Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V


conditional access

Microsoft Intune Enrollment of Android for IT Admin

Step 1: Enrollment

Once an end user has enrolled an Android device, it will shortly show up in the Intune portal.

Step 2: Verify status in Intune

This is what a healthy device should look like in the Intune portal:


This device is healthy and should have access to email and does not need attention.


If you need device info, the Intune MDM agent pulls information from the device and displays some of it in the general info tab, just to the right of the health status.


Just some of the info pulled from Intune



There are many different Android phones out there. They all provide info to Intune MDM differently. Here Sony is not able to convey the OS name correctly to Intune.

Not all Android phones report the OS correctly


In the device list you can view the devices and sort them by most of the general information fields.


Sort and find your device


When the end user enrolled this Sony Android device, he was prompted to place the device in a group himself. That group is displayed here. I named this group myself in the Intune portal. You could name it anything other than personal if you want to.


Device Group Mapping


Management channel should be set to Intune, or Intune and EAS, when your device is enrolled. We should also see the Compliant status. If the device is not compliant, check your compliance policies in the Intune policy tab, or make sure that you have made the device compliant, e.g. enabled PIN, encryption, screen lock and so on.


If your device is not compliant, it will be blocked from Exchange when you run Conditional Access.
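The check described above can be run over a whole device list at once. This is an added example, not code from the original post or from Microsoft: it assumes the device list has been exported to CSV, and the column names, channel strings and sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample export; the column names are hypothetical, not an Intune schema.
SAMPLE_EXPORT = """\
Name,User,OS,ManagementChannel,Compliance
Sony-E5823,user1@example.com,,Intune and EAS,Compliant
Galaxy-S7,user2@example.com,Android,Intune,Not compliant
Old-Tablet,user3@example.com,Android,EAS,
iPhone-6s,user4@example.com,iOS,Intune,Compliant
"""

# Per the post: an enrolled device shows "Intune" or "Intune and EAS".
ENROLLED_CHANNELS = {"intune", "intune and eas"}


def triage(export_text):
    """Return {device name: [reasons]} for devices that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        channel = (row.get("ManagementChannel") or "").strip().lower()
        compliance = (row.get("Compliance") or "").strip().lower()
        if channel not in ENROLLED_CHANNELS:
            reasons.append("not enrolled in Intune (channel: %s)" % (channel or "none"))
        elif compliance != "compliant":
            reasons.append("enrolled but not compliant: check policy, PIN, encryption")
        if not (row.get("OS") or "").strip():
            # Some handsets do not report the OS name; informational only.
            reasons.append("OS name not reported")
        if reasons:
            findings[row["Name"]] = reasons
    return findings


def blocked_by_conditional_access(findings):
    """Devices whose findings lead to a block once Conditional Access is on."""
    return sorted(name for name, reasons in findings.items()
                  if any(r.startswith(("not enrolled", "enrolled but")) for r in reasons))


if __name__ == "__main__":
    results = triage(SAMPLE_EXPORT)
    for name, reasons in results.items():
        print(name, "->", "; ".join(reasons))
    print("Would be blocked:", blocked_by_conditional_access(results))
```

A missing OS name is reported separately and does not count toward the block list, since the post shows a healthy device with that symptom.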


Service based Azure Multifactor Authentication

You can now enforce Azure MFA for a specific service.

In this example I enforce MFA for a security group with 3 users, only when they try to access Yammer. MFA is not enforced for anything else.

Prerequisites: Enterprise Mobility + Security (EMS) License assigned to the user.


Go to:

Navigate to your domain and click applications


Use these settings

A note on these settings: I have 3 users in the CA Exchange Online Mobile group. The rest of my users are in the NO CA group, and that group is set to Except. I do this to ensure that nothing is enforced globally for all users. The 3 users in the first group do not have Azure MFA set to Enabled or Enforced; it is set to Disabled.

You do not have to enable MFA globally for this to work


I always add an Except group with the remaining users.


This is what the user will see now.


He will see the normal login but will be required to enter a second factor. If he navigates to Outlook or OneDrive, there will be no such requirement.



Conditional Access Behavior on Outlook 2016

If you enable Conditional Access in Intune, your devices will have to be enrolled with Intune in order to read mail. If they are not enrolled, or are otherwise not compliant, they will be blocked.

You can relax these demands as you see fit, but that would kinda defeat its purpose.

This is how Outlook behaves:

  1. Add your account as usual (Autodiscover)
  2. Modern Auth prompt
  3. Conditional Access checkpoint

This user will not be allowed to complete the mail setup.
Note that you have to enable ADAL on Exchange Online and use Outlook 2013-2016 with ADAL in order for this to work. Click here to see how to set up Exchange Online with ADAL

How to enroll your Windows 10 machine in Intune to get back mail?

Click here for the MDM enrollment instructions without Azure AD Join, or here for MDM enrollment instructions with Azure AD Join.

Configuring Conditional Access to Exchange Online (365) with Intune

You can configure Microsoft Intune to block devices that do not comply with a “standard” from accessing Office 365 Exchange Online email.

Here is how:

  1. in a silverlight browser.
  2. Create a Compliance Policy
  3. Policy->Compliance Policy->Create New

I will demand a password of minimum 6 digits and 1 minute before screen lock.

Setting the Conditional Access and blocking Exchange ActiveSync

  1. Policy->Conditional Access->Exchange Online Policy
  2. Click following:
    • Activate Policy for Conditional Access
    • Select Specific Platforms
    • Check iOS (my rules will now only apply here; the rest can read email)
    • Check: Require Compliance for Mobile Device
    • Select “Block access to e-mail for devices not supported by Intune”
    • Select “All users”
    • Select “No exception users”

The iOS users will now have to enroll in order to read email, and when they do they need to set a 6-digit password.

Caution when using ActiveSync only:

  1. If the user has already configured email, he might not be blocked.
  2. If the user has been associated with that device earlier, he might not be blocked.

Enrollment procedure:

  1. Enter your email in the native mail client by going to settings.
  2. You receive an email with instructions on how to get access to your mail. Follow those instructions.

