In a recent blog post, "New in Intune: More conditional access, App SDK updates, and Android for Work!", the Intune team announced additional conditional access capabilities, including the ability to restrict access to Exchange Online to certain clients for MAM-only scenarios.

Here is what they posted…

Conditional access is one of the signature experiences from Microsoft Enterprise Mobility + Security, bringing together the power of Intune and Azure Active Directory Premium to allow you to define policies that provide contextual control at the user, location, device and app levels. This rich set of features gives you the control you need to ensure your corporate data is secure, while giving your users the experience they expect in today’s world. We’re excited to announce these new features that further expand our conditional access capabilities to mobile applications and Windows PCs:

  • Conditional access for mobile apps
    This update allows you to restrict access to Exchange Online from only apps that are enabled with Intune’s mobile application protection policies, such as Outlook. If you’ve been looking for a way to block access to Exchange Online from built-in mail clients or other apps, look no further.

I’ve taken some screenshots of the updated portal so you can get an idea of how it works.


First of all, you can see above that I’ve highlighted the new tile that appears.


Alternatively, if you customise it and hide the tile, you have the Exchange Online link underneath Conditional Access on the right.


From here we can start seeing what configuration options we’ve got.


First up, Allowed apps has the default setting of all apps.


The dropdown reveals the current MAM-only enabled apps that are available to use.



We can add restricted user groups.


We can make exceptions for certain use cases or troubleshooting scenarios.


All up, pretty easy to follow and implement.