Deploying Outlook for iOS and Android app configuration settings in Exchange Online
Summary: How to customize the behavior of Outlook for iOS and Android in your Exchange organization.
Outlook for iOS and Android supports app settings that allow unified endpoint management (UEM) administrators (using tools such as Microsoft Intune) and Microsoft 365 or Office 365 administrators to customize the behavior of the app.
App configuration can be delivered either through the mobile device management OS channel on enrolled devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Intune App Protection Policy (APP) channel. Outlook for iOS and Android supports the following configuration scenarios:
- Account setup configuration
- Organization allowed accounts mode
- General app configuration settings
- S/MIME settings
- Data protection settings
Important
For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise, and Outlook for Android must be deployed via the managed Google Play store. For more information, see Set up enrollment of Android work profile devices and Add app configuration policies for managed Android devices.
Each configuration scenario highlights its specific requirements: for example, whether the configuration scenario requires device enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies. The following flowchart outlines which channel needs to be used for the above configuration scenarios:
Note
With Microsoft Intune, app configuration delivered through the mobile device management OS channel is referred to as a Managed Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy (APP) channel is referred to as a Managed Apps App Configuration Policy.
Account configuration scenarios
Outlook for iOS and Android offers administrators the following app configuration scenarios with enrolled devices:
- Account setup configuration
- Organization allowed accounts mode
These configuration scenarios only work with enrolled devices. However, any UEM provider is supported. If you aren't using Microsoft Intune, you need to refer to your UEM documentation on how to deploy these settings. For more information on the configuration keys, see Configuration keys.
Account setup configuration scenario
Outlook for iOS and Android offers administrators the ability to "push" account configurations to their Office 365 users and to on-premises users leveraging hybrid Modern Authentication. For more information on account setup configuration, see Account setup with modern authentication in Exchange Online.
Organization allowed accounts mode scenario
Outlook for iOS and Android offers administrators the ability to restrict email and storage provider accounts to only corporate accounts. For more information on organization allowed accounts mode, see Account setup with modern authentication in Exchange Online.
General app configuration scenarios
Outlook for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This capability is offered for both enrolled devices via any UEM provider and for devices that aren't enrolled when Outlook for iOS and Android has an Intune App Protection Policy applied.
Note
If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings in a Managed Apps device enrollment model. This deployment ensures the App Configuration Policy is deployed to both enrolled devices and unenrolled devices.
Outlook supports the following settings for configuration:
Setting | Default app behavior | Notes | Recommended configuration |
---|---|---|---|
Open Links in Edge | On | Users will be prompted to open links in Edge. Admins now have the option to disable this feature for their company. | App default |
Focused Inbox | On | Focused Inbox separates your inbox into two tabs, Focused and Other. Your most important emails are on the Focused tab while the rest remains easily accessible (but out of the way) on the Other tab. | App default |
Require Biometrics to access the app | Off | Biometrics, such as TouchID or FaceID, can be required for users to access the app on their device. When required, biometrics is used in addition to the authentication method selected in this profile. This setting is only available for Outlook for iOS. If using App Protection Policies, Microsoft recommends disabling this setting to prevent dual access prompts. | Disable |
Save (or Sync) Contacts | Off | Saving contacts to the mobile device's native address book allows new calls and text messages to be linked with the user's existing Outlook contacts. The user must grant access to the native Contacts app for contact synchronization to occur. | Enable |
Sync Calendars | Off | Outlook for Android provides users the ability to synchronize Outlook calendar data with the native Calendar app. The user must grant access to the native Calendar app for calendar synchronization to occur. This feature is only supported with Outlook for Android. | App default |
External Recipients MailTip | On | If the sender adds a recipient that's external or adds a distribution group that contains external recipients, the External Recipients MailTip is displayed. This MailTip informs senders if a message they're composing will leave the organization, helping them make the correct decisions about wording, tone, and content. Exchange Online MailTipsExternalRecipientsTipsEnabled parameter must be set to $true for Outlook for iOS and Android to see the External Recipients MailTip. For more information, see MailTips. In Outlook for iOS and Android, to set all the internal domains for use when the MailTip service for external recipients is unavailable (as user is offline or due to low connectivity), see External recipients MailTip offline domain configuration. | App default |
Block external images | Off | When Block external images is enabled, the app by default prevents the download of images that are hosted on the Internet and embedded in the message body. The user can still choose to download the images. | Enable |
Default app signature | On | Indicates whether the app uses its default signature, "Get Outlook for [OS]", during message composition, if a custom signature isn't defined. Users can add their own signatures even when the default signature is disabled. | App default |
Suggested replies | On | By default, Outlook for iOS and Android suggests replies in the quick reply compose window. If you select a suggested reply, you can edit the reply before sending it. | App default |
Recommendations feed | On | The Recommendations feed is powered by Microsoft Graph and provides a feed of your organization's Office files connected to the people in your organization. This feature is located in the Recommended section within the Search experience and only shows documents to which the user has access. Recommendations based on insights from other users in the organization can be controlled through the itemInsights setting. | App default |
Organize mail by thread | On | By default, Outlook for iOS and Android collates related emails into a single threaded conversation view. | App default |
Play My Emails | On | By default, Play My Emails is promoted to eligible users via a banner in the inbox. | App default |
Text Predictions | On | By default, Outlook for iOS and Android can suggest words and phrases as you compose messages. | App default |
Themes | On | By default, Outlook for iOS and Android supports visual themes that can be enabled for certain beliefs or events. | App default |
Louder Mandatory labeling | Off | For organizations that have mandatory labeling enabled without default labeling and would like users to select the label first, before going on to compose the email. Then, when the users select Send, the email can be sent without any forgotten-labeling pop-ups. Outlook mobile will introduce a new MDM setting (com.microsoft.outlook.Mail.LouderMandatoryLabelEnabled) to allow admins to enable this louder mandatory configuration for Outlook mobile clients (iOS and Android) specifically. | App default |
Settings that are security-related in nature have an additional option, Allow user to change setting. For these settings (Save Contacts, Block external images, and Require Biometrics to access the app), organizations can prevent the user from changing the app's configuration. The organization's configuration can't be overridden.
Allow user to change setting doesn't change the app's behavior. For example, if the admin enables Block external images and prevents a user change, then by default, external images aren't downloaded in messages; however, the user can manually download the images for that message body.
The following conditions describe Outlook's behavior when implementing various app configurations:
- If the admin configures a setting with its default value, and the app is configured with the default value, then the admin's configuration doesn't have any effect. For example, if the admin sets External recipients MailTip=on, the default value is also on, so Outlook's configuration doesn't change.
- If the admin configures a setting with the non-default value and the app is configured with the default value, then the admin's configuration is applied. For example, the admin sets Focused Inbox=off, but the app default value is on, so Outlook's configuration for Focused Inbox is off.
- If the user has configured a non-default value, but the admin has configured a default value and allows user choice, then Outlook retains the user's configured value. For example, the user has enabled contact synchronization, but the admin sets Save Contacts=off and allows user choice, so Outlook keeps contact synchronization on and doesn't break caller-ID for the user.
- If the admin disables user choice, Outlook always enforces the admin-defined configuration, regardless of the user's configuration or default app configuration. For example, the user has enabled contact synchronization, but the admin sets Save Contacts=off and disables user choice, so contact synchronization gets disabled and the user is prevented from enabling it.
- After the app configuration is applied, if the user changes the setting value so that it no longer matches the admin's desired value (and user choice is allowed), then the user's configuration is retained. For example, Block external images is off by default, the admin sets Block external images=on, but afterwards, the user changes Block external images back to off. In this scenario, Block external images remains off the next time the policy is applied.
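The precedence rules above can be modeled as a small resolver, together with a check that flags security-related settings an admin has set but left user-changeable. This is an added example, not Outlook's or Intune's code; `AdminSetting`, `effective_value`, `unenforced_security_settings`, and the sample policy are hypothetical names and constructed data, and the model assumes `user_choice=None` means the user never changed the setting.

```python
from dataclasses import dataclass
from typing import Optional

# App defaults copied from the settings table on this page (True = On).
APP_DEFAULTS = {
    "Focused Inbox": True,
    "External Recipients MailTip": True,
    "Save Contacts": False,
    "Block external images": False,
    "Require Biometrics to access the app": False,
}

# Settings the page calls security-related; these carry "Allow user to change setting".
SECURITY_SETTINGS = {
    "Save Contacts",
    "Block external images",
    "Require Biometrics to access the app",
}


@dataclass(frozen=True)
class AdminSetting:
    value: Optional[bool]             # None models "Not configured"
    user_change_allowed: bool = True  # "Allow user to change setting"


def effective_value(name: str, admin: AdminSetting,
                    user_choice: Optional[bool] = None) -> bool:
    """Resolve the value in effect for one setting.

    user_choice is None when the user never changed the setting (an
    assumption of this model); otherwise it is the value the user picked.
    """
    if admin.value is not None and not admin.user_change_allowed:
        return admin.value        # user choice disabled: admin value is enforced
    if user_choice is not None:
        return user_choice        # user's configured value is retained
    if admin.value is not None:
        return admin.value        # admin value replaces the app default
    return APP_DEFAULTS[name]     # nothing configured: app default applies


def unenforced_security_settings(policy: dict) -> list:
    """List security-related settings the policy sets but leaves user-changeable."""
    return sorted(
        name for name, admin in policy.items()
        if name in SECURITY_SETTINGS
        and admin.value is not None
        and admin.user_change_allowed
    )


# Constructed sample policy for illustration.
SAMPLE_POLICY = {
    "Block external images": AdminSetting(True),  # user may switch it back off
    "Save Contacts": AdminSetting(False, user_change_allowed=False),
    "Focused Inbox": AdminSetting(False),
}

if __name__ == "__main__":
    print(unenforced_security_settings(SAMPLE_POLICY))
```

A setting reported by `unenforced_security_settings` is only a changed default: any user who has already picked, or later picks, a different value keeps it.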
Users are alerted to configuration changes via a notification toast in the app:
This notification toast will automatically dismiss after 10 seconds. There are two scenarios where this notification toast won't appear:
- If the app has previously shown the notification in the last hour.
- If the app was installed less than 24 hours ago.
External recipients MailTip offline domain configuration
In Outlook for iOS and Android, when the MailTip service for external recipients is unavailable (because the user is offline or has low connectivity), use the following MDM app configuration to set all the internal domains of the tenant:
- Key: com.microsoft.outlook.Mail.InternalDomains
- Value:
  - A list of domains split by a comma (,) in string type.
  - You only need to add all your root domains. For example, if you have microsoft.com domain in your config, service.microsoft.com, exchange.microsoft.com, and hr.service.microsoft.com are all considered as internal recipients.
  - All domains aren't case sensitive.
- Config example: microsoft.com, contoso.onmicrosoft.com, hcdhc.net
Note
- For UOPCC accounts, the external recipient MailTips are enabled only when the internal domains MDM configuration is set (even if the value is empty).
- If an empty string is set in the app configuration, the recipient is still considered an internal recipient when its domain is the same as the sender's domain or is a subdomain of the sender's domain.
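The matching rules for com.microsoft.outlook.Mail.InternalDomains (comma-separated root domains, subdomains included, case-insensitive, empty value falling back to the sender's domain) can be checked before deployment with a model like the following. This is an added example, not Outlook's code; the function names and sample addresses are hypothetical, and it assumes that a non-empty value means only the listed domains are consulted.

```python
def parse_internal_domains(value: str) -> set:
    """Split the comma-separated string value into normalized root domains."""
    domains = set()
    for item in value.split(","):
        domain = item.strip().strip(".").lower()  # domains aren't case sensitive
        if domain:
            domains.add(domain)
    return domains


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an SMTP address: {address!r}")
    return domain.strip(".").lower()


def is_same_or_subdomain(domain: str, root: str) -> bool:
    """True when domain equals root or sits below it.

    The match is made on a label boundary: a plain suffix test would treat
    'notmicrosoft.com' as part of 'microsoft.com'.
    """
    return domain == root or domain.endswith("." + root)


def is_internal(recipient: str, sender: str, internal_domains_value: str) -> bool:
    """Classify one recipient using the rules stated on this page.

    Assumption of this model: when the configured value is non-empty, only
    the listed root domains are consulted; when it is empty, the sender's
    own domain is used as the single root.
    """
    roots = parse_internal_domains(internal_domains_value)
    if not roots:
        roots = {domain_of(sender)}
    recipient_domain = domain_of(recipient)
    return any(is_same_or_subdomain(recipient_domain, root) for root in roots)


def external_recipients(recipients: list, sender: str,
                        internal_domains_value: str) -> list:
    """Return the recipients that would count as external."""
    return [r for r in recipients
            if not is_internal(r, sender, internal_domains_value)]


# Config example from this page; the addresses below are constructed.
CONFIG = "microsoft.com, contoso.onmicrosoft.com, hcdhc.net"

if __name__ == "__main__":
    sample = [
        "a@hr.service.microsoft.com",   # subdomain of a listed root
        "b@Exchange.Microsoft.COM",     # case differs, still internal
        "c@notmicrosoft.com",           # shares a suffix, not a subdomain
        "d@example.org",                # unrelated domain
    ]
    print(external_recipients(sample, "sender@microsoft.com", CONFIG))
```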
Save Contacts
The Save Contacts setting is a special case scenario because unlike the other settings, this setting requires user interaction: the user needs to grant Outlook permissions to access the native Contacts app and the data stored within. If the user doesn't grant access, then contact synchronization can't be enabled.
Note
With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the policy, you can define that Outlook for Android is granted READ_CONTACTS and WRITE_CONTACTS within the work profile; for more information on how to assign permissions, see Add app configuration policies for managed Android devices. When assigning default permissions, it's important to understand which Android Enterprise deployment models are in use, as the permissions may grant access to personal data.
When enabling Outlook for Android's Save Contacts within Android Enterprise's work profile, Outlook for Android can access the native Contacts app only within the work profile context; this limitation provides a clear separation between work and personal profile data. However, Android Enterprise allows for the dialer and messaging apps within the personal profile to access the local contacts within the work profile. This behavior is enabled by default, but can be controlled via device restrictions; for more information, see Android Enterprise device settings to allow or restrict features using Intune. It's possible that some dialer or messaging apps, whether pre-installed by the device manufacturer or installed from the Play Store, don't properly support this capability.
The workflow for enabling Save Contacts is the same for new accounts and existing accounts.
The user is notified that the administrator has enabled contact synchronization. In Outlook for iOS, the notification occurs within the app, whereas in Outlook for Android, a persistent notification is delivered via the Android notification center.
If the user taps on the notification, the user is prompted to grant access:
If the user allows Outlook to access the native Contacts app, access is granted, and contact synchronization is enabled. If the user denies Outlook access to the native Contacts app, then the user is prompted to go into the OS settings and enable contact synchronization:
In the event the user denies Outlook access to the native Contacts app and dismisses the previous prompt, the user may later enable access by navigating to the account configuration within Outlook and tapping Open Settings:
Calendar Sync
Note
Calendar sync support will begin rolling out in October 2020.
Calendar sync enables users to synchronize their Outlook for Android calendar data with the native Android Calendar app. Calendar sync is off by default and requires user participation. Like Save Contacts, the Sync Calendars setting is another special case scenario because this setting requires user interaction: the user needs to grant Outlook permissions to access the native Calendar app and the data stored within. If the user doesn't grant access, then calendar synchronization can't be enabled.
Note
With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the policy, you can define that Outlook for Android is granted READ_CALENDAR and WRITE_CALENDAR within the work profile; for more information on how to assign permissions, see Add app configuration policies for managed Android devices. When assigning default permissions, it's important to understand which Android Enterprise deployment models are in use, as the permissions may grant access to personal data.
When enabling Outlook for Android's Sync Calendar within Android Enterprise's work profile, Outlook for Android can access the native Calendar app only within the work profile context; this limitation provides a clear separation between work and personal profile data.
S/MIME scenarios
On enrolled devices, Outlook for iOS and Android supports automated certificate delivery. Outlook for iOS and Android also supports app configuration settings that enable or disable S/MIME in the app, as well as the user's ability to change the setting. For more information on how to deploy these settings via Microsoft Intune, see Understanding S/MIME. For more information on the configuration keys, see Configuration keys.
Data protection scenarios
Outlook for iOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Intune with an Intune App Protection Policy applied:
- Managing the use of wearable technology
- Managing sensitive data in mail and calendar reminder notifications
- Managing the contact fields synchronized to the native contacts app
- Managing calendar sync availability
- Managing add-ins availability
These settings can be deployed to the app regardless of device enrollment status. For more information on the configuration keys, see Configuration keys.
Configure Wearables for Outlook for iOS and Android
By default, Outlook for iOS and Android supports wearable technology, allowing the user to receive message notifications and event reminders, and the ability to interact with messages and view daily calendars. Organizations that want to disable the ability to access corporate data on wearables can block wearables with an App Configuration Policy.
Configure Notifications for Outlook for iOS and Android
Mobile app notifications are critical in alerting users of new content or reminding them to act. Users interact with these notifications via the lock screen and in the operating system's notification center. Notifications often include detailed information, which can be sensitive in nature. This information, unfortunately, can inadvertently be leaked to casual observers.
Outlook for iOS and Android has designed its notifications to enable users to triage email and alert users to upcoming meetings, including incorporating Time to Leave suggestions. Mail notifications include the sender's address, the subject of the message, and a short message preview of the message body. Calendar reminders include the subject, location, and start time of the meeting.
Recognizing that these notifications may include sensitive data, organizations can use an Intune App Protection Policy setting, Org Data Notifications, to remove the sensitive data. As this is an App Protection Policy setting, it applies on all devices (phones, tablets, and wearables) of the user for the apps that support the setting. For more information on the setting, see iOS App Protection Policy settings and Android App Protection Policy settings.
In addition to the App Protection Policy setting, Outlook for iOS and Android has a data protection App Configuration Policy setting, Calendar Notifications, that provides additional flexibility with calendar notifications: organizations can block sensitive information in mail notifications, while allowing sensitive information in calendar notifications. After all, users might just need to know where they're going and when they should leave, at a glance.
The following table outlines the notification experience in Outlook for iOS and Android based on the combination of the App Protection and App Configuration policy settings:
Org Data Notifications value | Calendar Notifications value | Notification behavior |
---|---|---|
Allow (default) | Not Configured (default) | Default client behavior where sensitive data is exposed in mail and calendar notifications |
Block | Not Configured | Sensitive data is exposed in mail and calendar notifications as Outlook ignores the block setting |
Block Org Data | Not Configured | Sensitive data isn't available in mail or calendar notifications |
Block Org Data | Allowed | Sensitive data isn't available in mail notifications; calendar notifications expose sensitive data |
Configure Contact Field Sync to native Contacts for Outlook for iOS and Android
The settings allow organizations to control the contact fields that synchronize between Outlook on iOS and Android and the native Contacts apps.
Note
Outlook for Android supports bi-directional contact synchronization. However, if a user edits a field in the native contacts app that is restricted (such as the Notes field), then that data won't synchronize back into Outlook for Android.
Configure Calendar Sync availability with Outlook for Android
Calendar sync enables users to synchronize their Outlook for Android calendar data with the native Android Calendar app. Organizations can control whether calendar sync is available to the work or school account with the following methods:
- With Intune App Protection Policies, the setting Sync policy managed app data with native apps or add-ins defines whether Save Contacts, Sync Calendars, and Add-ins are available for use within the work or school account. By default, this setting is set to Allow. If this setting is set to Block, Save Contacts, Sync Calendars, and Add-ins are disabled for the work or school account and their associated App Configuration Policy settings are ignored.
- When the Intune App Protection Policy setting Sync policy managed app data with native apps or add-ins is set to Allow, organizations can also choose to define the availability of Sync Calendars through a managed apps App Configuration Policy. This flexibility allows for feature granularity control from a data protection perspective; for example, organizations can enable Save Contacts (by setting Sync policy managed app data with native apps or add-ins to Allow) but disable Sync Calendars (by setting the Allow Calendar Sync setting within a managed apps App Configuration Policy to Off).
- Finally, if organizations allow the availability of Sync Calendars, through an App Configuration Policy setting Sync Calendars, organizations can define the default sync state of calendar sync. This setting removes the need for the user to enable calendar synchronization manually.
Configure Add-ins availability with Outlook for iOS and Android
Users can synchronize work or school account data into other services using add-ins. The availability of add-ins within the work or school account can be controlled with the following methods:
- With Intune App Protection Policies, the setting Sync policy managed app data with native apps or add-ins defines whether Save Contacts, Sync Calendars, and Add-ins are available for use within the work or school account. By default, this setting is set to Allow. If this setting is set to Block, Save Contacts, Sync Calendars, and Add-ins are disabled for the work or school account and their associated App Configuration Policy settings are ignored.
- When the Intune App Protection Policy setting Sync policy managed app data with native apps or add-ins is set to Allow, organizations can also choose to define the availability of Add-ins through a managed apps App Configuration Policy. This flexibility allows for feature granularity control from a data protection perspective; for example, organizations can enable Save Contacts (by setting Sync policy managed app data with native apps to Allow) but disable Add-ins (by setting the Allow Add-ins setting within a managed apps App Configuration Policy to Off).
Important
When configuring add-ins for your users, issues can occur when add-in policies are set in both Microsoft Intune and the Microsoft 365 Admin Center. We recommend choosing between add-in policy in Microsoft Intune or the Microsoft 365 Admin Center but not both at the same time. For granular add-in control, the Microsoft 365 Admin Center provides more specific configurations than Microsoft Intune, so you can choose which solution best fits your organization's needs.
Deploying configuration scenarios with Microsoft Intune for enrolled devices
Microsoft Intune enables administrators to easily deploy these settings to Outlook for iOS and Android via App Configuration Policies.
The following steps allow you to create an app configuration policy. After the configuration policy is created, you can assign its settings to groups of users.
Note
Intune notifies the enrolled device to check in with the Intune service for policy changes. Notification times vary, from immediately up to a few hours. For more information, see Common questions, issues, and resolutions with device policies and profiles in Microsoft Intune.
Important
When deploying app configuration policies to managed devices, issues can occur when multiple policies have different values for the same configuration key and are targeted for the same app and user. These issues are due to the lack of a conflict resolution mechanism for resolving the differing values. You can prevent these issues by ensuring that only a single app configuration policy for managed devices is defined and targeted for the same app and user.
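Because there is no conflict resolution, it helps to audit policies before assignment for the condition described above: two managed devices policies for the same app and platform that reach the same user with different values for one key. The following is an added example, not an Intune API or export format; the policy dictionaries, group names, users, and key values are constructed, and group membership is supplied inline.

```python
from itertools import combinations


def targeted_users(policy: dict, group_members: dict) -> set:
    """Expand a policy's assigned groups into the set of users it reaches."""
    users = set()
    for group in policy["groups"]:
        users |= group_members.get(group, set())
    return users


def find_conflicts(policies: list, group_members: dict) -> list:
    """Return (key, policy_a, policy_b, affected_users) for every clash.

    Two policies clash when they target the same app on the same platform,
    reach at least one common user, and set the same configuration key to
    different values. Overlap is computed on users, not group names, since
    differently named groups can still contain the same person.
    """
    conflicts = []
    for a, b in combinations(policies, 2):
        if (a["app"], a["platform"]) != (b["app"], b["platform"]):
            continue
        shared = targeted_users(a, group_members) & targeted_users(b, group_members)
        if not shared:
            continue
        for key in sorted(a["settings"].keys() & b["settings"].keys()):
            if a["settings"][key] != b["settings"][key]:
                conflicts.append((key, a["name"], b["name"], sorted(shared)))
    return conflicts


# Constructed sample data. The two keys are the ones named on this page;
# the values and policy names are made up for the example.
INTERNAL_DOMAINS = "com.microsoft.outlook.Mail.InternalDomains"
LOUDER_LABEL = "com.microsoft.outlook.Mail.LouderMandatoryLabelEnabled"

GROUP_MEMBERS = {
    "All-Staff": {"alice", "bob"},
    "Finance": {"bob"},
}

POLICIES = [
    {"name": "Outlook-iOS-Baseline", "platform": "iOS/iPadOS",
     "app": "Microsoft Outlook", "groups": {"All-Staff"},
     "settings": {INTERNAL_DOMAINS: "contoso.onmicrosoft.com",
                  LOUDER_LABEL: True}},
    {"name": "Outlook-iOS-Finance", "platform": "iOS/iPadOS",
     "app": "Microsoft Outlook", "groups": {"Finance"},
     "settings": {INTERNAL_DOMAINS: "contoso.onmicrosoft.com",
                  LOUDER_LABEL: False}},
    {"name": "Outlook-Android-Baseline", "platform": "Android Enterprise",
     "app": "Microsoft Outlook", "groups": {"All-Staff"},
     "settings": {LOUDER_LABEL: False}},
]

if __name__ == "__main__":
    for key, first, second, users in find_conflicts(POLICIES, GROUP_MEMBERS):
        print(f"{key}: {first} vs {second} for {', '.join(users)}")
```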
Create a managed devices app configuration policy for Outlook for iOS and Android
Log in to Microsoft Intune admin center.
Select Apps and then select App configuration policies.
On the App Configuration policies blade, choose Add and select Managed devices to start the app configuration policy creation flow.
On the Basics section, enter a Name, and optional Description, for the app configuration settings.
For Platform, choose either iOS/iPadOS or Android Enterprise.
If Android Enterprise is selected as the platform, for Profile Type, choose All Profile Types.
For Targeted app, choose Select app, and then, on the Associated app blade, choose Microsoft Outlook. Select OK.
Note
If Outlook isn't listed as an available app, then you must add it by following the instructions in Assign apps to Android work profile devices with Intune and Add iOS store apps to Microsoft Intune.
Select Next to complete the basic settings of the app configuration policy.
On the Settings section, select Use configuration designer for the Configuration settings format.
If you want to deploy account setup configuration, select Yes for Configure email account settings and configure appropriately:
Note
If an App Protection Policy is targeted to the users, the recommendation is to deploy the general app configuration settings in a Managed Apps device enrollment model instead of using Managed devices. This method ensures the App Configuration Policy is deployed to both enrolled devices and unenrolled devices.
- For Authentication type, select Modern authentication. This setting is required for Microsoft 365 or Office 365 accounts or on-premises accounts using hybrid modern authentication.
- For Username attribute from Microsoft Entra ID, select User Principal Name.
- For Email address attribute from Microsoft Entra ID, select Primary SMTP Address.
- If you want to configure Outlook for iOS and Android such that only the work or school account can be used, select Require for Allow only work or school accounts. This configuration will only allow a single corporate account to be added to Outlook for iOS and Android.
If you want to deploy general app configuration settings, configure the desired settings accordingly:
For Focused Inbox, choose from the available options: Not configured (default), On (app default), and Off.
For Require Biometrics to access the app, choose from the available options: Not configured (default), On, and Off (app default). When selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value. This setting is only available in Outlook for iOS.
Important
If the account is protected by an Intune App Protection Policy that requires a PIN to access the protected account, then the Require Biometrics to access the app setting should be disabled, otherwise the user is prompted with multiple authentication prompts when accessing the app.
For Save Contacts, choose from the available options: Not configured (default), On, and Off (app default). When selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
For Suggested Replies, choose from the available options: Not configured (default), On (app default), and Off. When selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
For Recommendations feed, choose from the available options: Not configured (default), On (app default), and Off.
For External recipients MailTip, choose from the available options: Not configured (default), On (app default), and Off.
For Default app signature, choose from the available options: Not configured (default), On (app default), and Off.
For Block external images, choose from the available options: Not configured (default), On, and Off (app default). When selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
For Organize mail by thread, choose from the available options: Not configured (default), On (app default), and Off.
For Play My Emails, choose from the available options: Not configured (default), On (app default), and Off.
For Themes, choose from the available options: Not configured (default), On (app default), and Off.
For Sync Calendars, choose from the available options: Not configured (default), On (app default), and Off. When selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value. This feature is only available in Outlook for Android.
For Text Predictions, choose from the available options: Not configured (default), On (app default), and Off. When selecting On or Off, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
If you want to configure S/MIME settings, see Outlook for iOS automated certificate delivery or Outlook for Android automated certificate delivery.
When you're finished selecting settings, select Next.
On the Assignments section, select Select groups to include. Select the Microsoft Entra group to which you want to assign the app configuration policy, and then select Select.
When you're finished with assignments, select Next.
On the Review + Create section, review the settings configured and select Create.
The newly created configuration policy is displayed on the App configuration blade.
Note
For Managed devices, you will need to create a separate app configuration policy for each platform. Also, Outlook will need to be installed from the Company Portal for the configuration settings to take effect.
Deploying configuration scenarios with Microsoft Intune for unenrolled devices
If you're using Microsoft Intune as your mobile app management provider, the following steps allow you to create a managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of users.
Note
Microsoft Intune managed apps check in at an interval of 30 minutes for Intune App Configuration Policy status when deployed in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user, then the Intune App Configuration Policy check-in interval is set to 720 minutes.
Create a managed apps app configuration policy for Outlook for iOS and Android
Log in to Microsoft Intune admin center.
Select Apps and then select App configuration policies.
On the App Configuration policies blade, choose Add and select Managed apps.
On the Basics section, enter a Name, and optional Description, for the app configuration settings.
For Public apps, choose Select public apps, and then, on the Targeted apps blade, choose Outlook by selecting both the iOS and Android platform apps. Click Select to save the selected public apps.
Click Next to complete the basic settings of the app configuration policy.
On the Settings section, expand the Outlook configuration settings.
If you want to deploy general app configuration settings, configure the desired settings accordingly:
For Focused Inbox, choose from the available options: Not configured (default), Yes (app default), and No.
For Require Biometrics to access the app, choose from the available options: Not configured (default), Yes, and No (app default). When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value. This setting is only available in Outlook for iOS.
Important
If the account is protected by an Intune App Protection Policy that requires a PIN to access the protected account, then the Require Biometrics to access the app setting should be disabled, otherwise the user is prompted with multiple authentication prompts when accessing the app.
For Save Contacts, choose from the available options: Not configured (default), Yes, and No (app default). When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
For External recipients MailTip, choose from the available options: Not configured (default), Yes (app default), and No.
For Block external images, choose from the available options: Not configured (default), Yes, and No (app default). When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
For Default app signature, choose from the available options: Not configured (default), Yes (app default), and No.
For Suggested Replies, choose from the available options: Not configured (default), Yes (app default), and No. When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
For Organize mail by thread, choose from the available options: Not configured (default), Yes (app default), and No.
For Recommendations feed, choose from the available options: Not configured (default), Yes (app default), and No.
For Play My Emails, choose from the available options: Not configured (default), Yes (app default), and No.
For Sync Calendars, choose from the available options: Not configured (default), Yes (app default), and No. When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value. This feature is available only in Outlook for Android.
For Text Predictions, choose from the available options: Not configured (default), Yes (app default), and No. When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
If you want to manage the data protection settings, configure the desired settings accordingly:
- For Org data on wearables, choose from the available options: Not configured (default), Yes (app default), and No.
- For Calendar Notifications, choose from the available options: Not configured (default) and Allowed. By default, calendar notifications are allowed within the app and display sensitive information. Allowed only takes effect when the App Protection Policy setting Org Data Notifications is set to Block org data.
- For Allow Add-ins, choose from the available options: Not configured (default), Yes (app default), and No. For more information on the setting choices, see Add-ins.
- For Allow Calendar Sync, choose from the available options: Not configured (default), Yes (app default), and No. For more information on the setting choices, see Calendar Sync.
- If you want to manage which contact fields sync with the native contacts apps, configure the desired Sync contact fields to native contacts app configuration settings accordingly. For each contact field setting, choose from the available options: Not configured (default), Yes (app default), No.
If you want to manage the app's S/MIME configuration, configure the desired settings accordingly:
- For Enable S/MIME, choose from the available options: Not configured (default), Yes, and No (app default). When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
Important
S/MIME certificates must be available within Outlook for iOS and Android for the user to sign or encrypt messages. For more information, see S/MIME for Outlook for iOS and Android.
- Choose whether to Encrypt all emails by selecting Yes or No. When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
- Choose whether to Sign all emails by selecting Yes or No. When selecting Yes or No, administrators can choose to allow the user to change the app setting's value. Select Yes (app default) to allow the user to change the setting or select No if you want to prevent the user from changing the setting's value.
- If needed, deploy an LDAP URL for recipient certificate lookup. For more information on the URL format, see LDAP support for certificate lookup.
When you're finished configuring the settings, select Next.
On the Assignments section, choose Select groups to include. Select the Microsoft Entra group to which you want to assign the app configuration policy, and then select Select.
When you're finished with the assignments, select Next.
On the Create app configuration policy Review + Create blade, review the settings configured and select Create.
The newly created configuration policy is displayed on the App configuration blade.
Configuration keys
The following sections outline the app configuration keys and their supported values. Configuration keys identified with the Managed apps device enrollment type are delivered through the App Protection Policy channel. Configuration keys identified with the Managed devices device enrollment type are delivered through the mobile device management OS channel. If a configuration key is listed with both device enrollment types, the key can be delivered through either channel; for more information, see General app configuration scenarios.
Important
App configuration keys are case sensitive. Use the proper casing to ensure the configuration takes effect.
iOS devices and third-party unified endpoint management solutions
If the Managed devices device enrollment type configuration keys are deployed with a third-party UEM provider, then the following additional key must also be delivered for iOS devices:
key = IntuneMAMUPN, value = username@company.com
The exact syntax of the key/value pair may differ based on the third-party UEM provider used. The following table shows examples of some third-party UEM providers and the exact values for the key/value pair:
Third-party UEM provider | Configuration Key | Value Type | Configuration Value |
---|---|---|---|
Microsoft Intune | IntuneMAMUPN | String | {{UserPrincipalName}} |
Workspace ONE | IntuneMAMUPN | String | {UserPrincipalName} |
MobileIron | IntuneMAMUPN | String | ${userUPN} or ${userEmailAddress} |
Citrix Endpoint Management | IntuneMAMUPN | String | ${user.userprincipalname} |
ManageEngine Mobile Device Manager | IntuneMAMUPN | String | %upn% |
Account setup configuration
Outlook for iOS and Android offers administrators the ability to "push" account configurations to their Microsoft 365 and Office 365 users. For more information on account setup configuration, see Account setup with modern authentication in Exchange Online.
Key | Value | Device Enrollment Type |
---|---|---|
com.microsoft.outlook.Settings.OpenLinks.UseSystemDefaultBrowser | This new app config policy disables Open Links feature and always uses system default browser. | Managed devices |
com.microsoft.outlook.Settings.OpenLinks.UserChangeAllowed | This new app config policy hides settings page for Open Links. | Managed devices |
com.microsoft.outlook.EmailProfile.EmailAddress | This key specifies the email address to be used for sending and receiving mail. Value type: String Accepted values: Email address Default if not specified: <blank> Required: Yes Example: user@companyname.com | Managed devices |
com.microsoft.outlook.EmailProfile.EmailUPN | This key specifies the User Principal Name or username for the email profile that is used to authenticate the account. Value type: String Accepted values: UPN Address or username Default if not specified: <blank> Required: Yes Example: userupn@companyname.com | Managed devices |
com.microsoft.outlook.EmailProfile.AccountType | This key specifies the account type being configured based on the authentication model. Value type: String Accepted values: ModernAuth Required: Yes Example: ModernAuth | Managed devices |
Organization allowed accounts mode settings
Outlook for iOS and Android offers administrators the ability to restrict email and storage provider accounts to only corporate accounts. For more information on organization allowed accounts mode, see Account setup with modern authentication in Exchange Online.
Key | Value | Platform | Device Enrollment Type |
---|---|---|---|
IntuneMAMAllowedAccountsOnly | This key specifies whether organization allowed account mode is active. Value type: String Accepted values: Enabled, Disabled Required: Yes Value: Enabled | iOS | Managed devices |
IntuneMAMUPN | This key specifies the User Principal Name for the account. Value type: String Accepted values: UPN Address Required: Yes Example: userupn@companyname.com | iOS | Managed devices |
com.microsoft.intune.mam.AllowedAccountUPNs | This key specifies the UPNs allowed for organization allowed account mode. Accepted values: UPN Address Required: Yes Example: userupn@companyname.com | Android | Managed devices |
General app configuration settings
Outlook for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings.
Key | Value | Device Enrollment Type |
---|---|---|
com.microsoft.outlook.Mail.FocusedInbox | This key specifies whether Focused Inbox is enabled. Setting the value to false will disable Focused Inbox. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Auth.Biometric | This key specifies whether FaceID or TouchID is required to access the app. Setting the value to true will enable biometric access. This key is only supported with Outlook for iOS. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Auth.Biometric.UserChangeAllowed | This key specifies whether the biometric setting can be changed by the end user. This key is only supported with Outlook for iOS. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Contacts.LocalSyncEnabled | By default, Outlook doesn't sync contact data with the native Contacts app. This key defines the default sync state behavior. Setting the value to true will enable contact sync. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed | This key specifies whether the contact sync state can be changed by the end user. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.ExternalRecipientsToolTipEnabled | This key specifies whether the External Recipients MailTip is enabled. Setting the value to false will disable the MailTip. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.BlockExternalImagesEnabled | This key specifies whether external images are blocked by default. Setting the value to true will enable blocking external images. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed | This key specifies whether the Block External Images setting can be changed by the end user. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.DefaultSignatureEnabled | This key specifies whether the app uses its default signature. Setting the value to false will disable the app's default signature. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SuggestedRepliesEnabled | This key specifies whether the app enables Suggested Replies. Setting the value to false will disable the app's ability to suggest replies. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SuggestedRepliesEnabled.UserChangeAllowed | This key specifies whether the Suggested Replies setting can be changed by the end user. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.OfficeFeedEnabled | This key specifies whether the app enables the Microsoft Feed, which shows the user's and the user's coworkers' Office files and insights from Microsoft 365. Setting the value to false will disable the Microsoft Feed. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.OrganizeByThreadEnabled | This key specifies whether the app enables Organize by thread view. Setting the value to false will disable mail threaded conversation view. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.PlayMyEmailsEnabled | This key specifies whether the Play My Emails feature is promoted to eligible users via a banner in the inbox. When set to Off, this feature won't be promoted to eligible users in the app. Users can choose to manually enable Play My Emails from within the app, even when this feature is set to Off. When set as not configured, the default app setting is On and the feature will be promoted to eligible users. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Calendar.NativeSyncEnabled | By default, Outlook doesn't sync calendar data to the native Calendar app. This key defines the default sync state behavior. Setting the value to true will enable calendar sync. This key is only supported with Outlook for Android. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Calendar.NativeSyncEnabled.UserChangeAllowed | This key specifies whether the calendar sync state can be changed by the end user. This key is only supported with Outlook for Android. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.TextPredictionsEnabled | Outlook can suggest words and phrases as you compose messages. When set as not configured, the default app setting is set to On. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.TextPredictionsEnabled.UserChangeAllowed | This key specifies whether Smart Compose can be changed by the end user. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Settings.ThemesEnabled | Outlook supports custom visual themes. When set as not configured, the default app setting is set to On. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.BlockSharing | This key specifies whether the app enables the block sharing experience. Setting the value to true will block sharing of the inbox in the app. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Calendar.BlockSharing | This key specifies whether the app enables the block sharing experience. Setting the value to true will block sharing of the calendar in the app. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
S/MIME settings
Outlook for iOS and Android offers administrators the ability to customize the default S/MIME configuration.
Key | Value | Device Enrollment Type |
---|---|---|
com.microsoft.outlook.Mail.SMIMEEnabled | This key specifies whether the app enables S/MIME. Use of S/MIME requires certificates available to Outlook for iOS and Android. Setting the value to true will enable S/MIME support in the app. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SMIMEEnabled.UserChangeAllowed | This key specifies whether the S/MIME setting can be changed by the end user. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SMIMEEnabled.EncryptAllMail | This key specifies whether S/MIME encryption is required to send messages. Use of S/MIME requires certificates available to Outlook for iOS and Android. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SMIMEEnabled.EncryptAllMail.UserChangeAllowed | This key specifies whether the S/MIME setting can be changed by the end user. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SMIMEEnabled.SignAllMail | This key specifies whether S/MIME signing is required to send messages. Use of S/MIME requires certificates available to Outlook for iOS and Android. Value type: Boolean Accepted values: true, false Default if not specified: false Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SMIMEEnabled.SignAllMail.UserChangeAllowed | This key specifies whether the S/MIME setting can be changed by the end user. Value type: Boolean Accepted values: true, false Default if not specified: true Required: No Example: false | Managed Devices, Managed Apps |
com.microsoft.outlook.Mail.SMIMEEnabled.LDAPHostName | This key specifies the LDAP directory endpoint to query for certificates. Value type: String Accepted values: ldap://domainname:protocol, ldaps://domainname:protocol, domainname:protocol Default if not specified: N/A Required: No Example: ldap://contoso.com ldaps://contoso.com contoso.com ldaps://contoso.com:636 contoso.com:636 | Managed Devices, Managed Apps |
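The rules stated in the preceding sections (case-sensitive keys, Boolean values, platform-specific keys, the required account setup keys, the accepted LDAPHostName forms, and the additional IntuneMAMUPN key for iOS with a third-party UEM) can be checked before a policy is assigned. The following Python linter is an added example, not Microsoft code; the names `lint`, `third_party_uem` and `SAMPLE`, the finding texts, and the choice to cover only a subset of the documented keys are assumptions.

```python
import re

# Added example: pre-deployment linter for a subset of the keys documented
# above. Function names, finding texts and the sample policy are assumptions.
BOOLEAN_KEYS = {
    "com.microsoft.outlook.Mail.FocusedInbox",
    "com.microsoft.outlook.Auth.Biometric",
    "com.microsoft.outlook.Auth.Biometric.UserChangeAllowed",
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled",
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed",
    "com.microsoft.outlook.Calendar.NativeSyncEnabled",
    "com.microsoft.outlook.Calendar.NativeSyncEnabled.UserChangeAllowed",
    "com.microsoft.outlook.Mail.SMIMEEnabled",
    "com.microsoft.outlook.Mail.SMIMEEnabled.EncryptAllMail",
    "com.microsoft.outlook.Mail.SMIMEEnabled.SignAllMail",
}
# Account setup keys: Managed devices channel only, each marked "Required: Yes".
ACCOUNT_SETUP_KEYS = {
    "com.microsoft.outlook.EmailProfile.EmailAddress",
    "com.microsoft.outlook.EmailProfile.EmailUPN",
    "com.microsoft.outlook.EmailProfile.AccountType",
}
ACCOUNT_TYPE_KEY = "com.microsoft.outlook.EmailProfile.AccountType"
LDAP_KEY = "com.microsoft.outlook.Mail.SMIMEEnabled.LDAPHostName"
UPN_KEY = "IntuneMAMUPN"
IOS_ONLY = {k for k in BOOLEAN_KEYS if ".Auth.Biometric" in k}
ANDROID_ONLY = {k for k in BOOLEAN_KEYS if ".Calendar.NativeSyncEnabled" in k}
KNOWN_KEYS = BOOLEAN_KEYS | ACCOUNT_SETUP_KEYS | {LDAP_KEY, UPN_KEY}
CANONICAL = {k.lower(): k for k in KNOWN_KEYS}

# Accepted LDAPHostName forms: ldap://host, ldaps://host or bare host,
# each with an optional :port suffix.
LDAP_HOST_RE = re.compile(
    r"^(?:ldaps?://)?[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$"
)


def lint(settings, channel, platform, third_party_uem=False):
    """Return (key, problem) findings for one app configuration policy.

    channel is "Managed devices" or "Managed apps"; platform is "ios" or
    "android". Values are the strings (or bools) as they would be delivered.
    """
    findings = []
    for key, value in settings.items():
        canonical = CANONICAL.get(key.lower())
        if canonical is None:
            findings.append((key, "key is not in this linter's list"))
            continue
        if canonical != key:
            # Keys are case sensitive: a mis-cased key does not take effect.
            findings.append((key, f"wrong casing, expected {canonical}"))
            continue
        if key in BOOLEAN_KEYS and not (
            isinstance(value, bool) or value in ("true", "false")
        ):
            findings.append((key, "value must be true or false"))
        if key in ACCOUNT_SETUP_KEYS and channel != "Managed devices":
            findings.append((key, "delivered only through Managed devices"))
        if key in IOS_ONLY and platform != "ios":
            findings.append((key, "supported only with Outlook for iOS"))
        if key in ANDROID_ONLY and platform != "android":
            findings.append((key, "supported only with Outlook for Android"))
        if key == LDAP_KEY and not LDAP_HOST_RE.match(str(value)):
            findings.append((key, "not an accepted LDAP endpoint form"))
        if key == ACCOUNT_TYPE_KEY and value != "ModernAuth":
            findings.append((key, "accepted value is ModernAuth"))

    # The three account setup keys are all required once any one is present.
    present = ACCOUNT_SETUP_KEYS.intersection(settings)
    if present:
        for missing in sorted(ACCOUNT_SETUP_KEYS - present):
            findings.append((missing, "required account setup key is missing"))
    if (third_party_uem and channel == "Managed devices"
            and platform == "ios" and UPN_KEY not in settings):
        findings.append((UPN_KEY, "required for iOS with a third-party UEM"))
    return findings


# Constructed sample policy with deliberate mistakes (not from a real tenant).
SAMPLE = {
    "com.microsoft.outlook.mail.FocusedInbox": "false",              # casing
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled": "yes",  # not Boolean
    "com.microsoft.outlook.Calendar.NativeSyncEnabled": "false",     # Android only
    "com.microsoft.outlook.EmailProfile.EmailAddress": "user@companyname.com",
    LDAP_KEY: "https://contoso.com",                                 # wrong scheme
}

if __name__ == "__main__":
    for key, problem in lint(SAMPLE, "Managed devices", "ios", third_party_uem=True):
        print(f"{key}: {problem}")
```
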
Data protection settings
Outlook for iOS and Android offers administrators additional data protection capabilities when Outlook is managed by Microsoft Intune and has an Intune App Protection Policy.
Key | Value | Device Enrollment Type |
---|---|---|
com.microsoft.outlook.Calendar.NativeSyncAvailable.IntuneMAMOnly | By default, an App Protection Policy allows for calendar synchronization with the native Calendar app but can be used to block calendar sync availability with the Sync policy managed app data with native apps or add-ins setting. Configuring this setting to false will block calendar synchronization when the App Protection Policy setting is set to Allowed. This key is only supported with Outlook for Android. Accepted values: true, false Default if not specified: No value specified Example: false | Managed apps |
com.microsoft.outlook.AddinsAvailable.IntuneMAMOnly | By default, an App Protection Policy allows users to utilize third-party add-ins but can be used to block add-ins with the Sync policy managed app data with native apps or add-ins setting. Configuring this setting to false will block add-ins when the App Protection Policy setting is set to Allowed. Accepted values: true, false Default if not specified: No value specified Example: false | Managed apps |
com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly | (1) If APP NotificationRestrictions is set to BlockOrgData, only then check for com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly: If the app config value is set to null (doesn't exist), all sensitive data properties are removed. If the app config value is set to 0, all sensitive data are exposed. If the app config value is set to 1, only the subject (and meeting time) is exposed. (2) If APP NotificationRestrictions is set to Allow or NotificationRestrictions is set to Block, then all sensitive data properties are exposed in calendar reminder notifications. Important: To set the com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly value to 1, admins must create a policy using Intune scripts to inject a value of 1 until the MEM portal is able to be updated. | Managed apps |
com.microsoft.intune.mam.areWearablesAllowed | This key specifies if Outlook data can be synchronized to a wearable device. Setting the value to false disables wearable synchronization. Accepted values: true, false Default if not specified: true Example: false | Managed apps |
com.microsoft.outlook.ContactSync.AddressAllowed | This key specifies if the contact's address should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.BirthdayAllowed | This value specifies if the contact's birthday should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.CompanyAllowed | This key specifies if the contact's company name should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.DepartmentAllowed | This key specifies if the contact's department should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.EmailAllowed | This key specifies if the contact's email address should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.InstantMessageAllowed | This key specifies if the contact's instant messaging address should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.JobTitleAllowed | This key specifies if the contact's job title should be synchronized to native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.NicknameAllowed | This key specifies if the contact's nickname should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.NotesAllowed | This key specifies if the contact's notes should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PhoneHomeAllowed | This key specifies if the contact's home phone number should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PhoneHomeFaxAllowed | This key specifies if the contact's home fax number should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PhoneMobileAllowed | This key specifies if the contact's mobile phone number should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PhoneOtherAllowed | This key specifies if the contact's other phone number should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PhonePagerAllowed | This key specifies if the contact's pager phone number should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PhoneWorkAllowed | This key specifies if the work phone number should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PhoneWorkFaxAllowed | This key specifies if the contact's work fax number should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.PrefixAllowed | This key specifies if the contact's name prefix should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.ContactSync.SuffixAllowed | This key specifies if the contact's name suffix should be synchronized with native contacts. Accepted values: true, false Default if not specified: true Example: true | Managed apps |
com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly | By default, an App Protection Policy allows for the widget to sync with the Outlook app but can be used to block widget sync availability with the Sync policy managed app data with native apps or add-ins setting. Configuring this setting to false blocks the widget synchronization when the App Protection Policy setting is set to Allowed. Accepted values: true, false Default if not specified: No value specified Example: Here's an example that allows calendar sync but disallows widget sync: Sync policy managed app data with native apps or add-ins == allow; com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly = false. Here's another example to block widget sync, calendar sync, and add-ins: Sync policy managed app data with native apps or add-ins == block. And another example that blocks calendar sync but allows widget sync: Sync policy managed app data with native apps or add-ins == allow; com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly = true; com.microsoft.outlook.Calendar.NativeSyncAvailable.IntuneMAMOnly = false. | Managed apps |
Louder Mandatory labeling | Off Organizations have mandatory labeling enabled without default labeling, and would like to have the label selection first before going to compose the email. Then when the users click Send, the email could just be sent without any forgotten labeling pop ups. Outlook mobile will introduce a new MDM setting (com.microsoft.outlook.Mail.LouderMandatoryLabelEnabled) to allow admins to enable this louder mandatory configuration for Outlook mobile clients (iOS and Android) specifically. | App default |
com.microsoft.outlook.Mail.Notifications.IntuneMAMOnly | (1) If Intune App Protection Policy (APP) NotificationRestrictions = BlockOrgData, only then check for com.microsoft.outlook.Mail.Notifications.IntuneMAMOnly: If app config value is null (doesn't exist): All sensitive data properties are removed. If app config value is 0: Only subject and sender are exposed. If app config value is 1: Only sender is exposed. (2) Else, if APP NotificationRestrictions = Allow or NotificationRestrictions = Block, then: All sensitive data properties are exposed in mail notifications. | Managed devices, managed apps |
com.microsoft.outlook.Mail.VideoMessages.VideoCaptureAndUploadEnabled | If app config value = null (doesn't exist): Video capture is enabled. If app config value = true: Video capture is enabled. If app config value = false: Video capture is disabled. You can still capture photos. Video capture will enable the user to capture a video within Microsoft Outlook Mobile and upload the captured video to an email via OneDrive for Business. | Managed devices, Managed apps |
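The data protection keys above only take effect in combination with App Protection Policy settings, and the two notification keys do not share a scale (0 is the most permissive calendar value but not the most permissive mail value). The following Python sketch is an added example, not Microsoft code; the function names, the `"allow"`/`"block"` strings and the returned descriptions are assumptions, and the notification function reports only the BlockOrgData case in which the table says the key is checked.

```python
# Added example: evaluates what a given APP + app configuration combination
# yields, following the table above. Names and return shapes are assumptions.
CALENDAR_KEY = "com.microsoft.outlook.Calendar.Notifications.IntuneMAMOnly"
MAIL_KEY = "com.microsoft.outlook.Mail.Notifications.IntuneMAMOnly"

# Meaning of each app config value when NotificationRestrictions is
# BlockOrgData. None stands for "key not present" (null in the table).
EXPOSURE = {
    CALENDAR_KEY: {
        None: "all sensitive data removed",
        0: "all sensitive data exposed",
        1: "only subject and meeting time exposed",
    },
    MAIL_KEY: {
        None: "all sensitive data removed",
        0: "only subject and sender exposed",
        1: "only sender exposed",
    },
}

# Keys gated by "Sync policy managed app data with native apps or add-ins".
# The calendar key is only supported with Outlook for Android.
SYNC_KEYS = {
    "calendar_sync": "com.microsoft.outlook.Calendar.NativeSyncAvailable.IntuneMAMOnly",
    "add_ins": "com.microsoft.outlook.AddinsAvailable.IntuneMAMOnly",
    "widget_sync": "com.microsoft.outlook.WidgetsAvailable.IntuneMAMOnly",
}


def notification_exposure(key, notification_restrictions, app_config):
    """Describe what a calendar or mail notification shows for this policy."""
    if key not in EXPOSURE:
        raise KeyError(f"not a notification key: {key}")
    if notification_restrictions != "BlockOrgData":
        # The key is only checked under BlockOrgData.
        return "key not evaluated"
    raw = app_config.get(key)
    value = None if raw is None else int(raw)  # accepts 0, 1, "0", "1"
    if value not in EXPOSURE[key]:
        raise ValueError(f"unsupported value for {key}: {raw!r}")
    return EXPOSURE[key][value]


def sync_availability(app_sync_setting, app_config):
    """Return {feature: available?} for calendar sync, add-ins and widgets.

    app_sync_setting is "allow" or "block". When the APP setting blocks, all
    three are blocked; when it allows, a key set to false blocks its feature.
    """
    result = {}
    for feature, key in SYNC_KEYS.items():
        if app_sync_setting == "block":
            result[feature] = False
        else:
            result[feature] = str(app_config.get(key, "true")).lower() != "false"
    return result


if __name__ == "__main__":
    # Third example from the WidgetsAvailable row: block calendar, keep widgets.
    cfg = {SYNC_KEYS["widget_sync"]: "true", SYNC_KEYS["calendar_sync"]: "false"}
    print(sync_availability("allow", cfg))
    print(notification_exposure(MAIL_KEY, "BlockOrgData", {MAIL_KEY: "1"}))
```
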