Intune – Exchange Online Conditional Access and the OneDrive for Business Mobile App

Recently, we were contacted by a user saying that once we enabled conditional access for them for Exchange Online, they were no longer able to access the OneDrive for Business mobile application. At first, this seemed a bit puzzling. After all, we never enabled conditional access for any application other than Exchange. As such, how can logins to OneDrive for Business possibly be blocked?

Now, let’s step back a moment and take a look at the situation. By enabling conditional access for EXO, we are essentially saying that you CANNOT connect to email with a mobile app unless you are enrolled in Intune AND you are compliant (not jailbroken/rooted, strong PIN, etc.). Normally, this only applies to mobile mail apps that rely on ActiveSync to connect. Outlook Mobile can be the exception to the rule using MAM without enrollment (that’s for another posting!), but I digress. Either way, that user should absolutely not be blocked from logging into OneDrive for Business because we did not configure this to be the case.

After looking at everything, we were not able to see any obvious reason for this to be happening, so we opened a case with Microsoft. After looking at the same thing we looked at a few hundred times, we ended up finding out that the issue is related to the security tokens used to access the Graph API (which in turn determines if your device can or cannot access the app in question). Turns out OneDrive for Business and Exchange Online use the SAME token. As such, if you aren’t compliant with the rules to connect to Exchange Online, you are also NOT compliant enough to connect to the OneDrive for Business app. Who knew?

While Microsoft’s official stance is that this was by design, they have been getting a lot of complaints about it. I am assured that a fix will be on the way in the 2nd half of 2017. No specific dates were given, but we have been assured the services will be treated independently of one another in a coming update to the Graph API.

In the meantime, make sure you realize that as far as conditional access is concerned, you must treat OneDrive for Business and Exchange Online as one and the same.

