-->
Outlook for iOS and Android provides users the fast, intuitive email and calendar experience that users expect from a modern mobile app, while being the only app to provide support for the best features of Microsoft 365 or Office 365.
Protecting company or organizational data on users' mobile devices is extremely important. Begin by reviewing Setting up Outlook for iOS and Android, to ensure your users have all the required apps installed. After that, choose one of the following options to secure your devices and your organization's data:
Download this app from Microsoft Store for Windows 10 Mobile, Windows Phone 8.1, Windows Phone 8. See screenshots, read the latest customer reviews, and compare ratings for Sync for Outlook. Before you begin: You're on the right page if you're troubleshooting sync issues while setting up your mobile email for the first time. If your email, calendar, and contacts were syncing before and now they don't, see Fix Outlook.com email sync issues.If you don't use an Outlook.com or Microsoft 365 for business account, contact your email provider.
Recommended: If your organization has an Enterprise Mobility + Security subscription, or has separately obtained licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android to protect corporate data with Outlook for iOS and Android.
If your organization doesn't have an Enterprise Mobility + Security subscription or licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in Leveraging Mobile Device Management, and use the Mobile Device Management (MDM) for Microsoft 365 or Office 365 capabilities that are included in your Office 365 or Microsoft 365 subscription.
Follow the steps in Leveraging Exchange Online mobile device policies to implement basic Exchange mobile device mailbox and device access policies.
If, on the other hand, you don't want to use Outlook for iOS and Android in your organization, see Blocking Outlook for iOS and Android.
Note
See Exchange Web Services (EWS) application policies later in this article if you'd rather implement an EWS application policy to manage mobile device access in your organization.
Setting up Outlook for iOS and Android
For devices enrolled in a mobile device management (MDM) solution, users will utilize the MDM solution, like the Intune Company Portal, to install the required apps: Outlook for iOS and Android and Microsoft Authenticator.
For devices that are not enrolled in an MDM solution, users need to install:
Outlook for iOS and Android via the Apple App Store or Google Play Store
Microsoft Authenticator app via the Apple App Store or Google Play Store
Intune Company Portal app via Apple App Store or Google Play Store
Once the app is installed, users can follow these steps to add their corporate email account and configure basic app settings:
Important
To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see App-based Conditional Access with Intune.
Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android
Important
The Allow/Block/Quarantine (ABQ) list provides no security guarantees (if a client spoofs the DeviceType header, it might be possible to bypass blocking for a particular device type). To securely restrict access to specific device types, we recommend that you configure conditional access policies. For more information, see App-based conditional access with Intune.
The richest and broadest protection capabilities for Microsoft 365 and Office 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that only allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the corporate data is protected.
Note
While the Enterprise Mobility + Security suite subscription includes both Microsoft Intune and Azure Active Directory Premium, customers can purchase Microsoft Intune licenses and Azure Active Directory Premium licenses separately. All users must be licensed in order to leverage the conditional access and Intune app protection policies that are discussed in this article.
Block all email apps except Outlook for iOS and Android using conditional access
When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android as the only email app for end users, they can configure a conditional access policy that blocks other mobile access methods. To do this, you will need several conditional access policies, with each policy targeting all potential users. Details on creating these policies can be found in Require app protection policy for cloud app access with Conditional Access.
Follow 'Step 1: Configure an Azure AD Conditional Access policy for Microsoft 365 or Office 365' in Scenario 1: Microsoft 365 or Office 365 apps require approved apps with app protection policies, which allows Outlook for iOS and Android, but blocks OAuth capable Exchange ActiveSync clients from connecting to Exchange Online.
Note
This policy ensures mobile users can access all Office endpoints using the applicable apps.
Follow 'Step 2: Configure an Azure AD Conditional Access policy for Exchange Online with ActiveSync (EAS)' in Scenario 1: Microsoft 365 or Office 365 apps require approved apps with app protection policies, which prevents Exchange ActiveSync clients leveraging basic authentication from connecting to Exchange Online.
The above policies leverage the grant control Require app protection policy, which ensures that an Intune App Protection Policy is applied to the associated account within Outlook for iOS and Android prior to granting access. If the user isn't assigned to an Intune App Protection Policy, isn't licensed for Intune, or the app isn't included in the Intune App Protection Policy, then the policy prevents the user from obtaining an access token and gaining access to messaging data.
Finally, follow How to: Block legacy authentication to Azure AD with Conditional Access to block legacy authentication for other Exchange protocols on iOS and Android devices; this policy should target only Office 365 Exchange Online cloud app and iOS and Android device platforms. This ensures mobile apps using Exchange Web Services, IMAP4, or POP3 protocols with basic authentication cannot connect to Exchange Online.
Note
After the conditional access policies are enabled, it may take up to 6 hours for any previously connected mobile device to become blocked.
When the user authenticates in Outlook for iOS and Android, if there are any Azure Active Directory conditional access policies applied, then mobile device access rules (allow, block, or quarantine) in Exchange Online are skipped.
To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see App-based Conditional Access with Intune.
Protect corporate data in Outlook for iOS and Android using Intune app protection policies
App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:
- Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
- Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
- Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.
Regardless of whether the device is enrolled in an MDM solution, an Intune app protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a minimum, must meet the following conditions:
They include all Microsoft mobile applications, such as Edge, OneDrive, Office, or Teams, as this will ensure that users can access and manipulate work or school data within any Microsoft app in a secure fashion.
They are assigned to all users. This ensures that all users are protected, regardless of whether they use Outlook for iOS or Android.
Determine which framework level meets your requirements. Most organizations should implement the settings defined in Enterprise enhanced data protection (Level 2) as that enables data protection and access requirements controls.
For more information on the available settings, see Android app protection policy settings in Microsoft Intune and iOS app protection policy settings.
Important
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app protection policies.
Leveraging Mobile Device Management
If you don't plan to leverage the Enterprise Mobility + Security suite, you can use Mobile Device Management (MDM). This solution requires that mobile devices be enrolled. When a user attempts to access Exchange Online with a device that is not enrolled, the user is blocked from accessing the resource until they enroll the device.
Because this is a device management solution, there is no native capability to control which apps can be used even after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you will need to obtain Azure Active Directory Premium licenses and leverage the conditional access policies discussed in Block all email apps except Outlook for iOS and Android using conditional access.
A global admin must complete the following steps to activate and set up MDM. See Set up Mobile Device Management (MDM) in Microsoft 365 for complete steps. In summary, these steps include:
Activating MDM by following steps in the Microsoft 365 Security Center.
Setting up MDM by, for example, creating an APNs certificate to manage iOS devices.
Creating device policies and apply them to groups of users. When you do this, your users will get an enrollment message on their device. And when they've completed enrollment, their devices will be restricted by the policies you've set up for them.
Note
Policies and access rules created in MDM will override both Exchange mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in MDM, any Exchange mobile device mailbox policy or device access rule that is applied to that device will be ignored.
Leveraging Exchange Online mobile device policies
If you don't plan on leveraging either the Enterprise Mobility + Security suite or the MDM functionality, you can implement Exchange mobile device mailbox policy to secure the device, and device access rules to limit device connectivity.
Mobile device mailbox policy
Outlook for iOS and Android supports the following mobile device mailbox policy settings in Exchange Online:
Device encryption enabled
Min password length
Password enabled
For information on how to create or modify an existing mobile device mailbox policy, see Mobile device mailbox policies in Exchange Online.
In addition, Outlook for iOS and Android supports Exchange Online's device-wipe capability. With Outlook, a remote wipe only wipes data within the Outlook app itself and does not trigger a full device wipe. For more information on how to perform a remote wipe, see Perform a remote wipe on a mobile phone.
Device access policy
Outlook for iOS and Android should be enabled by default, but in some existing Exchange Online environments the app may be blocked for a variety of reasons. Once an organization decides to standardize how users access Exchange data and use Outlook for iOS and Android as the only email app for end users, you can configure blocks for other email apps running on users' iOS and Android devices. You have two options for instituting these blocks within Exchange Online: the first option blocks all devices and only allows usage of Outlook for iOS and Android; the second option allows you to block individual devices from using the native Exchange ActiveSync apps.
Note
Because device IDs are not governed by any physical device ID, they can change without notice. When this happens, it can cause unintended consequences when device IDs are used for managing user devices, as existing 'allowed' devices may be unexpectedly blocked or quarantined by Exchange. Therefore, we recommend administrators only set mobile device access policies that allow/block devices based on device type or device model.
Option 1: Block all email apps except Outlook for iOS and Android
You can define a default block rule and then configure an allow rule for Outlook for iOS and Android, and for Windows devices, using the following Exchange Online PowerShell commands. This configuration will prevent any Exchange ActiveSync native app from connecting, and will only allow Outlook for iOS and Android.
Create the default block rule:
Create an allow rule for Outlook for iOS and Android
Optional: Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WindowsMail refers to the Mail app included in Windows 10):
Option 2: Block native Exchange ActiveSync apps on Android and iOS devices
Alternatively, you can block native Exchange ActiveSync apps on specific Android and iOS devices or other types of devices.
Confirm that there are no Exchange ActiveSync device access rules in place that block Outlook for iOS and Android:
If any device access rules that block Outlook for iOS and Android are found, type the following to remove them:
You can block most Android and iOS devices with the following commands:
Not all Android device manufacturers specify 'Android' as the DeviceType. Manufacturers may specify a unique value with each release. In order to find other Android devices that are accessing your environment, execute the following command to generate a report of all devices that have an active Exchange ActiveSync partnership:
Create additional block rules, depending on your results from Step 3. For example, if you find your environment has a high usage of HTCOne Android devices, you can create an Exchange ActiveSync device access rule that blocks that particular device, forcing the users to use Outlook for iOS and Android. In this example, you would type:
Note
The -QueryString parameter does not accept wildcards or partial matches.
Additional resources:
Blocking Outlook for iOS and Android
If you don't want users in your organization to access Exchange data with Outlook for iOS and Android, the approach you take depends on whether you are using Azure Active Directory conditional access policies or Exchange Online's device access policies.
Option 1: Block mobile device access using a conditional access policy
Sync Outlook App With Outlook 365
Azure Active Directory conditional access does not provide a mechanism whereby you can specifically block Outlook for iOS and Android while allowing other Exchange ActiveSync clients. With that said, conditional access policies can be used to block mobile device access in two ways:
Option A: Block mobile device access on both the iOS and Android platforms
Option B: Block mobile device access on a specific mobile device platform
Option A: Block mobile device access on both the iOS and Android platforms
If you want to prevent mobile device access for all users, or a subset of users, using conditional access, follow these steps.
Create conditional access policies, with each policy either targeting all users or a subset of users via a security group. Details are in Azure Active Directory app-based conditional access.
The first policy blocks Outlook for iOS and Android and other OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See 'Step 1 - Configure an Azure AD conditional access policy for Exchange Online,' but for the fifth step, choose Block access.
The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to Exchange Online. See 'Step 2 - Configure an Azure AD conditional access policy for Exchange Online with ActiveSync (EAS).'
Option B: Block mobile device access on a specific mobile device platform
If you want to prevent a specific mobile device platform from connecting to Exchange Online, while allowing Outlook for iOS and Android to connect using that platform, create the following conditional access policies, with each policy targeting all users. Details are in Azure Active Directory app-based conditional access.
How To Sync Outlook With Outlook App
The first policy allows Outlook for iOS and Android on the specific mobile device platform and blocks other OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See 'Step 1 - Configure an Azure AD conditional access policy for Exchange Online,' but for step 4a, select only the desired mobile device platform (such as iOS) to which you want to allow access.
The second policy blocks the app on the specific mobile device platform and other OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See 'Step 1 - Configure an Azure AD conditional access policy for Exchange Online,' but for step 4a, select only the desired mobile device platform (such as Android) to which you want to block access, and for step 5, choose Block access.
The third policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to Exchange Online. See 'Step 2 - Configure an Azure AD conditional access policy for Exchange Online with ActiveSync (EAS).'
Option 2: Block Outlook for iOS and Android using Exchange mobile device access rules
If you are managing your mobile device access via Exchange Online's device access rules, you have two options:
Option A: Block Outlook for iOS and Android on both the iOS and Android platforms
Option B: Block Outlook for iOS and Android on a specific mobile device platform
Every Exchange organization has different policies regarding security and device management. If an organization decides that Outlook for iOS and Android doesn't meet their needs or is not the best solution for them, administrators have the ability to block the app. Once the app is blocked, mobile Exchange users in your organization can continue accessing their mailboxes by using the built-in mail applications on iOS and Android.
The New-ActiveSyncDeviceAccessRule
cmdlet has a Characteristic
parameter, and there are three Characteristic
options that administrators can use to block the Outlook for iOS and Android app. The options are UserAgent, DeviceModel, and DeviceType. In the two blocking options described in the following sections, you will use one or more of these characteristic values to restrict the access that Outlook for iOS and Android has to the mailboxes in your organization.
The values for each characteristic are displayed in the following table:
Characteristic | String for iOS | String for Android |
---|---|---|
DeviceModel | Outlook for iOS and Android | Outlook for iOS and Android |
DeviceType | Outlook | Outlook |
UserAgent | Outlook-iOS/2.0 | Outlook-Android/2.0 |
Option A: Block Outlook for iOS and Android on both the iOS and Android platforms
With the New-ActiveSyncDeviceAccessRule
cmdlet, you can define a device access rule, using either the DeviceModel
or DeviceType
characteristic. In both cases, the access rule blocks Outlook for iOS and Android across all platforms, and will prevent any device, on both the iOS platform and Android platform, from accessing an Exchange mailbox via the app.
The following are two examples of a device access rule. The first example uses the DeviceModel
characteristic; the second example uses the DeviceType
characteristic.
Option B: Block Outlook for iOS and Android on a specific mobile device platform
With the UserAgent
characteristic, you can define a device access rule that blocks Outlook for iOS and Android across a specific platform. This rule will prevent a device from using Outlook for iOS and Android to connect on the platform you specify. The following examples show how to use the device-specific value for the UserAgent
characteristic.
To block Android and allow iOS:
To block iOS and allow Android:
Exchange Online controls
Beyond Microsoft Intune, MDM for Office 365, and Exchange mobile device policies, you can manage the access that mobile devices have to information in your organization through various Exchange Online controls, as well as, whether to allow users access to add-ins within Outlook for iOS and Android.
Exchange Web Services (EWS) application policies
An EWS application policy can control whether or not applications are allowed to leverage the REST API. Note that when you configure an EWS application policy that only allows specific applications access to your messaging environment, you must add the user-agent string for Outlook for iOS and Android to the EWS allow list.
The following example shows how to add the user-agent strings to the EWS allow list:
Exchange User controls
With the native Microsoft sync technology, administrators can control usage of Outlook for iOS and Android at the mailbox level. By default, users are allowed to access mailbox data using Outlook for iOS and Android. The following example shows how to disable a user's mailbox access with Outlook for iOS and Android:
Managing add-ins
Outlook for iOS and Android lets users integrate popular apps and services with the email client. Add-ins for Outlook are available on the web, Windows, Mac, and mobile. Since add-ins are managed via Microsoft 365 or Office 365, users are able to share data and messages between Outlook for iOS and Android and the unmanaged add-in (even when the account is managed by an Intune App Protection policy), unless add-ins are turned off for the user within the Microsoft 365 admin center.
If you want to stop your end users from accessing and installing Outlook add-ins (which affects all Outlook clients), execute the following changes to roles in the Microsoft 365 admin center:
- To prevent users from installing Office Store add-ins, remove the My Marketplace role from them.
- To prevent users from side loading add-ins, remove the My Custom Apps role from them.
- To prevent users from installing all add-ins, remove both, My Custom Apps and My Marketplace roles from them.
For more information, please see Add-ins for Outlook and how to Manage deployment of add-ins in the Microsoft 365 admin center.
Since Google Calendar is such a popular online calendar, you might think that Microsoft Outlook for Windows would make syncing easy.
Unfortunately, there is no straightforward way to sync Google Calendar with Outlook. There are, however, some workarounds and third-party solutions.
Subscribe To a Google Calendar In Outlook
This method provides a read-only version of Google Calendar on your Outlook calendar.
You won’t be able to create, delete, or change events from Google Calendar in Outlook. Although not an ideal situation, you will still be able to view all your events and meetings in one place.
- Start by opening Google Calendar and hover over the calendar you want to add to Outlook.
- Click on the three dots next to the name of the calendar and select the option “Settings and sharing.”
- Look for Integrate calendar under settings and sharing. You will have to scroll down the page to find it.
- Look for Secret address in iCal format in the Integrate calendar section and copy the URL.
- Open Outlook and navigate to the calendar section. Click the dropdown arrow next to Add from the top navigation and select From Internet.
- Paste the Secret address in iCal format URL that you copied above in the space provided (see screenshot below) and click OK.
- If you have multiple Google Calendars, repeat the above process. You will now be able to see all your events and meetings on your Outlook Calendar.
But remember, it is for viewing only. You won’t be able to edit Google events in Outlook.
Use G-Suite To Sync Google Calendar With Outlook
If you are paying for and using G-Suite, there is another way to sync your calendars. The G-Suite Sync for Microsoft Outlook is designed to make Outlook Google Calendar sync easy. Even better, it will also sync your contacts and emails too.
- Close Outlook and download the G-Suite Sync tool. After you download the tool, enter the email address of the Google Account you want to sync and click Continue.
- When prompted, give your permission to access your data.
- Customize the settings the tool offers. Be sure to enable Import data from an existing profile, so the information you have in your Outlook account is imported to Google Calendars.
- Click Create Profile to sync your calendars. You will now be able to add a new event in Outlook, and it will be added to your Google Calendar and vice versa.
Use Companion Link Tool
Start by going to companionlink.com, click on Downloads, and select 14-day free trial from the top of the home page. You don’t have to provide any payment information for the trial.
- Scroll down to CompanionLink for Google and click on Download Trial.
- Enter your information on the form and click the green button to download the software.
- Run the installer, follow the on-screen instructions, and click Install.
The installer places a desktop icon on your computer.
- Double-click on the icon to open the application and then click on Settings.
- Grant Google the permission to let CompanionLink read its data by clicking Allow and then OK. The pop-up will ask you if you want to synchronize. Click Yes.
- When the sync process completes, check your Google calendar. You will see that your data has been synchronized.
CompanionLink will run in the background and continue to monitor Outlook and Google for changes. For example, if you edit an appointment in Outlook and move it to another day, the same change will show up on your Google calendar.
How to Sync Google Calendar With Outlook on Your Android Device
Microsoft Outlook for Android lets users connect all their email accounts and calendars from one mailbox.
It works with Office 365, Gmail, Yahoo Mail, and Microsoft Exchange. Go to the Google Play Store, download and install the free Microsoft Outlook app.
After you install the app on your device, a pop-up message asks if you want to link to another account. Choose Gmail, and your calendars will sync.
Sync Outlook.com to Google Calendar on iPhone & iPad
The iPad and iPhone calendar app can display a combined Outlook and Google Calendar. From your device, go to Settings > Mail > Contacts > Calendars and then tap on Add Account.
Add your Outlook.com account and Google calendar and then accept the offer to sync.
SyncGene
SyncGene is a third-party service to sync contacts, tasks, and calendars across iPhone, Outlook, Android, and Gmail.
There are three versions available. The free version offers:
- Syncing for up to two data sources
- One manual sync every 30 days
- Sharing of one calendar
However, the free version doesn’t offer auto-sync. The next level is very reasonably priced at $9.95 per month and includes:
- Syncing for up to five data sources
- Unlimited manual syncs
- Auto-sync enabled
- Sharing an unlimited number of calendars
- Creating public sharing links
Sync Outlook With Outlook App
OggSync
OggSync supports the latest technology from Microsoft and Google. It costs $29.95 per year.
In addition to syncing Outlook with Google Calendar, it will fix sync problems when Google makes changes.
Sync2
Sync 2 will not only sync Google Calendar with Outlook, but it will also sync on a schedule or when it detects a change.
Sync Outlook For Mac 15.30 With Outlook Android Apps
Outlook4GMail
Outlook4Gmail is another tool to sync your Google Calendars and contacts with Outlook. The free version allows contact syncing and supports basic filter settings.
However, it doesn’t provide additional support from the development team.
For a seamless syncing process, free updates, and support, you can purchase one commercial license for $28.98.
Think about why you want to sync your Google Calendar with Outlook to determine which option is best suited for your needs.