Forum Discussion

Alex Melching (Iron Contributor)
Aug 02, 2018

Office 365 MFA Enabled Users and the Apple Mail app for iOS Concern

Office 365 MFA and the Apple Mail app for iOS concern? We ourselves and several customers using Office 365 have noticed a recent issue with the Apple Mail app for iOS when Office 365 MFA is enabled. When users are out of a known or trusted location and are required to MFA to sign in or access Office 365 resources, the Apple Mail app for iOS asks for the user's password. This should NOT happen if MFA is enabled and an App Password has been created to be used for the Mail app. The Mail app then prompts the user to enter their Office 365 password, which confuses the end user because they try to re-enter the generated App Password, which then fails to sign in because it actually requires the user's standard password. Have there been recent changes to that platform and the Apple Mail app for iOS? I'm thinking that Apple finally updated the Mail app to support modern authentication; if so, why hasn't the documentation for it been updated? I can see that Apple introduced the capability in 11.0, but we could not get it to work out of the gate and found it to be NOT 100% reliable. So if they finally got this to work in the latest release of iOS, what is the recommendation? Have all the current users update their passwords in the app from the App Password to their standard password, or can we continue to use the App Password? We have noticed an increase in support requests from customers about this issue in the past 2 weeks or less.

34 Replies

  • Does anyone have any new advice for using Office 365 MDM to deploy iOS management profiles, now that Basic Authentication is turned off? It is still deploying EAS mail for me, how can I get it to deploy mail using Modern Auth?
  • JQ_IT_Admin (Copper Contributor)

    I also have a client where I enabled Microsoft MFA. In reading through this thread and several others, Apple's included, I have found that the easiest fix was to allow Exchange ActiveSync clients in the Client apps section within the Conditional Access policy. Once I enabled Exchange ActiveSync clients, my users that used the default Apple Mail app were once again able to access their email.

    Hopefully, this will work for others and save them a little bit of time.

    • Daniel Carp (Brass Contributor)

      JQ_IT_Admin Please, somebody correct me if I'm wrong, but wouldn't allowing ActiveSync open up a security hole (since it's a basic authentication method)?

      I have a couple of iOS users who are having the same issue since enabling MFA and disabling basic authentication methods. Some but not all. I have also been recommending the Outlook app and appreciate vortiz posting the link about syncing contacts through the app.

      I may take this up with MS support to see if I can get any further. Will update the thread if I do!

      • Thijs Lecomte (Bronze Contributor)
        The Apple Mail app supports Modern Auth since iOS 11. But when configuring the account, be sure to use 'Sign-in' and not 'Set up manually'. 'Set up manually' will cause basic auth.
  • Steve_Bailey (Copper Contributor)

    Alex Melching

    I just enabled MFA and I have the same recurring iOS password request. I loaded the Outlook app, but I later found the workaround for this issue. Like most people, I didn't write down the App Password. Here's how you generate another one. When you enter it in the password field instead of your mail password, the popup goes away and the mail loads. I saved it this time so that I'll have it in the future.

    https://www.hendrix.edu/HelpDesk/Computers_and_Devices/Mobile_Devices/Set-Up_Email_Access_with_MFA_(Apple_Mail)/

    • Alex Melching (Iron Contributor)

      I'm revisiting my own post as I see this is still a problem. Onboarded a new customer and users prefer the native Mail app. Still continuous prompts with MFA enforced or if Security Defaults is enabled. The app password is not 100% reliable.

      So has anyone figured out a decent workaround? Still seems like broken promises from Apple that they have resolved these issues with Microsoft 365...

      • JPSAndyJ (Copper Contributor)
        You have to go into Office 365 and turn on Modern Authentication. Microsoft says in their literature it's enabled by default, but it's not.

        Turn on Modern authentication for your organization

        For most subscriptions modern authentication is automatically turned on, but if you purchased your subscription a long time ago, it might not be. This has to be turned on before MFA works appropriately with Office apps.

        In the Microsoft 365 admin center, in the left nav choose Settings > Org settings.
        Under Services tab, choose Modern authentication, and in the Modern authentication pane, make sure Enable Modern authentication is selected. Choose Save changes.
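The admin-center toggle quoted above has an Exchange Online PowerShell equivalent, and the same session can answer the question raised earlier in the thread about whether allowing "Exchange ActiveSync clients" in Conditional Access reopens basic authentication (the Conditional Access client-app selector matches the EAS protocol regardless of how the client authenticates; whether basic auth is accepted on that protocol is governed by the tenant's authentication policy). The following is an added example, not code from the thread or from Microsoft's documentation. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules are installed, the caller holds the Exchange Administrator and Global Reader roles, and the tenant and user names are hypothetical placeholders.

```powershell
# Added example (not from the thread). Assumptions: ExchangeOnlineManagement and
# Microsoft.Graph.Reports modules installed; admin@contoso.onmicrosoft.com and
# user@contoso.com are placeholders for a real admin account and a user who
# reports the native Mail app password prompt.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

# 1. Tenant-level switch that the admin-center steps above toggle.
#    $false means Outlook/Mail clients are offered basic auth only, so MFA
#    cannot be satisfied by those clients and app passwords become mandatory.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Warning 'Modern authentication (OAuth 2.0) is OFF for this tenant; enabling it.'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy

# 2. Which legacy protocols are still enabled on the affected mailbox.
#    A device set up with 'Set up manually' talks EAS; one set up with 'Sign in'
#    still talks EAS but authenticates with an OAuth token instead of a password.
Get-CASMailbox -Identity 'user@contoso.com' |
    Format-List ActiveSyncEnabled, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled

# 3. Authentication policies decide whether basic auth is *accepted* per protocol.
#    Allowing 'Exchange ActiveSync clients' in Conditional Access does not flip
#    these; if AllowBasicAuthActiveSync is $false, a basic-auth EAS client is
#    still rejected at the Exchange front door.
Get-AuthenticationPolicy |
    Format-List Name, AllowBasicAuthActiveSync, AllowBasicAuthImap, AllowBasicAuthPop,
                AllowBasicAuthSmtp, AllowBasicAuthOutlookService, AllowBasicAuthAutodiscover

# 4. Before (or after) blocking basic auth, see who is actually still using it.
#    Sign-in events whose clientAppUsed is anything other than 'Browser' or
#    'Mobile Apps and Desktop clients' are legacy-auth sign-ins; 'Exchange
#    ActiveSync' is the value the native iOS Mail app produces when it falls
#    back to basic auth. Scope names below are the standard Graph permissions.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$modern = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Step 4 is the check a practitioner wants before tightening Conditional Access: the grouped output names the users and client types that will break, which is the population that needs the 'Sign in' (OAuth) account setup or the Outlook app rather than a regenerated app password.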
  • JPSAndyJ (Copper Contributor)

    I know some other users have mentioned this being an issue with Modern Authentication being turned on, but we recently enabled Modern Authentication globally in the Exchange Admin center, and literally all of our problems have vanished.

    Users are able to authenticate with their "normal" AD password on newer smart phones, and are able to use their App Password on older smart phones.  It's like a happy little ecosystem where everything "just works" lol

    • Jim_Hill (Copper Contributor)

      JPSAndyJ I'm the IT manager for our company. We have a BYOD device policy for most of the iPhone users and only certain employees on Intune. We have had numerous issues which are still ongoing. Due to repeated break-in attempts I had to enact a stricter authentication policy which blocked basic authentication. Users began reporting issues, and even before that one user who had limited admin rights had issues with his device and MFA. I have a workaround for the recent issues where the iPhone asks for a password using basic auth. Open another iPhone application which forces the use of modern authentication, either Teams or Outlook for iOS. This will then authenticate and the password prompt from the native mail app will go away. For the MFA user I had to remove their profile and add it back. Then use this same method to force modern authentication. Try that.

      • JPSAndyJ (Copper Contributor)

        Jim_Hill that's a very good point and I'm glad you brought it up.

        Modern Auth with O365 works around the premise of "authentication tokens" and I believe once a user's phone has said token, they can authenticate with virtually any aspect of the O365 platform.

        So yes, authenticating with any app that requires Modern Authentication should authenticate with every O365 service on that device.

  • JPSAndyJ (Copper Contributor)

    Also, as other users have pointed out, iOS 12 works perfectly well without any of the hoops if you have MDM installed.

    We're in a BYOD environment, so we've chosen not to use MDM since we don't own the devices.

  • JPSAndyJ (Copper Contributor)

    Our organization just rolled out MFA to all associates, and we've found the iPhone process to be arduously difficult, but we have learned a few things:

    Initially, iOS will ask you to re-enter your password and do a 2 factor authentication. Usually we find (at first) the user must put in their AD password as normal and (in our case) authenticate with the Microsoft Authentication App.

    Now, their account will typically stay authenticated for anywhere from 1 to 24 hours from that moment.

    At some point, it starts asking for their password again but won't take their "normal" AD password. Put in an Application Password. iOS will still show that it's not authenticated even if it "accepts" the Application Password, and we've found a reboot "finalizes" the process.

    After the reboot, the iPhone is happy and the user can carry on with their stuff.

    I'm not 100% sure why this works, but it seems to be what does work, so I figured I'd re-post.

  • Dan Stranathan (Copper Contributor)

    I suggest testing iOS 12 (beta 6 is out now). I presume Apple has done more engineering on MFA (OAuth), plus OAuth can now be configured via an MDM profile in iOS 12 (for those who need to manage and mass-deploy Exchange/ActiveSync settings to hundreds, or thousands, of iOS devices). Currently Mail.app's OAuth/MFA settings must be configured manually in iOS 11.

    iOS 12 will likely be released in September 2018.

    • Jason Simotas (Copper Contributor)

      "MFA (OAuth), plus OAuth can now be configured via a MDM profile in iOS 12"

      How?

      We've got O365 MFA working fine. We are turning on basic MDM for a group of users.

      Problem is that the ActiveSync account created by the policy on iOS devices requires an App Password for the native mail app.

      • snorma01 (Copper Contributor)

        Jason Simotas I believe I am having exactly the same problem. It sounds like full Intune administrators can enable OAuth in their profile, but I can't find a way to do this with Office 365 MDM. Have you found any way to deploy a mail profile using Office 365 MDM that works with MFA/Modern Auth?

  • Anonymous
    I would suggest not using app passwords anymore, since you can use MFA on iOS 11. It's more secure, and that's going to be the supported or worked-on method going forward. Like you, I used to use app passwords, but I have switched over and it's been working well in my experience.
    • Alex Melching (Iron Contributor)

      Thanks, Chris, for the response. Our experience has not been 100% with it as we change users over to using their standard O365 passwords. I myself am experiencing this issue and just sent in a bunch of screenshots and logs to Microsoft and Apple to at least inform them...
