So, what happens if you upgrade from the on-premises Exchange Connector or simply remove the Exchange Connector in Intune?

In this blog I remove the Exchange Online connector and test what happens on an iPad that is enrolled with Intune.

The user account has Conditional Access on Exchange Online enabled.

Conditional Access enabled


I enrolled the device with Intune and checked in the Intune Management Portal that the device was registered and active.


I now delete the Exchange Connection to see what happens on the iPad for the end-user.



Connection Deleted.

-> With the connection deleted you can still send and receive mails from any device without any Conditional Access. As long as you enter the login credentials into any mail app it works.

Removed the device from the company portal app and severed the Intune connection. There is no Conditional Access so you can still send and receive mails.

Then add the Exchange connector again; now my device should be blocked, since Conditional Access prevents non-enrolled devices from reading mail.


Nothing will happen until the service has synced with Exchange, so click the “Run Fast Sync” button.


A prompt will appear, just close it.

Exchange Conditional Access will now apply to all accounts again. If you have a device which is approved in Intune, no action is required. If it is not enrolled in Intune you will have to enroll it.

After some hours, once Exchange discovers that this device is no longer enrolled, it will also block mail. This takes about two hours.

Exchange Conditional Access on existing mailbox
Notice the top email asking for re-enrollment.

Background: The Exchange Connector sends PowerShell cmdlets to the Exchange server. In Azure AD, Microsoft saves the ActiveSync ID together with the ID of the object or device. This enables our service to block or allow certain devices from reading email. The comprehensive overview of what the connector does can be found here:
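
Separately from that overview, here is an added example (not part of the original post and not the connector's own code) that uses the ActiveSync ID mapping described above to find devices whose Exchange access state disagrees with Intune enrollment, which is the state this test produces while the connector is missing or has not yet synced. The function name `Get-EasEnrollmentMismatch` is hypothetical and all rows are constructed sample data; the property names assume the shape of `Get-MobileDevice` output (`DeviceId`, `DeviceAccessState`) and of Intune managed-device records (`EasDeviceId`).

```powershell
# Constructed sample data. In a live tenant the first list would come from
# Get-MobileDevice (Exchange) and the second from Intune managed-device records.
$easDevices = @(
    [pscustomobject]@{ UserDisplayName = 'Alice Example'; DeviceId = 'EASID0001SAMPLE'; DeviceAccessState = 'Allowed' }
    [pscustomobject]@{ UserDisplayName = 'Bob Example';   DeviceId = 'EASID0002SAMPLE'; DeviceAccessState = 'Allowed' }
    [pscustomobject]@{ UserDisplayName = 'Carol Example'; DeviceId = 'EASID0003SAMPLE'; DeviceAccessState = 'Blocked' }
    [pscustomobject]@{ UserDisplayName = 'Dan Example';   DeviceId = 'EASID0004SAMPLE'; DeviceAccessState = 'Blocked' }
)
$intuneDevices = @(
    [pscustomobject]@{ DeviceName = 'iPad-Alice'; EasDeviceId = 'EASID0001SAMPLE' }
    [pscustomobject]@{ DeviceName = 'iPad-Carol'; EasDeviceId = 'EASID0003SAMPLE' }
)

function Get-EasEnrollmentMismatch {
    param(
        [Parameter(Mandatory)] [object[]] $EasDevice,
        [Parameter(Mandatory)] [object[]] $IntuneDevice
    )
    # Index enrolled devices by ActiveSync ID (hashtable keys are case-insensitive).
    $enrolled = @{}
    foreach ($d in $IntuneDevice) {
        if ($d.EasDeviceId) { $enrolled[$d.EasDeviceId] = $d }
    }
    foreach ($e in $EasDevice) {
        $isEnrolled = $enrolled.ContainsKey($e.DeviceId)
        $finding = $null
        if ($e.DeviceAccessState -eq 'Allowed' -and -not $isEnrolled) {
            # Mail flows to a device Intune does not manage: the gap shown in this test.
            $finding = 'AllowedNotEnrolled'
        }
        elseif ($e.DeviceAccessState -eq 'Blocked' -and $isEnrolled) {
            # Enrolled device still blocked: Exchange has not picked up the enrollment yet.
            $finding = 'BlockedButEnrolled'
        }
        if ($finding) {
            [pscustomobject]@{
                User     = $e.UserDisplayName
                DeviceId = $e.DeviceId
                State    = $e.DeviceAccessState
                Finding  = $finding
            }
        }
    }
}

Get-EasEnrollmentMismatch -EasDevice $easDevices -IntuneDevice $intuneDevices |
    Format-Table -AutoSize
```

With the sample rows, Bob's device is reported as `AllowedNotEnrolled` and Carol's as `BlockedButEnrolled`; Alice's and Dan's devices are consistent and produce no output.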