Logo

Using Microsoft Conditional Access with Colligo Email Manager

Microsoft 365 and Microsoft Azure AD offer a feature to control authentication based on risk factors. This is called conditional access.

A risk factor might be device type, location, user, group, remote application or multi factor authentication enabled for example.

Microsoft have implemented a subset of this function to restrict all authentications unless they are from trusted Microsoft Applications like Outlook, Word, Excel or Microsoft Edge Web Browser.

The only issue with this functionality occurs when the Microsoft settings to 'require' trusted Microsoft Applications is enabled and required (rather than one of a list of acceptable options).
The Colligo add-in is a cloud add-in and requires authentication. The add-in is used inside the Microsoft Outlook client (which is a trusted application), however Microsoft have not embedded their trusted Edge browser and make use of the device native browser module.

For example, on IOS this identifies as Webkit/IOS. Microsoft Conditional access does not allow this as it is not a trusted Microsoft application.

This article covers working around this Microsoft Issue.


How to work with Conditional Access Application Restrictions

Step 1: Decide if Application restrictions are really needed in your environment.

  • First of all, consider that it may be possible with other restrictions, like an authenticated trusted device, multi factor authentication and specific user access that you do not require the restriction to limit to only Microsoft provided applications. If so, then after removing this restriction from the Conditional Access policy then Colligo will work (therefore the changes mentioned below are not needed).

Step 2: If your organisation requires Conditional Access application restriction, then contact Colligo

  • Your Colligo account manager can have your Colligo subscription upgraded to enable an alternate authentication flow which detects Conditional Access on the first attempt, then re-directs to perform the second authentication using the Trusted Microsoft Edge Browser on device.

Details  of Colligo Specific Conditional Access flow

When this option is enabled for your Colligo subscription, the authentication flow on Mobile devices will be changed very slightly. This slightly elongated authentication flow should be a one time event as long as the application usage is maintained and your Microsoft authentication credentials are not reset, timed out or otherwise changed by your administrator.

Due to the current Microsoft V2 authentication flow, users will first attempt to authenticate inside the Outlook application embedded browser. If conditional access is set to require a trusted application then we know this will fail due to using the Outlook client bundled web browser, but at this point Colligo cannot detect the failure as Microsoft do not return the authentication flow to us.

Users will then close this window down and re-attempt authentication, which as Colligo have now detected requires conditional access will be re-directed to the device Microsoft Edge browser.

Requirements

  1. End user devices must be trusted and enrolled as required by the organisation
  2. Microsoft Edge browser must be deployed to the device
    1. Users must be authenticated to their work account in edge browser
  3. Colligo Add-In must be provisioned by the MS365 tenant admin to those end users who require it
    1. Microsoft currently take up to 12 hours to deploy add-ins to end users (as written when you deploy the add-in).
    2. Additionally there are sometimes Cache issues with Microsoft Outlook which require the application to be force restarted to pickup new changes.
  4. Once deployed, Colligo EMO add-in will show in the add-ins section of Outlook when viewing an email
  5. Your Customer Colligo account setting must have Conditional Access setting enabled as this is required to change the authentication flow to support Microsoft Trusted Application authentication using Edge browser. (please contact support or your account manager).

User Flow

Here are screenshots of the flow a user may experience if the device, Outlook or edge browser are not all already fully authenticated:

 First ensure that users are authenticated and all pre-requisites are deployed to their device.
Microsoft edge requires authentication itself with a work account.

(Screenshot of Microsoft Edge on device)
Once deployed, The Colligo Add-In will show when the triple 'dots' are tapped on a mobile Outlook client.
The Colligo Icon will then launch the Colligo SharePoint add-in for filing of the email content to SharePoint, Teams and OneDrive locations.
Users will first try to authenticate in the Outlook application provided web browser ( Microsoft Default ). There is no control Colligo have around this process.
As this is the first time using the Application and no Colligo record is created, the authentication will be blocked. This is recorded internally by Colligo and the next authentication will be processed in Microsoft Edge.

Users should back out and close this window as shown with the circled back button.
If the user now tries to open Colligo add-in again, it will re-direct to Microsoft Edge browser and perform the authentication in this trusted browser.
Once the authentication is complete, then the user should close and return to Outlook client and re-open the Colligo Add-In.




Due to security limits in the Microsoft Conditional Access authentication flow, it is not possible to detect a Microsoft block up-front and Colligo rely on Microsoft to inform us that the authentication has failed. Microsoft handle a Conditional Access Trusted Application block differently to an MFA or challenge response and their failure is final and does not return back to the Colligo Application.
This can result in an another authentication attempt being required.




Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.
Have documentation feedback? Send us an email