Published: 20th July 2020 | In: Tech Blog
Upcoming changes to Microsoft Exchange Online plan to address conflicts discovered between certain Azure Active Directory Conditional Access policies and Exchange Online device access rules in Outlook for iOS and Android. Read on to understand the conflict in more detail, and prepare your systems for the changes rolling out in August 2020.
Defence in Depth
The law of unintended consequences can be cruel and heartless; nowhere more so than in the field of cybersecurity.
Often, we try to improve the security of our infrastructure by implementing shiny new controls when they become available, but end up missing an edge case.
Sometimes it causes a minor inconvenience to end users – like they need to click an extra button or accept an MFA prompt that they weren’t expecting. Other times, it kills the CEO’s email access an hour before a critical meeting. Sure, they happen to be using an obscure mail client on their phone that no one in your team has ever heard of, but that’s not an argument you’re likely to get much traction with!
In any case, the guiding principle we’re employing is Defence in Depth. Lock your sensitive data in the castle keep and build walls, ramparts, moats, and drawbridges around it to keep the foes out, but let the allies in. An attacker may get through one line of defence, only to hit another. Seems straightforward enough, until ye olde law kicks in.
Exchange Online Device Access Rules
Since 2010, Microsoft Exchange (and its cloudy brethren Exchange Online, or EXO) have allowed us to control which devices and apps can access Exchange via ActiveSync through Device Access Rules. Device Access Rules are quite blunt instruments. You can specify device types/models, OS version or mail app but, without introducing manual steps and overheads, you can’t lock it down to a specific device. Enter stage right, Azure AD Conditional Access.
Azure AD Conditional Access Policies
Conditional Access is an extremely powerful and flexible way to control which devices can access your castle; and, it allows you to do so in a much more granular way. For example, you can specify that the device must be enrolled in your MDM solution, compliant with your policies, be accessing from a trusted location and/or that the user must pass an MFA challenge every so often to retain their access. That last one is key here, as it’s probably the reason most people will be looking at Conditional Access today.
Streamlining & Securing Email Apps
If you’ve already configured Device Access Rules, it seems like a no-brainer that you would set up a Policy to augment your security with MFA and let the existing Rules control what types of devices or apps can be used. Not all email apps are created equal and, while this may be contentious to some, the Microsoft Outlook apps for iOS and Android are about the best you can get from an IT bod’s point of view. They’re easy to set up, easy to use if you’re familiar with the desktop version, and you can exert a lot of control over what users can do with the corporate data they hold on their devices (like preventing copy/paste from a work email to a WhatsApp chat). The fact that they’re also made by the same company who make your email solution is the icing on the cake, because your IT team can get support through the same channels.
You could do far worse things than enforcing that only Outlook mobile apps can be used. As an aside, a genuine benefit of doing this would be saving your IT Technicians from having to learn to use, support and troubleshoot umpteen different email apps. So, now we’ve got a clear path to easily supportable and more secure mobile mail access. Awesome!
The Azure AD vs Exchange Online Conflict
Well… remember that law of unintended consequences? It turns out that the Exchange and the Azure AD Teams at Microsoft may just have experienced a breakdown in communication at some point because last month they announced a major change to how these features would work together. You see, after the user has authenticated to Azure AD and gets passed through, EXO does a quick query to see if there are any Conditional Access policies in place; if there are, it just kind of lowers the drawbridge and lets the user in without checking the Device Access Rules.
If you’re like me, at this point you’re probably thinking “that’s not so bad, the user must have passed MFA, or has come from an MDM compliant device”. Unfortunately, that’s not the case, as the check that Exchange Online does is somewhat flawed. It seems that if a user is linked to any Conditional Access policies (even if the nature of that ‘link’ is to say that this policy doesn’t apply to the user), then Exchange Online just rolls over and defers to Azure AD. Not an optimal state of affairs…
Upcoming Exchange Device Access and Conditional Access changes with Outlook mobile
That’s how things have worked up until now. To their credit, Microsoft has realised this, admitted that this is “not the desired behaviour”, and will be fixing it next month. In the new world, the Exchange Online query will now check which controls the policy required for the user to pass. The Rules will only be bypassed if the policy requires:
- An MDM-compliant device
- An approved app (i.e. Microsoft Outlook for iOS or Android)
- An app protection policy in place
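To see which of your own policies fall into that category before the change lands, the following script (an added example, not part of the original post or of Microsoft’s guidance) pulls every Conditional Access policy through Microsoft Graph and flags those whose grant controls include one of the three bypassing requirements. It assumes the Microsoft.Graph PowerShell module with Policy.Read.All consent; the control names are Graph’s builtInControls values, and the Exchange Online application ID used to spot policies that target EXO is the well-known Office 365 Exchange Online service principal.

```powershell
# Added example: classify Conditional Access policies by whether, under the behaviour
# described in the post, Exchange Online will skip its Device Access Rules for users
# who satisfy them. Not Microsoft's code; the "bypass" mapping is this script's reading
# of the post, and the script only reports, it changes nothing.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All'

# Grant controls that, per the post, let EXO bypass Device Access Rules:
#   compliantDevice      = "Require device to be marked as compliant" (MDM-compliant device)
#   approvedApplication  = "Require approved client app" (Outlook for iOS/Android)
#   compliantApplication = "Require app protection policy"
$bypassControls = @('compliantDevice', 'approvedApplication', 'compliantApplication')

# Well-known appId of the Office 365 Exchange Online service principal
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $controls = @($p.GrantControls.BuiltInControls)
    $apps     = @($p.Conditions.Applications.IncludeApplications)

    # A policy reaches Exchange Online if it covers all cloud apps or names EXO explicitly
    $targetsExo = ($apps -contains 'All') -or ($apps -contains $exoAppId)
    $bypasses   = [bool]($controls | Where-Object { $bypassControls -contains $_ })

    [pscustomobject]@{
        Policy           = $p.DisplayName
        State            = $p.State                  # enabled / disabled / enabledForReportingButNotEnforced
        TargetsExchange  = $targetsExo
        Controls         = ($controls -join ',')
        Operator         = $p.GrantControls.Operator # AND = all controls required, OR = any one suffices
        BypassesEasRules = $bypasses
    }
}

# Policies that are enabled, reach EXO and carry a bypassing control are the ones whose
# users will never have Device Access Rules evaluated; MFA-only policies are listed too,
# so you can confirm the Rules will apply to them.
$report | Sort-Object BypassesEasRules, Policy -Descending | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Pay attention to the Operator column: a policy with Operator OR that lists mfa alongside compliantDevice lets a user satisfy it with MFA alone, so treat the compliance requirement as advisory when reading the BypassesEasRules column for such policies.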
If all you’re doing is requiring MFA in your policy, the Exchange Online Device Access Rules will still be evaluated and unapproved devices or mail apps will be blocked, just as you had originally intended. If you happen to be using this combination of policies and rules though, you should probably check the configuration of your users, as the rules haven’t been getting evaluated up until now. Microsoft has provided guidance on how to do this further down in their blog post.
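One way to do that check yourself, as an added example rather than the original post’s or Microsoft’s own procedure, is to re-run the tenant’s Device Access Rules locally against every mobile device Exchange Online knows about and list the devices that are currently Allowed but that the Rules would block or quarantine once they are honoured again. The script assumes the ExchangeOnlineManagement module and Exchange Online admin rights; its matching logic (case-insensitive exact match on each rule’s QueryString, with Block beating Quarantine beating Allow when several rules match) is this script’s approximation of Exchange’s evaluation, not Microsoft’s published algorithm.

```powershell
# Added example: report mobile devices whose current access would not survive the
# Device Access Rules. Read-only; not the post's or Microsoft's code.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide default for devices no rule matches: Allow / Block / Quarantine
$orgDefault = [string](Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
$rules      = @(Get-ActiveSyncDeviceAccessRule)

# Which MobileDevice property each rule Characteristic is compared against.
# XMSWLHeader is not visible on the device object, so rules of that kind are skipped.
$characteristicProperty = @{
    DeviceType  = 'DeviceType'
    DeviceModel = 'DeviceModel'
    DeviceOS    = 'DeviceOS'
    UserAgent   = 'DeviceUserAgent'
}

function Get-RuleVerdict {
    # Returns the access level the Rules would give this device (approximation, see lead-in)
    param($Device)
    $verdicts = foreach ($r in $rules) {
        $prop = $characteristicProperty[[string]$r.Characteristic]
        if (-not $prop) { continue }
        if ([string]$Device.$prop -ieq [string]$r.QueryString) { [string]$r.AccessLevel }
    }
    foreach ($level in 'Block', 'Quarantine', 'Allow') {
        if ($verdicts -contains $level) { return $level }
    }
    return $orgDefault
}

$devices = Get-MobileDevice -ResultSize Unlimited

$atRisk = foreach ($d in $devices) {
    # Devices allowed per-user via Set-CASMailbox are exempt from the Rules; skip them
    if ([string]$d.DeviceAccessStateReason -eq 'Individual') { continue }

    $expected = Get-RuleVerdict -Device $d
    if ([string]$d.DeviceAccessState -eq 'Allowed' -and $expected -ne 'Allow') {
        [pscustomobject]@{
            User         = $d.UserDisplayName
            ClientType   = $d.ClientType              # Outlook vs EAS
            DeviceType   = $d.DeviceType
            DeviceModel  = $d.DeviceModel
            DeviceOS     = $d.DeviceOS
            CurrentState = $d.DeviceAccessState
            StateReason  = $d.DeviceAccessStateReason
            RuleVerdict  = $expected
        }
    }
}

# Each row is a device that is getting in today but that the Rules, as written, would not admit
$atRisk | Sort-Object User | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Review the resulting list against your intended policy before August: either the device should be brought under an approved app or compliant-device requirement, or the rule that would block it needs adjusting, and either way the users involved are the ones to warn.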
To Use, or Not to Use Device Access Rules
Here’s the real question though… should you still be using Device Access Rules at all? Unlike CA policies, which can accurately verify the identity of an individual device or user through various means, Device Access Rules implicitly trust the information that the “mobile device” is sending them, like its Device ID, OS version, etc.; things which are trivial for an attacker to spoof (lie about).
Improving Your Security Maturity
Switching to Conditional Access can be a huge step forward in improving your security maturity. It can prevent your organisation from falling victim to Business Email Compromise attacks, which are being seen increasingly across all industries. With Quorum Cyber, you can draw on our experience in implementing Microsoft Azure technologies to secure your sensitive information and keep your castle locked tight.
For further information on the support our Security Operations Centre & Professional Services teams can provide you and your organisation, contact the Quorum Cyber team today.
Meet the Author
Craigg Barr, Senior Consultant at Quorum Cyber
“I have spent the majority of my career designing, implementing, and maintaining solutions in environments with strict compliance requirements, and helping to shape technology strategies and architectures. I’m a technology evangelist with a real passion and drive for helping organisations to deliver tangible business benefits in a secure and sustainable manner.”