Extend conditional access to cover EWS for on-premise Exchange
At present we are able to protect all entry methods other than Outlook on OS X connecting via EWS.
IT must use Hybrid Exchange to use Modern Auth, which is a regression for on-prem customers.
Hamza Chekairi commented
Without conditional access covering EWS to manage third-party applications, Microsoft Intune is a very immature product. What is the purpose of paying for MS Intune licensing, enrolling devices and restricting them to MS apps and blocking the native mail app, when third-party apps can be downloaded and used to access company data?
If I need to allow any app it would be the native one, as at least this is more secure than using a third-party app.
Overall, Microsoft really needs to look at this seriously; without conditional access covering EWS, the Intune product is immature and useless!
Brittany Auldridge commented
MSFT Support's answer is to apply conditional access policies and force users to use the Outlook app. While this is technically a solution, I feel that this is ignoring a huge security flaw...
Pepo Pivo commented
I agree! This is a big problem, not only for on-premises Exchange but also for Exchange Online!
We are trying to avoid our Exchange Online mailboxes being reachable with username/password from the outside, so we implemented Intune. And THEN we figured out that all the nice Conditional Access policies ignore that EWS exists. As we do not want to block EWS from the outside (because of the Skype for Business app), it will stay a dirty solution until EWS is also included in the Intune Conditional Access policies...
Is this something that is planned for the near future?!?
Good God, yes! Conditional Access policies for EAS are great, but if they only cover EAS and not EWS, someone can still download email on an unmanaged device. EWS Allow List whitelisting *looks* like it addresses this, but doesn't, because the user agent it relies on is easily spoofed.
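The EWS allow list that the last comment refers to is configured per organization or per mailbox in Exchange PowerShell. The following is an added example, not code from the thread or from Microsoft: it audits which mailboxes still accept any EWS client, then applies an allow list. It assumes an Exchange Management Shell (on-premises) or Exchange Online PowerShell session; the user-agent pattern `Microsoft Office/*` and the mailbox address are placeholders, and the exact User-Agent of any client you must keep (such as the Skype for Business app) should be confirmed before it is added.

```powershell
# Added example, not from the original thread. Requires an Exchange Management Shell
# (on-premises) or Exchange Online PowerShell session with CAS mailbox rights.
# 'Microsoft Office/*' and 'user@contoso.com' are assumed placeholders.

# 1. Org-level default: is any EWS application access policy enforced at all?
Get-OrganizationConfig |
    Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList |
    Format-List

# 2. Audit: mailboxes where EWS is enabled and no allow list is enforced.
#    Any client holding valid credentials can pull mail from these over EWS,
#    regardless of Conditional Access policies that cover EAS only.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.EwsEnabled -ne $false -and
        $_.EwsApplicationAccessPolicy -ne 'EnforceAllowList'
    } |
    Select-Object Identity, EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList
$exposed | Format-Table -AutoSize

# 3. Org-wide allow list: only clients whose User-Agent matches a listed
#    pattern may use EWS. Adjust the pattern(s) to the clients you must keep.
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList `
                       -EwsAllowList 'Microsoft Office/*'

# 4. Per-mailbox override for a user who needs an additional client.
Set-CASMailbox -Identity 'user@contoso.com' `
               -EwsApplicationAccessPolicy EnforceAllowList `
               -EwsAllowList 'Microsoft Office/*','AnotherApprovedClient/*'

# 5. For mailboxes that have no EWS client at all, disable the protocol outright;
#    this is the only setting here that does not depend on the User-Agent header.
# Set-CASMailbox -Identity 'user@contoso.com' -EwsEnabled $false
```

The caveat the commenter raises applies to steps 3 and 4: `EwsAllowList` and `EwsBlockList` are matched against the User-Agent header, which the client chooses, so they filter cooperative software rather than an attacker with stolen credentials. Treat them as hygiene that narrows accidental exposure; the actual boundary is either `-EwsEnabled $false` for mailboxes that do not need EWS, or an authentication control that sits in front of EWS.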