Where to configure mobile device requirement for Office 365, in Exchange Admin Center or Intune?
PIN and encryption requirement settings have changed with the new Exchange Admin Center. The portal no longer allows you to require mobile device encryption; that setting has moved to PowerShell and Intune policies. You can still set a device lock PIN in the Exchange Admin Center, or in Intune if your license covers mobile device management. Encryption and other advanced requirements are now all administered through PowerShell, but the lock PIN can still be set in the portal or in Intune.
There may be some differences in capabilities when requiring an unlock PIN for mobile devices using an Exchange Mobile Device Mailbox Policy versus an Intune Configuration Profile. Here are a few differences to keep in mind:
Exchange Mobile Device Mailbox Policy is primarily focused on managing email-related settings on mobile devices, while Intune Configuration Profiles provide a broader range of management capabilities, such as device compliance, app management, and endpoint security.
With an Intune Configuration Profile, you can require more advanced security measures such as biometric authentication, as well as more specific settings such as the use of a VPN.
Exchange Mobile Device Mailbox Policy is limited to managing mobile devices that are accessing Exchange Online, while Intune Configuration Profiles can manage a wider range of devices and platforms, including Windows, iOS, and Android.
Intune Configuration Profiles can also provide a more centralized management experience, allowing you to manage all of your organization’s devices and users from a single console.
Licensing requirements
Exchange Mobile Device Mailbox Policy is included with certain Microsoft 365 and Office 365 plans that include Exchange Online, such as Microsoft 365 Business Premium, Microsoft 365 E3, and Office 365 Enterprise E3.
On the other hand, Microsoft Intune is a separate subscription-based service that requires a license to use. Intune is available as a standalone service, or as part of the Microsoft Endpoint Manager suite, which also includes Configuration Manager and other management tools.
To use Intune to manage mobile device security, you must have a Microsoft Intune or Microsoft Endpoint Manager license, which is available as part of several Microsoft 365 and Office 365 plans, such as Microsoft 365 Business Premium, Microsoft 365 E3, and Office 365 Enterprise E3.
The setup: Exchange Online Admin Center
To set up a policy that requires a PIN for all mobile devices in your Office 365 and Exchange Online environment, follow these steps:
Sign in to the Microsoft 365 admin center with your administrator account.
Go to the “Exchange” section and click on “Mobile devices”.
Click on the “Mobile device mailbox policies” tab.
Click the “New” button to create a new mobile device mailbox policy.
In the “Name” field, enter a name for the policy.
Under “Password”, select “Require password”.
Choose the minimum password length, and select the number of minutes of inactivity before the device requires a password again.
Under “Password recovery”, select the recovery options you want to offer for forgotten passwords.
Click “Save” to create the policy.
Assign the policy to the desired mailboxes by selecting the mailbox, clicking “Edit”, and selecting the new policy under “Mobile Device Mailbox Policy”.
Once you have completed these steps, all mobile devices that connect to Exchange Online will be required to have a PIN or password in order to access email and other resources. To assign the new policy, navigate to https://admin.exchange.microsoft.com > Home > Mailboxes, then open a mailbox's properties > Manage mobile devices.
Mobile device mailbox policies can be created, modified, or deleted in the Exchange admin center (EAC) or Exchange Online PowerShell. If you create a policy in the EAC, you can configure only a subset of the available settings. You can configure the rest of the settings using Exchange Online PowerShell. For example, device encryption requirements have been moved to Exchange Online PowerShell and can no longer be managed using the Exchange Online Admin portal.
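The PowerShell side of the setup above, as an added example that is not part of the original article: it creates a mobile device mailbox policy with the PIN settings from the portal steps plus the encryption requirement that the portal no longer exposes, assigns it, and lists mailboxes still on another policy. The admin account, policy name, mailbox addresses, PIN length and timeout values are placeholders chosen for illustration.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder account

$policyName = 'Require PIN and Encryption'                          # hypothetical policy name
$mailboxes  = 'user1@contoso.example', 'user2@contoso.example'      # placeholder mailboxes

# Create the policy only if it does not exist yet, so the script can be re-run safely.
$existing = Get-MobileDeviceMailboxPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $existing) {
    $policyParams = @{
        Name                         = $policyName
        PasswordEnabled              = $true        # "Require password" in the portal
        MinPasswordLength            = 6            # example value
        AllowSimplePassword          = $false       # reject PINs such as 1111 or 1234
        MaxInactivityTimeLock        = '00:05:00'   # lock after 5 minutes idle (example value)
        RequireDeviceEncryption      = $true        # no longer available in the portal
        # Devices that cannot enforce every setting are refused instead of
        # being allowed to sync without the PIN and encryption requirements.
        AllowNonProvisionableDevices = $false
    }
    New-MobileDeviceMailboxPolicy @policyParams | Out-Null
}

# Confirm what the service actually stored.
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Format-List Name, PasswordEnabled, MinPasswordLength, AllowSimplePassword,
                MaxInactivityTimeLock, RequireDeviceEncryption, AllowNonProvisionableDevices

# Assign the policy to the selected mailboxes.
foreach ($mailbox in $mailboxes) {
    Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName
}

# Audit: list mailboxes that are still governed by a different policy.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { "$($_.ActiveSyncMailboxPolicy)" -ne $policyName } |
    Select-Object Name, ActiveSyncMailboxPolicy |
    Sort-Object Name

Disconnect-ExchangeOnline -Confirm:$false
```

Setting AllowNonProvisionableDevices to $false blocks older devices that cannot apply the policy, so review the audit output and pilot the policy on a small group before assigning it broadly.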
Using Intune
The process is slightly different if you use Microsoft Intune to manage your mobile devices instead of the Exchange Online console. Here are the steps to require a PIN for all mobile devices in Intune:
Sign in to the Microsoft Endpoint Manager admin center with your Intune administrator account.
Click on “Devices” in the left-hand navigation menu, then click on “Configuration profiles”.
Click on the “+ Create profile” button to create a new profile.
Choose a platform for the profile, such as iOS or Android.
Give the profile a name and description, then click “Next”.
On the “Settings” page, navigate to the “Device restriction” section.
Turn on the “Password” option, and choose the minimum password length, complexity requirements, and number of minutes of inactivity before the device requires a password or PIN again.
Click “Next” to continue.
The following device restrictions are available:
On the “Assignments” page, select the groups of users or devices that you want to apply the profile to.
Click “Next” to create the profile and apply it to the selected devices.
The new policy will appear in the Configuration Profiles list once you hit refresh.
Once you have completed these steps, all mobile devices managed by Intune will be required to have a PIN or password in order to access email and other resources.