Configure CEA for MS Office 365/Exchange Online

Microsoft Office 365/Exchange Online is one of the most widely used email providers and many organisations rely on it. This document is a step-by-step guide to configuring conditional email access (CEA) for Microsoft Exchange Online so that your users must enroll their devices before they can access email.

Prerequisites

  1. Read through our CEA Pre-Deployment Guide
  2. Scalefusion account with an Enterprise license

Step 1: Create an Admin with Exchange Administrator Role

The first step is to create an administrator account with the Exchange Administrator role in Azure AD (now Microsoft Entra ID). This account is used to configure CEA in the Scalefusion portal, so you must know its email and password. Because Scalefusion stores this password and signs in with it on your behalf, use a dedicated account that holds only the Exchange Administrator role rather than a Global Administrator or a person's day-to-day account. If you already have an account with this role assigned, proceed to Step 2; otherwise follow the steps below.

  1. Sign in to the Azure AD portal and navigate to the Users section.
  2. Click the user account you want to grant the Exchange Administrator role to, then click Assigned Roles.
  3. Click Add Assignments, search for Exchange Administrator and assign the role.
  4. Once the role has been assigned, Exchange Administrator is listed under the user's Assigned Roles.

Step 2: Disable Modern Auth or Security Defaults

Microsoft requires Security Defaults, and with them the enforcement of modern authentication, to be turned off before conditional email access can be driven through an MDM such as Scalefusion, which signs in to Exchange Online with a username and password. Be clear about what this trades away: Security Defaults are what enforce multi-factor authentication for users and administrators and block legacy authentication protocols tenant-wide, so after this step those protections exist only if you provide them by other means. If you have already disabled Security Defaults, proceed to Step 3; otherwise follow the steps below.

  1. While signed in to Azure AD, navigate to the Properties menu and click Manage Security Defaults.
  2. On the Security defaults pane, select No for Enable Security Defaults, choose a reason and click Save.
  3. Finally, save the changes to the Properties settings to complete this step.
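The following PowerShell script is an added example, not part of this article or of Scalefusion's product. It checks the outcome of Steps 1 and 2 from your own machine before you hand the account's password to the portal. It assumes the Microsoft.Graph PowerShell SDK is installed, that you run it as an account allowed to read directory roles and the Security Defaults policy, and that cea-admin@contoso.onmicrosoft.com is a placeholder for the account created in Step 1. The remote session at the end is my reading of what the PowerShell Gateway URL and username/password fields in Step 4 imply (a basic-authentication remote PowerShell session against Exchange Online); the article does not describe the portal's mechanism, so treat that part as an assumption.

```powershell
# Added example, not Scalefusion code. Pre-flight checks for Step 1 (role) and Step 2 (Security Defaults).
# Assumptions: Microsoft.Graph module installed; the caller can read directory roles and policies;
# $ceaAdminUpn is a placeholder for the dedicated account created in Step 1.
$ceaAdminUpn = 'cea-admin@contoso.onmicrosoft.com'   # placeholder, replace with your account

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Policy.Read.All' -NoWelcome

# Returns the UPNs of the members of a built-in directory role. A role shows up in
# Get-MgDirectoryRole only after it has been activated by assigning it at least once in the tenant.
function Get-RoleMemberUpns([string]$RoleName) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
    if (-not $role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}

# Step 1: the account must hold Exchange Administrator ...
$exchangeAdmins = Get-RoleMemberUpns 'Exchange Administrator'
if ($exchangeAdmins -notcontains $ceaAdminUpn) {
    Write-Warning "$ceaAdminUpn does not hold the Exchange Administrator role (Step 1 incomplete)."
}
# ... and, because its password will be stored by a third party, nothing more than that.
$globalAdmins = Get-RoleMemberUpns 'Global Administrator'
if ($globalAdmins -contains $ceaAdminUpn) {
    Write-Warning "$ceaAdminUpn is also a Global Administrator; use a dedicated least-privilege account."
}

# Step 2: Security Defaults must be off. Remember that this also switches off the MFA enforcement
# and legacy-authentication blocking they provide.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning 'Security Defaults are still enabled (Step 2 incomplete).'
} else {
    Write-Host 'Security Defaults are disabled; make sure MFA for your other admins is enforced some other way.'
}
Disconnect-MgGraph | Out-Null

# Optional (assumption, see lead-in): open the kind of username/password remote PowerShell session the
# portal's Validate button appears to need. If this fails in your tenant, Validate will fail for the
# same reason, so it is worth knowing before you enter the password into the portal.
$cred = Get-Credential -UserName $ceaAdminUpn -Message 'Password of the CEA admin account'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection -ErrorAction Stop
Import-PSSession $session -CommandName Get-ActiveSyncOrganizationSettings -AllowClobber | Out-Null
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel
Remove-PSSession $session
```

Run it from a workstation where you can sign in interactively to Microsoft Graph. The two warnings about role membership are the ones to act on before Step 4; the final session check is optional and only confirms that the credentials can open a remote PowerShell session to Exchange Online.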

Step 3: Import/Add Users or Configure Device Custom Properties

CEA works on the basis of email IDs, so before you configure CEA in Scalefusion you must either import the users or set their email IDs as custom properties. Follow the guides below to do so:

  1. Importing/Adding Users to Scalefusion
  2. Using Custom Properties to set Email IDs

Step 4: Configuring Conditional Email Access in Scalefusion

Now that you have completed the preparatory steps, sign in to the Scalefusion portal, navigate to the Conditional Email Access section and click Configure to open the CEA wizard. The wizard has four tabs, described below.

  1. Configure Access: The first tab grants Scalefusion access to your Exchange organisation and its users. For this you need the email and password of the account that was granted the Exchange Administrator role in Step 1.
    1. Email Service Type: Select Exchange Online.
    2. PowerShell Gateway URL: Pre-filled with https://outlook.office365.com by default.
    3. PowerShell Administrator Username: Enter the email ID of the Exchange Administrator account from Step 1.
    4. PowerShell Administrator Password: Enter that account's password.
    5. Click Validate to check the settings now, or Next to proceed to the next tab, in which case the validation happens when the settings are saved.
      Please note that once you click Validate it takes about 30 seconds to a minute for the credentials to be validated.
  2. Configure Policy: The settings in this tab define the policies on the basis of which conditional email access is enforced. They are divided into four sections.
    1. Access Policy: This section defines the broader access policies that apply to all users/devices.
      1. Default Global Access Policy: By default, all access to email from new devices by any user in the organisation is Quarantined. This is the default setting and it cannot be changed.
        What this means is that any user trying to access email from a new device is first quarantined and then evaluated against the CEA policy. If the policy allows them access without enrolling the device in Scalefusion, or grants them a grace period, they are released from quarantine.
        Please note that once users are released from quarantine, it takes around 3 hours for the change to take effect on the device. This is the average turnaround time for Microsoft Exchange.
      2. Block Email Access from Outlook: Choose whether users may access email from the Outlook client or should be blocked. We suggest blocking it on Android, iOS and Windows, since CEA policies can be applied on these platforms. If Outlook access is blocked:
        1. All users are blocked from accessing email using the Outlook client on Android and iOS.
        2. On Windows, only the users defined by Select Target Users (item 4 below) are blocked from accessing email using the Outlook client. Other users can still access it.
        macOS: Since no APIs are available for macOS, we recommend not blocking access on a Mac.
      3. Block Outlook Web Access: Choose whether users may access email through Outlook on the web from browsers such as Google Chrome, Microsoft Edge or Safari. We suggest blocking it; when blocked, all users are prevented from accessing email through a browser.
      4. Select Target Users: This is one of the most important settings. It defines which users CEA targets and which are exempt. The options are:
        1. All Users: Target all users in your organisation and apply CEA policies to them.
        2. Imported Users: Target only the users that you Import/Add using User Management or whose email IDs you add through custom properties/fields.
        Please note that access to email by existing users from new devices is always quarantined first. Based on the target users setting, they are then either allowed access without enrolling their devices in Scalefusion or required to enroll them.
    2. Grace Period: This section defines a grace period during which targeted users may still access email without enrolling. Beyond the grace period their access is blocked until they enroll their devices.
      1. Configure Grace Period for Users: Select a suitable grace period.
      2. Apply Grace Period To: For the target users defined in the Access Policy above, choose whether the grace period applies to their existing devices and/or to new devices on which they access email. Unchecking an option means no grace is given on those devices and the users must enroll them before they can access email.
    3. Enrollment Settings: This section selects the default enrollment profile for BYOD devices.
      1. Default Enrollment Configuration for User Enrolled Devices: From the dropdown, select the BYOD/Personal QR code configuration that will be used to enroll the users.
      2. Apply these settings for all Corporate Owned Devices: This is an informational marker; the settings are applied to all corporate-owned devices by default. Note that although they apply to all corporate-owned devices, they are only pushed to devices that have an email ID set as a custom property.
    4. Configure Email Templates & Reminders: The last section defines the content of the email sent to users telling them to enroll their devices, and how often it is resent.
      1. Configure Reminder Email Template: Click the input area to edit the email content. Placeholders such as %device_model%, %device_os% and %days_left% are filled in dynamically for each device. Scalefusion also appends the enrollment instructions appropriate to the device type, such as the QR code to scan or the enrollment URL to use.
      2. Reminder Email Frequency: Select how often users are reminded to enroll their devices.
      3. Quarantine Email Content: Since all users are quarantined by default, Microsoft lets you set a short message (up to 255 characters) telling users why their device was quarantined.
  3. Exchange Server Settings: This tab defines the Exchange settings used to configure Exchange on Scalefusion-managed devices.
    1. Exchange Server Settings: Enter your organisation's Exchange server settings.
    2. User Sign In Settings: This section defines which fields are used as the email address and username when an Exchange configuration is pushed to enrolled devices.
      1. User Initiated Enrollments: For BYOD devices, Scalefusion automatically uses the imported/added user's email as the sign-in email.
      2. Corporate Owned Enrollments: Choose which custom fields are used as the email ID and username in the pushed Exchange configuration.
        All email IDs assigned to these custom fields are treated as target users and the CEA policies apply to them.
    3. Sync Settings: This section configures the email and calendar sync settings.
  4. Review & Save: The final step is to review the settings and, if everything looks good, click CREATE.

If the credentials are validated, the portal shows a confirmation and starts the initial sync. The sync usually takes around 30 minutes, during which the CEA section is disabled to ensure consistency. Once the initial sync is successful, the CEA section starts showing the synced information.
Step 5: Update the Device Profiles

Once CEA is configured, update the device profiles so that users get access to the applications they need to sign in and read email. Which applications are needed depends on the platform:

  1. Android: In all Corporate Owned (Kiosk) profiles, and in the BYOD profile you selected as the default enrollment profile, enable the Gmail and Google Chrome applications.
  2. iOS: If you manage Supervised/DEP devices, allow the Safari and Mail applications in the device profile.
  3. Windows: No specific changes are required, but note that on Windows, CEA and Exchange configurations in general can only be published to the admin/enrolled accounts. The Exchange configuration will not work for standard or restricted accounts.

Now that you have configured CEA, go through our document on CEA Control Panel to learn about the information that is displayed here, various states of devices and how to manage them.

Frequently Asked Questions

Question: Why do we see an exclamation (!) mark once we have configured the CEA?

Answer: This can happen for the following two reasons,

  1. No Imported/Added Users: You configured CEA without first importing or adding any users. Please contact our support to remove the CEA configuration and start afresh.
  2. Invalid PowerShell Administrator credentials: The administrator account's password was changed after CEA was configured. Edit the configuration and update the credentials. Bear this in mind whenever you rotate that account's password: until the portal has the new password, it cannot sync with Exchange.

Question: Why do all users see a Quarantine message when they access email on a new device, even though they are not target users or are already imported to Scalefusion?

Answer: To achieve CEA, by default the global access policy is set to Quarantine, which means that all users attempting to access emails on new devices irrespective of being imported/added to Scalefusion will be quarantined.

Once Scalefusion detects these users and their new devices based on the periodic sync, it applies the policies and allows the users access to emails if allowed by policy.

For a user not targeted by policy, on an average it takes about 3 hours to allow email access on a new device.

Question: Why are the options to Edit, Delete and Sync disabled?

Answer: This is by design. During a sync operation, we disable the options to avoid any conflicts.

Question: What is the default Sync duration or how often does Scalefusion detect for changes?

Answer: Scalefusion detects for changes every 2 hours.

Question: What would happen if you delete the CEA configuration?

Answer: Scalefusion would do the following,

  1. Revert the Global Policy from Quarantine to Allowed
  2. Stop managing the email access on new and existing devices.
  3. Delete all the data related to users and their devices.
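The following script is an added example, not part of this article or of Scalefusion's product. It inspects the Exchange Online side of what the Default Global Access Policy, the Quarantine Email Content limit and the deletion FAQ above describe, so you can confirm the tenant state yourself rather than infer it from the portal. It assumes the ExchangeOnlineManagement module is installed and that you sign in interactively as an account that can read ActiveSync organisation settings and mobile devices (the Exchange Administrator from Step 1 is sufficient). The article does not name the Exchange settings behind these options; mapping the global access policy to DefaultAccessLevel and the quarantine message to UserMailInsert is my reading, and the 3-hour threshold is the average turnaround quoted in the FAQ.

```powershell
# Added example, not Scalefusion code. Inspects the Exchange Online side of CEA.
# Assumptions: ExchangeOnlineManagement module installed; interactive sign-in as an account that can
# read ActiveSync organisation settings and mobile devices. The mapping of the portal's options to
# DefaultAccessLevel / UserMailInsert is an assumption; the 3-hour figure comes from the FAQ.
Connect-ExchangeOnline -ShowBanner:$false

# Default Global Access Policy: expect 'Quarantine' while CEA is configured and 'Allow' after you
# delete the configuration (FAQ "What would happen if you delete the CEA configuration?").
$org = Get-ActiveSyncOrganizationSettings
"Default access level : $($org.DefaultAccessLevel)"
"Quarantine message   : $($org.UserMailInsert)"
if ($org.UserMailInsert -and $org.UserMailInsert.Length -gt 255) {
    Write-Warning 'Quarantine Email Content is longer than the 255 characters the article says Microsoft allows.'
}

# Devices still in quarantine, with how long they have been waiting. Scalefusion releases or blocks
# them on its periodic sync, so anything waiting longer than the average turnaround is worth a look
# (wrong target-user setting, stale admin credentials, or a sync still in progress).
$now = Get-Date
$quarantined = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    ForEach-Object {
        [pscustomobject]@{
            User        = $_.UserDisplayName
            Device      = "$($_.DeviceType) $($_.DeviceModel) ($($_.DeviceOS))"
            Reason      = $_.DeviceAccessStateReason
            HoursWaited = if ($_.FirstSyncTime) { [math]::Round(($now - $_.FirstSyncTime).TotalHours, 1) } else { $null }
        }
    } |
    Sort-Object HoursWaited -Descending
$quarantined | Format-Table -AutoSize
$quarantined | Where-Object { $_.HoursWaited -gt 3 } |
    ForEach-Object { Write-Warning "$($_.User): $($_.Device) quarantined for $($_.HoursWaited) h" }

# Overall picture: how many devices are Allowed, Blocked, Quarantined or still in discovery.
Get-MobileDevice -ResultSize Unlimited |
    Group-Object DeviceAccessState |
    Select-Object @{ n = 'State'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once right after the initial sync completes and again after deleting the CEA configuration: the first run should report Quarantine and a populated quarantine list, the second should report Allow, which is the revert the FAQ describes.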
