Why is Outlook blocked when accessed by a user selected for Conditional Exchange Access?

Conditional Exchange Access (CEA) lets IT admins control Exchange ActiveSync (EAS) access to Exchange mailboxes from unauthorized devices. While CEA is supported for the native e-mail app on iOS and Windows devices and for the Gmail app on Android devices, it cannot be offered for Outlook because of Outlook's cloud service architecture and because Outlook uses an account-specific EAS device identifier.

With a native e-mail client, the EAS device ID is device-specific: when a user accesses the Exchange mailbox from a different device, a new device ID is issued. With the Outlook app, the device identifier is user- or account-specific. Because of its cloud architecture, Outlook connections appear under a single device identifier in Exchange even when they come from different devices. Any access control applied for that user therefore applies to every device behind that device ID, and since a CEA policy blocks or allows a device purely by its device ID, individual devices cannot be managed separately.

Architecture of Outlook app

Outlook is a cloud-backed application that runs on the Microsoft Cloud. In the Outlook for iOS and Android architecture, Exchange Online acts as a proxy between the Outlook app and the on-premises Exchange server. Outlook uses Microsoft's native sync protocol together with the EAS protocol to synchronize data and provide access to Exchange mailboxes.

As shown in the image, the Outlook service connects to Exchange on behalf of the device to fetch the mailbox.

Device identifiers and access control

As described in the architecture section, when the Outlook for iOS and Android app is used, Microsoft generates a single EAS Device Identifier for the combination of the user's credentials and the FQDN of the Exchange server. This works on a per-user basis rather than a per-device basis. Every time the user subsequently signs in to the Outlook app with the same Exchange credentials, on any device, the same EAS Device Identifier is used.

An EAS Device Identifier is the only mechanism through which an Exchange server recognizes and registers an e-mail client that receives mail via the EAS protocol. The MDM's CEA blocks or allows a device by marking its EAS Device Identifier as blocked or allowed for the user's mailbox. Since the Outlook app presents the same EAS Device Identifier on every device that uses the same credentials, an Outlook app installed on an MDM-enrolled device cannot be distinguished from one on a device that is not enrolled. If CEA marks the Outlook app's EAS Device Identifier as allowed, the Outlook app on an unenrolled device is allowed as well, giving any unmanaged device access to the Exchange mailbox and introducing security risk. Conversely, if the Outlook app's EAS Device Identifier is blocked, it is also blocked on the MDM-enrolled device. Hence, for security reasons, the Outlook app is blocked from accessing the Exchange mailbox once the policy is applied.
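As an added illustration (not code from the original article or from any MDM or Exchange product), the following Python model shows why an allow-by-device-ID policy cannot separate enrolled from unenrolled devices once the ID is derived per account instead of per device. The device names, user, Exchange FQDN and the hashing used to derive identifiers are constructed assumptions for the model only.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of CEA's decision: Exchange only sees the EAS Device
# Identifier, so allow/block is keyed on that string alone.
EXCHANGE_FQDN = "mail.example.com"   # placeholder FQDN, not a real server


@dataclass(frozen=True)
class Device:
    hardware_id: str   # unique per physical device (constructed value)
    user: str          # Exchange account used to sign in
    enrolled: bool     # is the device enrolled in MDM?


def eas_device_id(device: Device, client: str) -> str:
    """EAS Device Identifier the client presents to Exchange.
    Native mail clients derive it per device; Outlook's cloud service derives
    one ID per credentials + Exchange FQDN. Hashing is an assumption used
    only to make the IDs deterministic in this model."""
    if client == "native":
        seed = device.hardware_id
    elif client == "outlook":
        seed = f"{device.user}@{EXCHANGE_FQDN}"
    else:
        raise ValueError(f"unknown client: {client}")
    return hashlib.sha1(seed.encode()).hexdigest()[:16].upper()


def cea_allowed_ids(devices, client):
    """CEA marks as allowed the EAS IDs observed from MDM-enrolled devices."""
    return {eas_device_id(d, client) for d in devices if d.enrolled}


def access_decision(device, client, allowed_ids):
    return "ALLOW" if eas_device_id(device, client) in allowed_ids else "BLOCK"


def unmanaged_leak(devices, client):
    """Unenrolled devices that an allow-by-ID policy would still let in."""
    allowed = cea_allowed_ids(devices, client)
    return [d.hardware_id for d in devices
            if not d.enrolled and access_decision(d, client, allowed) == "ALLOW"]


# Constructed fleet: one user signed in on an enrolled phone and a personal tablet.
FLEET = [
    Device("IMEI-0001", "alice", enrolled=True),
    Device("IMEI-0002", "alice", enrolled=False),
]

if __name__ == "__main__":
    for client in ("native", "outlook"):
        ids = {d.hardware_id: eas_device_id(d, client) for d in FLEET}
        print(client, ids, "unmanaged devices let in:", unmanaged_leak(FLEET, client))
```

With the native client the two devices get distinct IDs and only the enrolled one is allowed; with Outlook both devices collapse to one ID, so allowing the enrolled device also admits the unenrolled one, which is why the policy blocks Outlook instead.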