder and current leader I am a technology enthusiast working as a consultant for the consultant company CTGlobal. I have always been passionate about IT and have the last 10 + years worked with Management and Automation within Microsoft technology. Back in 2005/6 I started working with System Management Server (SMS) 2003 and have been working with Enterprise Client Management ever since, where i today focus on helping customers design and implement solutions based on System Center Configuration Manager and/or Enterprise Mobility Suite from Microsoft. Other parts of my work consists of speaking and presenting at different events and seminars, doing research and blog about solutions I find and products I work with. I truly believe in a strong community where knowledge and know-how is essential. Creating creative arenas where it is possible for peers to spread the word about new technologies and solutions is key and as an act on this I co-founded System Center User Group Norway (www.scug.no). SCUG is an initiative where we discuss, preach and present new technologies and solutions in the System Center Space from Microsoft. This is a free arena for everybody to join that is interested in/or enthusiastic about Microsoft Cloud Platform (Enterprise Client Management or Cloud and Datacenter). Specialties: System Center Configuration Manager (SCCM2007-SCCM2012), Enterprise Mobility and Intune, Windows and Windows server deployment.

2 Comments

  1. Patrick S. April 25, 2016 at 17:06 - Reply

    Marius, thanks for the great article! Exchange On-Premises has definitely been the trickier scenario for us to deal with vs Exchange Online.

    When you reference, “Make sure that you are using the latest version of the on-premises Exchange connector,” is that just referring to using ConfigMgr 1511, 1602, etc? Or is there something else that we should be looking at?

    Thanks!

Leave A Comment