Forum Discussion
JeremyTBradshaw
Jul 13, 2020 Steel Contributor
Guidance with Outlook App Configuration Policies and Conf.Keys for Android
First off, I'm referring to the Configuration Key com.microsoft.intune.mam.AllowedAccountUPNs, documented here https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-...
JeremyTBradshaw
Jul 13, 2020 Steel Contributor
FYI in case anyone else gets in their own way like I do/did...
The answer is that we still use "valueString" as the type, but then we separate UPNs in our list using semicolon instead of comma. I found this info here:
Specifically:
Allow only configured organization accounts in multi-identity apps
As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:
Key: com.microsoft.intune.mam.AllowedAccountUPNs
Values:
- One or more ; delimited UPNs.
- Only account(s) allowed are the managed user account(s) defined by this key.
- For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.
"Only account(s) allowed are the managed user account(s) defined by this key." is oddly-written but oh well.
JohannesW60
Mar 17, 2021 Copper Contributor
Hi Jeremy,
I've tried to enter the value for the key com.microsoft.intune.mam.AllowedAccountUPNs as described: {{userprincipalname}}, but I get the following error message:
The other keys / values:
Do you have any idea about this?
Regards,
Hannes
- JeremyTBradshaw Mar 17, 2021 Steel Contributor
Based on the error, it seems like it's saying you shouldn't be using the key at all. In the Configuration Designer, do you see work accounts only mode being turned on? I haven't seen the error you shared but I'm wondering if you have to use another key to make sure the feature is on, before you can supply the allowed UPNs list.
FYI, I've been relying on full access permissions and the "add shared or delegated mailboxes" feature. So I just leave the default value for that key when I turn on work accounts only mode.
- JohannesW60 Mar 18, 2021 Copper Contributor
In the Configuration Designer, do you see work accounts only mode being turned on?
Can you tell me where I can find the Configuration Designer?
Is it the "App configuration policies"?
I have only created an app protection policy and an app configuration policy for Outlook app
- JeremyTBradshaw Mar 18, 2021 Steel Contributor
JohannesW60 In the Properties on your App Configuration Policy for Outlook, that is where I meant. When you edit the Settings, you can choose to use Configuration Designer to see the more GUI-friendly options:
If you change yours to "Use Configuration Designer", do you see "Allow only work or school accounts" setting set to "Enabled"?
Note, when you use Configuration Designer and enable work accounts only mode, it then exposes the JSON key/value pair anyway for the allowed UPNs setting:
So you can then just edit that one key from there, vs using the JSON editor for all settings. You might already be doing this, I just put the screenshots to clarify what I was after. Hopefully this does help.
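The semicolon rule for com.microsoft.intune.mam.AllowedAccountUPNs discussed in this thread can be checked before a policy is saved. This is an added example, not code from any poster or from Microsoft: the function name `lint_allowed_upns`, the assumption that the JSON editor content wraps its key/value pairs in a `managedProperty` array, and the sample policies are all constructed for illustration.

```python
import json
import re

KEY = "com.microsoft.intune.mam.AllowedAccountUPNs"
TOKEN = "{{userprincipalname}}"  # token for the enrolled user's account
# Loose shape check only: local-part@domain.tld with no delimiters or spaces.
UPN_RE = re.compile(r"^[^@\s;,]+@[^@\s;,]+\.[^@\s;,]+$")


def lint_allowed_upns(policy_json):
    """Return a list of problems with the AllowedAccountUPNs entry.

    Assumes (not confirmed by the thread) that the policy JSON holds its
    settings as {"managedProperty": [{"key": ..., "valueString": ...}]}.
    """
    props = json.loads(policy_json).get("managedProperty", [])
    entries = [p for p in props if p.get("key") == KEY]
    if not entries:
        return [f"{KEY} is not set"]
    problems = []
    for entry in entries:
        value = entry.get("valueString")
        if not isinstance(value, str):
            problems.append("value must use the valueString type")
            continue
        if "," in value:
            # The mistake described in the thread: comma instead of semicolon.
            problems.append("comma found: UPNs must be separated by ';'")
            continue
        for item in (part.strip() for part in value.split(";")):
            if item != TOKEN and not UPN_RE.match(item):
                problems.append(f"not a UPN or the enrolled-user token: {item!r}")
    return problems


# Constructed sample policies (contoso.example is a placeholder domain).
GOOD = json.dumps({"managedProperty": [
    {"key": KEY, "valueString": "{{userprincipalname}};shared@contoso.example"}]})
BAD = json.dumps({"managedProperty": [
    {"key": KEY, "valueString": "a@contoso.example,b@contoso.example"}]})

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_allowed_upns(policy) or "ok")
```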