This article describes security notices that appear when you are connecting legacy email clients to Microsoft 365, the reasons these are necessary, and alternatives that are available for those who are uncomfortable granting the required permissions.
Target Audience: Employees, Managers
Technical Skills: None required
Reading Time: A few minutes
Some security notices may cause alarm because they mention the ability to wipe personal devices.
While the notice may seem scary, there's actually no cause for alarm.
You should use the Outlook app for mobile instead.
Older mail apps that don't support sandboxes and MFA may require device wipe permissions.
Your company should have a written policy explaining how access to your personal device will be used.
Liquid Mercury Solutions has policies in place to safeguard your personal devices and data. Use of Device Wipe for our customers is only done in a responsible fashion.
Mobile OS (e.g. Android or Apple)
Android Mail mobile app, Gmail mobile app, Apple iMail mobile app
When attempting to connect your personal Android mobile device to work e-mail, you may be presented with one or more security notifications, even though other users in the organization may not be prompted.
Below are two examples that you may see on your mobile device.
For example, the Mail app will show you this notification:
The server outlook.office365.com requires that you allow it to remotely control some security features of your Android device. Do you want to finish setting up this account?
If you have a Microsoft 365 work or school account, you may also be asked to confirm Remote security administration and approve additional security measures. In this case, choose OK or Activate.
Or, for the Gmail app, you will see:
The server "companydomain.com" requires that you allow it to remotely control some security features of your Android device.
Activating this administrator will allow the app Gmail to perform the following operations:
Erase all data
Erase the phone's data without warning by performing a factory data reset.
Set password rules
Steps to Reproduce
Connect to Office 365 e-mail using one of the legacy e-mail applications that use ActiveSync to connect to Exchange Online, such as the Android native Mail app or Google's Gmail app. If you use an iPhone, you may see similar notices when connecting the native iMail client.
Cause and Technical Details
ActiveSync, the protocol that older mail apps use to access Exchange Online, is an older technology with a much more limited security model: because it cannot protect just the mail app's data, its controls are applied broadly to the whole device. ActiveSync does not have the capabilities of newer solutions such as the Outlook app for Android, so you must generally accept the legacy device-management controls intended to protect company e-mail and data.
Additionally, these tools don't support multi-factor authentication. As a result, some organizations may prohibit the use of legacy clients such as Mail, Gmail, and iMail due to security risk.
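For administrators reading along, the following Exchange Online PowerShell audit is an added example, not part of the original article: it shows which mobile device mailbox policy settings sit behind the "Set password rules" and "Erase all data" consent text, and which users still connect with a legacy ActiveSync client rather than the Outlook app. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; `admin@example.com` and `user@example.com` are placeholders.

```powershell
# Added example: audit what the ActiveSync device-administrator consent actually enforces.
# Assumes the ExchangeOnlineManagement module is installed and the account has an
# Exchange admin role. The two addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. The policy behind "Set password rules" and "Erase all data" on the consent screen.
#    These settings are what a legacy ActiveSync client is asked to enforce on the device.
Get-MobileDeviceMailboxPolicy |
    Select-Object Name, IsDefault, PasswordEnabled, MinPasswordLength,
                  MaxInactivityTimeLock, MaxPasswordFailedAttempts,
                  RequireDeviceEncryption, AllowNonProvisionableDevices |
    Format-Table -AutoSize

# 2. Count devices by client type. 'EAS' is a legacy ActiveSync client (Mail, Gmail,
#    iMail); 'Outlook' is the Outlook app, which does not need device-admin rights.
$devices = Get-MobileDevice -ResultSize Unlimited
$devices |
    Group-Object ClientType |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. Per-user list of legacy devices, so the helpdesk knows whom to guide to the Outlook app.
$devices |
    Where-Object { $_.ClientType -eq 'EAS' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessState |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize

# 4. Wipe history for one mailbox: whether a wipe was ever requested and by whom,
#    which is the accountability record a written BYOD policy should point to.
Get-MobileDeviceStatistics -Mailbox user@example.com |
    Select-Object DeviceFriendlyName, DeviceType, LastSuccessSync,
                  DeviceWipeRequestTime, LastDeviceWipeRequestor |
    Format-Table -AutoSize
```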
A better option is to switch to the modern Outlook app for mobile.
Why use the Outlook App for email?
Supports multi-factor authentication.
Protects company email and data with less invasive security controls.
Unlikely to be blocked by your company, even if security policies are tightened.
Provides an experience much more similar to Outlook on the PC.
Includes full support for Calendar and Contacts.
Provides other useful features like Focused Inbox.
Solutions / Workarounds
To resolve this situation, you have a few possible options:
Accept the conditions in the application and install. Continue to use the native Mail application and/or Gmail with ActiveSync, and accept the security policies as they are described.
Use the Outlook App for Android instead. Accept the security policies enforced by the company, which should be more limited in reach than for legacy apps.
If there are justifiable reasons for concern, you may wish to review company policies and protections with your organization's management. You may be able to request a company device and/or decline to access e-mail on personal devices.
The terms shown in these consent screens can be concerning, especially if you don't understand how the permissions granted now may be used in the future. However, there's no need for alarm. If you are hesitant to grant the required permissions, contact your manager and/or system administrator as soon as possible. Delay may prevent you from receiving important work-related correspondence.
How Liquid Mercury Solutions Can Help
Our service plan customers are entitled to consultation and other valuable services that your company can rely on, including guidance in establishing employee policies that take privacy and personal (BYOD) devices into account.
If you're not yet a client of Liquid Mercury Solutions and would like to learn more about the services we offer that may help your organization, please reach out and let us know. If your company is a Liquid Mercury client, you or your manager may wish to participate in an upcoming Office 365 Hours meeting, where we can answer any questions you may have.
Liquid Mercury Solutions has policies in place to ensure the privacy and safety of personal data. Please review the following for our privacy and security policies:
Bill of Rights for Clients and Their Employees
This document sets out our policies regarding governance of privileged access to clients' personal and business information. Its content was updated in 2020 to reflect questions raised by remote workers due to COVID-19.
Please refer to Pages 42 to 44 of Liquid Mercury Solutions Service Level Agreement for Cloud Solution Provider and Subscription Service Plans.
Liquid Mercury Solutions Staff Internal Resources
The following resources are available to assist Liquid Mercury Solutions support staff with users who are experiencing the issue described in this article.
PLEASE NOTE: An LMS Internal Login is Required.