Microsoft Intune Feedback

Extend conditional access to cover EWS for on-premise Exchange

Extend conditional access to cover EWS for on-premise Exchange. At present we are able to protect all entry methods other than Outlook on OSX connecting via EWS

66 votes

Simon shared this idea

5 comments

  • HAMMAMI commented

    IT must use Hybrid Exchange to use Modern Auth, which is a regression for on-prem customers

  • Hamza Chekairi commented

    Without conditional access to cover EWS to manage third-party applications, Microsoft Intune is a very immature product. What is the purpose of paying for MS Intune licensing, enrolling devices and restricting them to use MS apps and block the native mail app, when third-party apps can be downloaded and used to access company data??

    If I need to allow any app it would be the native one, as at least this is more secure than using a third-party app.

    Overall, Microsoft really need to look at this seriously, without conditional access to cover EWS, the Intune product is immature and useless!

  • Brittany Auldridge commented

    MSFT Support's answer is to apply conditional access policies and force users to utilize the Outlook App. While this is technically a solution, I feel that this is ignoring a huge security flaw...

  • Pepo Pivo commented

    I agree! This is a big problem, not only for on-premise Exchange, but also for Exchange Online!
    We are trying to avoid that our Exchange Online mailboxes are reachable with Username/PWD from the outside, so we implemented Intune. And THEN we figured out that all the nice Conditional Access Policies ignore that EWS exists. As we do not want to block EWS from the outside (because of the Skype for Business App) it will stay a dirty solution until EWS is also included in the Intune Conditional Access Policies...
    Is this something that is planned for the near future?!?

  • Ryan commented

    Good God yes! Conditional Access policies for EAS are great, but if they're only covering EAS and not EWS, someone can still download email on an unmanaged device. EWS Allow List whitelisting *looks* like it addresses this, but doesn't because the user agent it relies on is easily spoofed.

    Full rant in this thread:
    https://social.technet.microsoft.com/Forums/exchange/en-US/03e46abb-6344-47fd-ba9f-cebaebf8d24c/ews-email-access-and-mfa?forum=exchangesvradmin
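The comment above notes that the EWS allow list keys on the client's User-Agent string. As an added example (not part of this thread or of any Microsoft tooling), the script below inventories which user agents each account is using against /EWS/ in IIS W3C logs, so an admin can see what that allow list would actually be matching on; the default IIS field order and the expected client families are assumptions, and the log lines are constructed. The same caveat applies to the inventory itself: it is only as trustworthy as the User-Agent header.

```python
from collections import defaultdict

# Column order of the default IIS W3C log (assumption: adjust to the
# "#Fields:" header of your own logs).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs-Referer",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample lines; IIS writes '+' for spaces inside the User-Agent.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2019-03-01 08:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\\alice 203.0.113.10 MacOutlook/16.16.7+(Intel+Mac+OS+X+10.14) - 200 0 0 120
2019-03-01 08:00:09 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=ABC 443 CONTOSO\\alice 203.0.113.10 Outlook-iOS/2.0 - 200 0 0 80
2019-03-01 08:01:15 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\\bob 198.51.100.7 ExchangeServicesClient/15.00.0913.015 - 200 0 0 95
2019-03-01 08:02:30 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\\bob 198.51.100.7 UCCAPI/16.0.4 - 200 0 0 60
2019-03-01 08:03:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.9 MacOutlook/16.16.7 - 401 2 5 10
"""

# Client families expected on EWS here (assumption for this example):
# Outlook for Mac and the Skype for Business / Lync client.
EXPECTED_EWS_AGENTS = ("MacOutlook/", "UCCAPI/")


def parse_iis(log_text):
    """Yield one dict per data line, keyed by FIELDS; '#' directives are skipped."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # malformed line or a non-default field layout
        yield dict(zip(FIELDS, parts))


def ews_inventory(log_text):
    """Map each authenticated user to the set of user agents it used on EWS."""
    seen = defaultdict(set)
    for rec in parse_iis(log_text):
        if not rec["cs-uri-stem"].lower().startswith("/ews/"):
            continue  # ActiveSync, OWA, etc. are covered by other controls
        if rec["cs-username"] == "-" or rec["sc-status"] != "200":
            continue  # unauthenticated or rejected request
        seen[rec["cs-username"]].add(rec["cs(User-Agent)"].replace("+", " "))
    return dict(seen)


def unexpected_ews_clients(log_text, expected=EXPECTED_EWS_AGENTS):
    """Sorted (user, agent) pairs whose agent matches no expected family."""
    return sorted((user, agent)
                  for user, agents in ews_inventory(log_text).items()
                  for agent in agents
                  if not agent.startswith(expected))
```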
