With the Intune update in June 2016 (version 5.0.7000.0), we got Conditional Access for Outlook Web Access (OWA).

This means that the company can grant or deny access to portal.office.com based on whether the device is:

  • Domain joined
  • Compliant
  • Domain joined or Compliant

Support for mobile devices

  • iOS 7.1 and later
  • Android 4.0 and later, Samsung Knox Standard 4.0 or later
  • Windows Phone 8.1 and later 

You can restrict access to SharePoint Online when it is accessed from a browser on iOS and Android devices. Access is allowed only from supported browsers on compliant devices:

  • Safari (iOS)
  • Chrome (Android)
  • Managed Browser (iOS and Android) 

Unsupported browsers will be blocked.

Support for PCs

  • Windows 8.1 and later (when enrolled with Intune)
  • Windows 7.0 or Windows 8.1 (when domain-joined)
    • Domain-joined PCs must be set up to automatically register with Azure Active Directory. AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.
    • If the policy is set to require domain join, and the PC is not domain-joined, a message is displayed to contact the IT admin.
    • If the policy is set to require domain-join or compliant, and the PC does not meet either requirement, a message is displayed with instructions about how to install the Company Portal app and enroll.
  • Office 365 modern authentication must be enabled, and all the latest Office updates must be installed. Modern authentication brings Active Directory Authentication Library (ADAL) based sign-in to Office 2013 Windows clients and enables better security features such as multi-factor authentication and certificate-based authentication.

OWA Settings CA

OWA Settings CA 00

The workflow is like this:

conditionalaccess8-6

Important

Conditional access for PCs and Windows 10 Mobile devices with apps using modern authentication is not currently available to all Intune customers. If you are already using these features, you do not need to take any action. You can continue to use them.

If you have not created conditional access policies for PCs or Windows 10 Mobile for apps using modern authentication, and would like to do so, you must submit a request. You can find more information about known issues, as well as how to get access to this feature, at the connect site.

 


The user experience is like this when a device is not compliant:

User login 01