Tips & Tricks: Securing ActiveSync Access to Exchange Online with Office 365 MDM

I’ve always felt that Office 365 MDM is an obsolete option sitting between doing just Exchange ActiveSync policies and going the whole nine yards with true MDM capabilities (Intune).

Today I realized that you can do at least one thing with Office 365 MDM that separates it from a plain Exchange mobile device policy, and that is securing ActiveSync enrollment.

KB

https://support.office.com/en-us/article/capabilities-of-built-in-mobile-device-management-for-office-365-a1da44e5-7475-4992-be91-9ccec25905b0?ui=en-US&rs=en-US&ad=US 

Background

Most (or all) mobile OSes, apart from the native iOS mail client, lack a modern-auth-capable native mail client, so securing ActiveSync enrollment with 2FA is sometimes seen as a bit of an open question.

It’s usually addressed in one, or a combination, of the following ways:

  1. By using the Outlook mobile app
  2. By using app passwords (I wouldn’t recommend app passwords even to my worst enemy)
  3. By requiring Intune enrollment
  4. By bypassing 2FA for ActiveSync and requiring admin release from quarantine
  5. By just bypassing 2FA for ActiveSync

Now I am adding one more option to the list: (6) Office 365 MDM, which is pretty much my top recommendation if you need to use non-iOS native mobile clients and/or don’t have Intune available.

  • If you’re using Azure AD Premium P1, or 3rd-party MFA with AD FS, and want to require strong enrollment before allowing ActiveSync access, but don’t have Intune, then I see this as a pretty tempting way of achieving some additional security for ActiveSync.

Client experience

  • After adding the ActiveSync profile to the mobile phone, the user receives a mail very similar to the classic quarantine message. This is the only item in the mailbox, so no data is exposed to the user until further verification (enrollment requiring 2FA) is done.

(Screenshot: IntuneEnrollment)


Service side settings

In order for this setup to work:

  • Block devices that don’t support Office 365 MDM (the organization-wide device access setting)

(Screenshot: OrgWide)

  • The Company Portal app and device join (Intune) have to require a second factor; otherwise the protective qualities of this setup are gone
  • If you want to allow non-ActiveSync clients, create a filtering rule in AD FS (with 3rd-party MFA), or configure Conditional Access (CA) to filter out ActiveSync in the ’Client Apps’ settings
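The Conditional Access half of that checklist can be audited from a policy export. This is an added example, not from the post or from Microsoft: the policy dicts follow the Microsoft Graph conditionalAccessPolicy JSON shape, the sample policies are constructed, and the Office 365 MDM org-wide block itself is not visible in Conditional Access, so it is out of scope here.

```python
"""Audit Conditional Access policies for the ActiveSync + Office 365 MDM setup:
the MFA policy must not cover Exchange ActiveSync (the MDM block gates those
clients instead), and device registration/join must require MFA.
Added example; field names follow the Graph conditionalAccessPolicy resource."""

EAS = "exchangeActiveSync"
REGISTER_DEVICE = "urn:user:registerdevice"  # Graph user action "Register or join devices"


def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])


def covers_activesync(policy):
    # Missing/empty clientAppTypes is treated as "all" (conservative assumption).
    apps = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    return not apps or "all" in apps or EAS in apps


def audit_policies(policies):
    """Return a list of (policy name, issue) findings for enabled MFA policies."""
    findings, register_mfa_ok = [], False
    for p in policies:
        if p.get("state") != "enabled" or not requires_mfa(p):
            continue  # report-only, disabled or non-MFA policies enforce nothing here
        actions = p.get("conditions", {}).get("applications", {}).get("includeUserActions") or []
        if REGISTER_DEVICE in actions:
            register_mfa_ok = True
        elif covers_activesync(p):
            findings.append((p["displayName"], "MFA policy still applies to Exchange ActiveSync; "
                             "EAS clients cannot complete MFA. Filter ActiveSync out under Client Apps "
                             "and let the Office 365 MDM block gate those devices instead."))
    if not register_mfa_ok:
        findings.append(("(tenant)", "No enabled policy requires MFA for 'Register or join devices'; "
                         "without MFA on enrollment the MDM block adds no strength."))
    return findings


SAMPLE_POLICIES = [  # constructed sample export, not from a real tenant
    {"displayName": "Require MFA for all cloud apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", EAS]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA to register devices", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeUserActions": [REGISTER_DEVICE]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for name, issue in audit_policies(SAMPLE_POLICIES):
        print(f"[{name}] {issue}")
```

Both sample policies are deliberately wrong; fixing the first to drop `exchangeActiveSync` from `clientAppTypes` and enabling the second clears every finding.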


That’s it!

Br, Joosua