As I talked about last week, Microsoft is launching some new Intune functions. One of these, which is highly sought after and frequently asked about, is Conditional Access for browser access to O365 workloads. I talked about it a bit in my blog note below:

Conditional access for browser

This easily addresses one of the biggest customer concerns I’ve run into: ADFS can’t conditionally block service-level access to Office 365.

I’ve been waiting for some time now, and finally Intune will offer the ability to control Conditional Access to Exchange Online and SharePoint Online (and by proxy OneDrive for Business). In this model, you can restrict access to these services to supported web browsers on managed and compliant devices (iOS and Android). If the device is not enrolled/compliant, just as with traditional Conditional Access, the user will be prompted to enroll the device before sign-in is allowed.

As far as support…

You can restrict access to OWA for Exchange Online and to SharePoint / OneDrive for Business when accessed from a browser on iOS and Android devices. Access will only be allowed from supported browsers on compliant devices:

  • Safari (iOS)
  • Chrome (Android)
  • Managed Browser (iOS and Android)

Unsupported browsers will be blocked.

NOTE: The OWA apps for iOS and Android are not supported. They should be blocked through ADFS claims rules.
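The post says the OWA mobile apps should be blocked with ADFS claims rules but does not show one. As an added example (not from the original post or from Microsoft), the following shows the shape such a rule set takes: an issuance authorization rule that denies a named client application via the request-context claim `x-ms-client-application`, followed by the usual permit-all rule. The application value is a placeholder, and the relying party name is assumed to be the default Office 365 trust name; check both against your own AD FS configuration and sign-in logs.

```powershell
# Added example, not the post's own configuration. Requires the AD FS cmdlets
# (Import-Module ADFS) on an AD FS server that supplies request-context claims.

# The regex value is a PLACEHOLDER: replace it with the x-ms-client-application
# value that your AD FS audit logs record for the OWA mobile app.
$rules = @'
@RuleName = "Deny OWA mobile app"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "^PLACEHOLDER-OWA-APP-NAME$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all other requests"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Relying party name assumed to be the default created when federating a domain.
$rpName = "Microsoft Office 365 Identity Platform"

# Apply the authorization rules (deny rules win over permit rules in AD FS).
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read the rules back to confirm the change landed on the intended trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two caveats a practitioner will want: replacing `IssuanceAuthorizationRules` overwrites any existing authorization rules on that trust, so export them first, and the deny rule only helps if the app value you match is the one AD FS actually sees, so validate it in the logs before rolling the rule out broadly.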

Let’s take a look at how it’s configured!

First, let’s take a look at the new policy settings in Intune under the Conditional Access policies for Exchange Online and SharePoint Online/OneDrive for Business.

You’ll see our new options here, under “Outlook Web Access (OWA)” and “Browser Access to SharePoint and OneDrive for Business”.


Note that once you check that box, it is enforced only for your targeted groups, just like other Conditional Access policies. That means that if you don’t have a blanket policy covering your entire organization, only selected groups, then folks not in those groups are exempt and won’t be blocked. This is important if you’re in the process of moving to Intune with Conditional Access or are still testing.

You should note that these settings currently apply only to mobile devices. You can choose to allow access to Exchange Online, SPO or OneDrive for Business only through the supported browsers: Safari for iOS and Chrome for Android. Access from other browsers will be blocked.

The same platform restrictions you selected for application access for Outlook also apply here. This means that if you aren’t protecting Android devices with Conditional Access, the browser settings will not apply to them either.

To identify the device that is used to access the service, Azure Active Directory issues a TLS certificate to the device, which the browser then presents to prove the connection comes from that device.

Let’s start by checking the respective boxes.


Let’s go ahead and test this.

iOS

First we’ll open a non-native browser, such as Firefox. We’ll navigate to https://outlook.office.com


And we can see that we get a prompt to

We can see that we get notified (because we’re using a non-native browser) that the device is not enrolled/compliant.


Now let’s try via the native Safari browser.


We’ll get a certificate notification.


And we’re allowed right through once we choose that certificate.


Android

First we’ll open a non-native browser, such as Firefox. We’ll navigate to https://outlook.office.com


And we can see that we get a prompt to

We can see that we get notified (because we’re using a non-native browser) that the device is not enrolled/compliant.


Now let’s try via the native Chrome browser.


We’ll get a certificate notification. It’s likely you don’t currently have any certificates to use, so I hit cancel.


On Android devices, users must enable browser access themselves. To do this, the end user must turn on the “Enable Browser Access” option on the enrolled device.

Let’s launch the Company Portal app and go to the Settings page in the upper right corner.


At the bottom, choose Enable Browser Access.

You’ll see it import a certificate, and you’ll get a notification.


Now let’s try with Chrome again. You’ll see we have access!
