A couple of months ago, I was working on a project to reveal the power of Microsoft Intune for my company. One of the requests was to find out if we could apply Intune MAM policies on Outlook mobile used by on-premises mail box users.

We kind of found out pretty soon that this was not possible. You’d first have to migrate the mailbox to Exchange Online to make conditional access and MAM policies, like preventing copy & paste, etc. work. This was kind of a sad result for us, because I’m really a fan of Intune and all the possibilities it provides. Although we do have an Azure / O365 tenant and AAD synced users, my company just didn’t do the move to Exchange Online yet.

Then, it just happened yesterday, that I found the following notice from Microsoft Intune Feedback in my mail box. Almost made me jump out of excitement.

This is something really cool, I was waiting for, for a long time.

Now, we can use all the fancy, cloud-based EMS features, like Intune app restriction policies and conditional access for the Outlook app, for on-premises mailboxes.

You can find the whole article with detailed info on the Microsoft Exchange Team Blog.

I’ll give you a brief summary of this new functionality, here.


How it works

For the whole thing to work, you first need to establish a hybrid configuration with the MS cloud and then enable Hybrid Modern Authentication.

Mail box data will then be synced to Exchange Online and the Outlook app will authenticate against Azure AD. The setup looks like in the picture below.

Hybrid modern authentication in Outlook for iOS and AndroidImage from Microsoft Exchange Team Blog




There are quite a few prerequisites and conditions for enabling Hybrid Modern Authentication. Following, some of the main requirements:

  • For On-Premises Exchange: Exchange Server 2016 CU8, or Exchange Server 2013 CU19 and up.
  • All Exchange 2007 and 2010 servers have to be removed from your environment.
  • If you use a proxy server to allow servers to connect to the Internet, be sure all Exchange servers have that proxy server defined in the InternetWebProxyproperty.
    (Set it with Set-ExchangeServer, using the -InternetWebProxy parameter )



Your on-premise users have to be assigned the correct licenses for O365 and EMS.

Office365 – one of the following

  • Commercial: Enterprise E3, Enterprise E5, ProPlus, or Business licenses
  • Government: U.S. Government Community G3, U.S. Government Community G5
  • Education: Office 365 Education E3, Office 365 Education E5


EMS licensing –  one of the following

  • Intune standalone + Azure Active Directory Premium standalone
  • Enterprise Mobility + Security E3, Enterprise Mobility + Security E5


After you set up all prerequisites, you need to contact your Microsoft account team, customer sales and services (CSS), or technical account managers to roll out this new feature for you.


Also, please read the following articles for detailed information.

Using hybrid Modern Authentication with Outlook for iOS and Android

Hybrid Modern Authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers

How to configure Exchange Server on-premises to use Hybrid Modern Authentication

I also suggest to browse through the Microsoft Intune Feedback page.

Here, you can submit, or support ideas regarding Microsoft Intune. There are already some pretty cool ideas around. If enough people vote for one, they’ll maybe make it come true.

Like it happend in this case 🙂