SCCM 2012 R2 + Microsoft Intune – Exchange Conditional Access

Hi, here is Martin with a blog post about a new feature that has shipped in Intune, Microsoft's mobile device management solution: Conditional Exchange/SharePoint Access. This means you are now able to restrict access to Exchange Online, On-Premise Exchange and SharePoint Online to devices that are enrolled in Intune.

Update: Intune in combination with SCCM currently only allows you to restrict the Access to Exchange Online.

If your System Center 2012 Configuration Manager has been updated with the new Conditional Access Extension:
you will find those new entries in the List:
You are then also able to create a quick Compliance Policy:
Compliance Policy
But we wanted to start with Exchange Conditional Access, so we need to follow the link on the “Exchange Online” page, which leads us to our Windows Intune portal:
Intune - Set up conditional Access
In my case, I chose to install the On-Premise Connector; you can follow these instructions on TechNet:
Once you have successfully installed the On-Premise Connector, you can go on and create your Exchange policy:
Exchange Policy
It can take up to 3 hours until an EAS-synced device gets blocked. Whether or not the device was already enrolled with EAS, the user will receive a message saying that they can enroll the device with Intune and gain access to their mail account again.
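To check the effect of the policy once the 3-hour window has passed, the following added example (not from the original post or from Microsoft) classifies devices by their Exchange access state. The function name `Get-EasAccessReport`, its verdict labels and the sample devices are assumptions made for illustration; the input objects are expected to carry the properties returned by `Get-MobileDevice`.

```powershell
# Added example: classify EAS devices relative to the propagation window.
# Live use (in an Exchange PowerShell session):
#   Get-MobileDevice -ResultSize Unlimited | Get-EasAccessReport -PolicyEnabledAt '<time the policy was saved>'
function Get-EasAccessReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Device,
        [Parameter(Mandatory)] [datetime] $PolicyEnabledAt,
        [datetime] $Now = (Get-Date),
        [int] $GraceHours = 3      # the post's "up to 3 hours"
    )
    begin { $deadline = $PolicyEnabledAt.AddHours($GraceHours) }
    process {
        $state = [string]$Device.DeviceAccessState
        # Hypothetical verdict labels:
        #   Restricted       - Exchange already blocks or quarantines the device
        #   WithinWindow     - still allowed, but the policy may not have propagated yet
        #   ReviewEnrollment - still allowed after the window; confirm in the console
        #                      that the device really is Intune enrolled
        if ($state -ne 'Allowed')   { $verdict = 'Restricted' }
        elseif ($Now -lt $deadline) { $verdict = 'WithinWindow' }
        else                        { $verdict = 'ReviewEnrollment' }

        [pscustomobject]@{
            User        = $Device.UserDisplayName
            DeviceType  = $Device.DeviceType
            AccessState = $state
            Reason      = [string]$Device.DeviceAccessStateReason
            Verdict     = $verdict
        }
    }
}

# Constructed sample devices (not real data), so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ UserDisplayName = 'User A'; DeviceType = 'iPhone';  DeviceAccessState = 'Allowed';     DeviceAccessStateReason = 'Global' }
    [pscustomobject]@{ UserDisplayName = 'User B'; DeviceType = 'Android'; DeviceAccessState = 'Blocked';     DeviceAccessStateReason = 'Policy' }
    [pscustomobject]@{ UserDisplayName = 'User C'; DeviceType = 'iPad';    DeviceAccessState = 'Quarantined'; DeviceAccessStateReason = 'Global' }
)

# Policy enabled four hours ago, so the window is over for every sample device.
$sample |
    Get-EasAccessReport -PolicyEnabledAt ((Get-Date).AddHours(-4)) |
    Sort-Object Verdict, User |
    Format-Table -AutoSize
```

Devices reported as `ReviewEnrollment` are not necessarily a problem: an enrolled device is expected to stay allowed, so the list is the set to reconcile against Intune enrollment.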
This link is from the comments (thanks for that!) and describes the whole process very well:

Refer also to this excellent TechNet Blog Post:

7 thoughts on “SCCM 2012 R2 + Microsoft Intune – Exchange Conditional Access”

  1. Great article!
    It is now possible to create a conditional policy for Exchange OnPremise. Can you tell me if the Exchange Connector is also needed when using Intune in SCCM with an OnPremise Exchange? Thanks!

      • Hi Martin, thanks for the quick response.
        I think I got it now. 🙂
        I have around 500 ActiveSync devices ready to migrate to Intune integrated in ConfigMgr 2012 R2. Currently all ActiveSync devices need approval from an Administrator. When I configure the Exchange connector, how will that impact the active devices? After the exchange connector discovers all the active devices, in which collection will they show up? Thanks!

        • As far as I know, this should not affect your Exchange configuration when you set up the Exchange Connector.
          They will show up in the mobile device collection as well. When they are also enrolled with Intune, the device icon will change afterwards.
