sbradley
Contributing Writer

How to migrate smartphone users to the Outlook app with Intune

How-To
Sep 25, 2019 | 4 mins
Communications Security, Security, Small and Medium Business

With the pending retirement of Microsoft Basic Authentication, the best way to protect mobile device users connecting through Exchange is to move them to Outlook.


One way attackers wiggle into Microsoft Exchange Online is through systems that have Basic Authentication enabled. Account compromise rates in tenants who have disabled legacy authentication are significantly lower than overall rates. Microsoft has announced it will turn off Basic Authentication for Exchange Web Services on October 13, 2020.

Last week Microsoft went one better and announced it will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online on the same date. Any application using OAuth 2.0 to connect to these protocols will continue to work without change or interruption. I’ve already recommended that you disable Basic Authentication to beef up security in Office 365.

What should you do now if you have Office 365? Start by moving away from the native email applications on Android and Apple iPhones and moving people to the Outlook applications. If you are planning a move to Office 365 away from on-premises Exchange, you should move people over to the application now. The application supports additional protocols and email platforms, so if your users receive personal email as well as the firm email on their phones, you can migrate all email over to Outlook.

There are several ways to handle the migration. Smaller firms can send a communication to their clients instructing them how to find the application in the app store on their phones, download it, and then set up their email account in the new application. If Autodiscover is set up properly, all you need to do is tell people to download the application and enter their email address and password, and the application will connect to the appropriate mail server.

Alternately, you can use Intune to assign the Outlook app to users. I recommend rolling out the Outlook app while letting people keep the native phone app so you can fine-tune adjustments in the Outlook app and get people used to the change.

Moving to Outlook using Intune

As noted in the blog post, you’ll want to go to the Azure Portal and log in as an administrator. Click on “Add” and select “iOS” and then browse for the Outlook app. Review the information provided automatically by clicking on “App information”.

Figure: Using Intune to push out the Outlook application to users (Credit: Susan Bradley)

Next click on “Assignments” and “Add group”. Select “Required” at “Assignment type” to enforce the app on mobile devices.

Figure: Setting email policies (Credit: Susan Bradley)

Select “Included Groups” and choose which group you want to target, or use both switches to deploy to all users or all devices. Once you configure the included assignment, click on “Ok” at the bottom. If you want to prevent users from copying business information from the Outlook app to a personal app, you can set up a policy to limit this.

Figure: Assigning policies (Credit: Susan Bradley)

To create an app protection policy, open your browser and navigate to this page on the Azure portal. Click on “Add a policy” and type a policy name. Select the iOS platform and click on “Select required apps”. Check all apps and click “Select” at the bottom. Click on “Configure required settings” and change these settings.

  • Allow the app to transfer data to other apps: Policy managed apps
  • Prevent “Save As”: Yes
  • Select which storage services corporate data can be saved to—e.g., OneDrive for Business, SharePoint
  • Restrict cut, copy and paste with other apps: Policy managed apps with paste in

Click on “Ok” at the bottom once you’re finished. Click “Create” at the bottom to save the new policy.

Now that the policy is created, assign the policy to the same group you used to deploy the Outlook app. Click on your new policy and then click “Assignments”. Click on “Select groups” to include, choose the same group previously selected for Outlook app assignment, and click “Select”.
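The following check is an added example, not code from the article or from Microsoft: it audits an exported iOS app protection policy against the four settings listed above and confirms the policy targets Outlook and is assigned to a group. The property names follow the Microsoft Graph iosManagedAppProtection resource; the sample policy and the function name audit_policy are constructed for illustration.

```python
# Added example: property names follow Microsoft Graph iosManagedAppProtection;
# the sample policy below is constructed, not exported from a real tenant.
REQUIRED = {
    "allowedOutboundDataTransferDestinations": "managedApps",  # transfer data: policy managed apps
    "saveAsBlocked": True,                                     # Prevent "Save As": Yes
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
}
APPROVED_STORAGE = {"oneDriveForBusiness", "sharePoint"}
OUTLOOK_IOS_BUNDLE_ID = "com.microsoft.Office.Outlook"


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy matches."""
    findings = []
    for key, want in REQUIRED.items():
        got = policy.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    extra = set(policy.get("allowedDataStorageLocations", [])) - APPROVED_STORAGE
    if extra:
        findings.append(f"allowedDataStorageLocations: unapproved {sorted(extra)}")
    bundles = {a.get("mobileAppIdentifier", {}).get("bundleId")
               for a in policy.get("apps", [])}
    if OUTLOOK_IOS_BUNDLE_ID not in bundles:
        findings.append("apps: Outlook for iOS is not targeted")
    groups = [a.get("target", {}).get("groupId") for a in policy.get("assignments", [])]
    if not any(groups):
        findings.append("assignments: policy is not assigned to any group")
    return findings


# Constructed sample: clipboard left open, local storage allowed, never assigned.
DRIFTED_POLICY = {
    "displayName": "Outlook iOS protection (sample)",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
    "allowedOutboundClipboardSharingLevel": "allApps",
    "apps": [{"mobileAppIdentifier": {"bundleId": "com.microsoft.Office.Outlook"}}],
    "assignments": [],
}

if __name__ == "__main__":
    for finding in audit_policy(DRIFTED_POLICY):
        print("FINDING:", finding)
```

An unassigned policy is the finding most worth watching for, since the settings have no effect until the policy reaches the same group that received the Outlook app.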

You can now use the Outlook app throughout your organization. The app supports modern authentication, and once you’ve weaned users off the native phone application, you can disable Basic Authentication without any side effects. Some users may prefer the focused view in the Outlook app; others would prefer that the focused view be disabled and that conversations not be threaded. Finally, you can disable the main email application by going into settings, accounts and passwords and deleting the existing account.

The change does not impact SMTP authentication. However, you may want to review how you have SMTP authentication set up.
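Before disabling Basic Authentication, it helps to confirm who is still connecting over the protocols being retired. The sketch below is an added example, not from the article: it summarizes exported sign-in records per user and lists SMTP users separately for review. The field names (userPrincipalName, clientAppUsed) and protocol labels are assumed to match an Azure AD sign-in log export, a hit is a candidate to confirm rather than proof of Basic Authentication, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Assumption: sign-in records carry Azure AD's userPrincipalName and
# clientAppUsed fields, with these labels for the protocols the article names.
RETIRING = {
    "Exchange Web Services": "EWS",
    "Exchange ActiveSync": "EAS",
    "IMAP4": "IMAP",
    "POP3": "POP",
    "Exchange Online PowerShell": "RPS",
}
SMTP_LABEL = "Authenticated SMTP"  # not impacted by the change; tracked separately

# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_LOG = """
{"userPrincipalName": "Alice@example.com", "clientAppUsed": "Exchange ActiveSync"}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Mobile Apps and Desktop clients"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync"}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients"}
{"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP"}
"""


def legacy_usage(log_text):
    """Return ({user: [retiring protocols seen]}, [users seen on SMTP AUTH])."""
    retiring = defaultdict(set)
    smtp_users = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        user = record.get("userPrincipalName", "").lower()  # UPNs are case-insensitive
        app = record.get("clientAppUsed", "")
        if app in RETIRING:
            retiring[user].add(RETIRING[app])
        elif app == SMTP_LABEL:
            smtp_users.add(user)
    return {u: sorted(p) for u, p in sorted(retiring.items())}, sorted(smtp_users)


if __name__ == "__main__":
    blockers, smtp = legacy_usage(SAMPLE_LOG)
    for user, protocols in blockers.items():
        print(f"{user}: still using {', '.join(protocols)}")
    print("Review SMTP AUTH for:", ", ".join(smtp))
```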

Change is coming to Office 365 and Microsoft’s mandate will help keep us all safer from credential harvesting attacks. Take the time now to migrate to safer and more secure applications.



Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
