itpro_ca

In this video, you learn how to control user access to email and other corporate resources based on your company's device enrollment and compliance policies by using conditional access in Microsoft Intune. Let's see how conditional access works from the user perspective. The first thing they usually do on their mobile devices is set up their work email like this. They go to Settings, tap Mail, Contacts, Calendars, and then tap Add Account. Next, users will usually check to make sure their email is working. But when conditional access is enabled in Intune, users won't typically have media access to email. Instead, they'll receive an email informing them that their device is temporarily blocked from accessing email until they complete the Intune enrollment steps. As you can see here, there's a link in the email to enroll the device. After following a few simple enrollment steps, they'll have access to their work email. Let's take a look at how this works behind the scenes. Depending on the type of email application that you use to access exchange online, the path to establishing secured access to email can be slightly different. However, the key components are the same. They are Azure Active Directory, Office 365 and Exchange Online, and Microsoft Intune. Intune currently supports native email apps and the Microsoft Outlook app for iOS and Android. Let's look at the flow for native email apps and Exchange ActiveSync. A device is authenticated when it connects to Office 365 to sync mail. As part of this authentication, Office 365 confirms with Azure Active Directory that the device is registered, enrolled in Intune, and compliant with the device compliance policy. If the device is registered, enrolled, and compliant, email syncs and the user recieves access to their email. If the device isn't registered, users recieve a message in their inbox with instructions with how to enroll in Intune. Azure Active Directory device registration happens automatically during enrollment. If the device isn't compliant, users receive a message that redirects them to the Intune web portal where they can get more information about the compliance problem and how to resolve it. Once the device is enrolled and compliant, email syncs and users receive their email. If you're using the Microsoft Outlook client, device compliance is established in much the same way. However, for Outlook apps, the flow between the components is slightly different. When the Outlook app attempts to get email, it's redirected to Azure Active Directory. Azure AD issues a security token if the device is enrolled and compliant. The security token grants access to exchange online. Email synchronization is brokered through the Outlook Cloud service using an Exchange ActiveSync service access token on behalf of the user to complete the authentication and deliver the email. Now let's see how conditional access is configured from the Intune admin console. If you've enrolled users in Intune before enabling conditional access policies, run the mobile device inventory report to see which devices will lose access to email and other corporate resources when conditional access is enabled. This allows you to inform users of noncompliant devices before blocking their access to email. The next step is to create a compliance policy in Intune. Compliance policies allow you to check for specific settings on a device and ensure that these settings are enabled before the device gains access to email. Settings, such as requiring a password, encrypting data, and detecting if the device is jail broken can be verified to make sure that a device is compliant. The next step is to enable conditional access for specific services such as Exchange Online, Exchange On-Premises, and SharePoint Online. Let's go ahead and enable conditional access for Exchange Online. Next, you'll need to decide which groups of users to apply these policies to. Let's choose the engineering group. As soon as conditional access is enabled, users in this group will lose access to their email if their devices are not compliant or enrolled in Intune. You can also specify groups that are exempted from conditional access policies. Exempted users don't need to enroll their devices with Intune or be compliant in order to access corporate email. That's it. Now you know how to enable users to be productive while protecting corporate data at the same time all by using conditional access in Microsoft Intune. You can further protect the content in your mail system by using managed app policies.