SCCM 2012 – Configure Exchange On-Premise Conditional Access with Microsoft Intune

Hi Reader,

Referring to my old blog post, where I described the integration of Conditional Access in System Center 2012 Configuration Manager for Exchange Online (Link): because there was an update to the Intune Extension to support on-premise Exchange Server as well, I decided to create a new blog post about this.

The supported Exchange versions are currently 2010 and 2013. Be sure you are using one of them with a current Update Rollup (afaik UR6 is required for 2013).
You can use Conditional Access to restrict the EAS connection on the following devices:
• Windows 8 and later (when enrolled with Intune)
• Windows Phone 8 and later
• Any iOS device that uses an Exchange ActiveSync (EAS) email client
• Android 4 and later

The first step is to set up the Exchange Connector within your SCCM 2012 Administration Workspace. Follow this TechNet Article to configure the Exchange Connector:
How to Manage Mobile Devices by Using Configuration Manager and Exchange

When this is done, create a user collection. It is used later as the target of the Conditional Access policy, and you can already add the users you want to restrict. If needed, create a second collection for exclusions, because you can exempt users from the restrictions even if they are members of the restricted collection.

Then you can go to the “Conditional Access” area of the “Assets and Compliance” Tree, and select “Configure Conditional Access Policy”:
Configure Conditional Access Policy

In the first screen you will be asked for your Intune tenant domain name; you should use the address:
Domain name for Microsoft Intune

In the next step, you have to add the previously created user collection on which you want to restrict the access:
Target collection

The next screen of the wizard asks for the exempted collections; if your configuration needs this, you can add them here. The last screen of the wizard shows the message template that is sent to the user when their device is not compliant with the policy:
User message
This message is sent to a user when EAS has recognized that the device is not compliant. Make sure that you have configured the new “Conditional Access Email Notification Account” option in the Exchange Connector properties; this enables SCCM to send the email:
Email Notification Account

However, it can take up to 3 hours before a device is blocked. If a user sets up an Exchange ActiveSync profile, it might take 1-3 hours for the device to be blocked (if it is not managed by Intune). Likewise, if a user un-enrolls a device from Intune, it might take 1-3 hours for the device to be blocked. On the other hand, if the user then enrolls the device with Intune (again), email access is unblocked within 2 minutes (from TechNet).
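To check enforcement against the delay described above, the following added example (not part of the original post, nor Microsoft's code) classifies EAS device records by access state and age. The function name Get-EasEnforcementState, the verdict labels and the sample records are assumptions made for illustration; the property names match what Get-MobileDevice returns in Exchange 2013, and FirstSyncTime is assumed to be UTC.

```powershell
# Added example, requires PowerShell 3.0 or later.
# Against a live Exchange 2013 server, pipe real records in, e.g.:
#   Get-MobileDevice -Mailbox <user> | Get-EasEnforcementState
function Get-EasEnforcementState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device,
        # Upper bound of the blocking delay quoted in the post (3 hours).
        [timespan]$MaxDelay = (New-TimeSpan -Hours 3),
        # Assumption: FirstSyncTime is UTC, so compare against UTC "now".
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        $age   = $Now - $Device.FirstSyncTime
        $state = [string]$Device.DeviceAccessState
        $verdict = if ('Blocked', 'Quarantined' -contains $state) {
            'Enforced'            # EAS mail access is currently denied
        } elseif ($age -le $MaxDelay) {
            'WithinDelayWindow'   # a block may simply not have been applied yet
        } else {
            'ReviewAllowed'       # enrolled, exempted, or not in the target collection?
        }
        [pscustomobject]@{
            User     = $Device.UserDisplayName
            DeviceId = $Device.DeviceId
            State    = $state
            AgeHours = [math]::Round($age.TotalHours, 1)
            Verdict  = $verdict
        }
    }
}

# Constructed sample records (not real devices), so the example runs offline.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ UserDisplayName = 'Alice (sample)'; DeviceId = 'SAMPLE-0001'
                       DeviceAccessState = 'Allowed'; FirstSyncTime = $now.AddMinutes(-40) }
    [pscustomobject]@{ UserDisplayName = 'Bob (sample)';   DeviceId = 'SAMPLE-0002'
                       DeviceAccessState = 'Blocked'; FirstSyncTime = $now.AddHours(-5) }
    [pscustomobject]@{ UserDisplayName = 'Carol (sample)'; DeviceId = 'SAMPLE-0003'
                       DeviceAccessState = 'Allowed'; FirstSyncTime = $now.AddDays(-2) }
)
$sample | Get-EasEnforcementState -Now $now | Format-Table -AutoSize
```

Devices reported as ReviewAllowed are the ones to compare against the target and exempted collections: they are past the 3-hour window and still allowed to sync.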

See also this link for a very detailed description:
