Show when Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity
Show that Exchange ActiveSync is bypassed by Azure Conditional Access in Sign-In activity. It is currently very confusing to customers to see what policies are enforced for Exchange Online ActiveSync.
It should be easy to see that no Azure Conditional Access policies are applied to Exchange ActiveSync, Intune doesn't enforce company portal and that Exchange ActiveSync is not blocked on the Exchange Backend.
Microsoft Case for reference: "RE: [REG:118121325001709] ] Conditional access not applied"
Att.: Caleb and Dhanyah
/Peter Selch Dahl
Thanks Peter and Nils,
We have some work in progress that will allow us to improve the sign-in data for these cases.
The pre-authentication logging in general needs to be greatly improved. ActiveSync access for us broke 100% simply by clicking the Enforce MFA button on a per-user account basis. When we tried rolling that back by removing MFA, re-enabling, and then having the user re-enroll, ActiveSync was still broken. Even creating an EOL authentication policy that would allow basic authentication for a specific account where this was necessary, ActiveSync still broken.
All of this is happening because basic authentication is denied outright, and we don't even get to see the logs of this activity. Where and why is it being blocked? Is conditional access policy blocking it? Is it being blocked inside of EOL?
I've tried working with MS support on this topic only to find that there is some "by design" setting that we cannot override that blocks all basic authentication attempts. I find that to be completely bizarre considering that it is documented to be able to create an EOL authentication policy that specifically allows basic authentication.
Bottom line is that without access to the logs, we've no ability to troubleshoot where the problem is happening. And when the data is not exposed to use in Azure portal, that also means that MS support has no access to the data. So we just have a broken platform.
Peter Selch Dahl commented
After enabling Exchange Online backend policy for blocking I don't even see attempt to perform authentication using BasicAuth anymore under Sign-In activity. It would be nice, if the customer could choose to see these event and are these attempts shared with Cloud App Security.
I have seen this as well with Android Enterprise, but in my case CA was applied as expected, but the sign-in logs didn't show that CA was applied.