Office 365 MFA Enabled Users and the Apple Mail app for iOS Concern
- JQ_IT_Admin
Please somebody correct me if I'm wrong, but wouldn't allowing ActiveSync open up a security hole (since it's a basic authentication method)?
I have a couple of iOS users who are having the same issue since enabling MFA and disabling basic authentication methods. Some but not all. I have also been recommending the Outlook app & appreciate vortiz posting the link about syncing contacts through the app.
I may take this up with MS support to see if I can get any further. Will update the thread if I do!
- DarthMS, Sep 02, 2021, Copper Contributor
I can confirm what Thijs Lecomte said. We enabled MFA across the company on 9/1/2021. Many but not all iPhone users had this problem where the built-in mail app kept asking for the password. We found the solution was this:
1. Delete the exchange account from mail settings.
2. Add the mail account back again.
3. Choose "Microsoft Exchange" NOT Outlook.com (Important)
4. Enter email address. The default description of "Exchange" is fine.
5. When prompted for "Configure Manually" or "Sign In", choose "Sign In". This is the critical thing: the "Sign In" option supports MFA authentication, "Configure Manually" does not.
6. Enter your password and do the MFA approval.
7. After verification, you’re good to go.
Our conditional access policy still has this:
- trilerian, Oct 07, 2021, Copper Contributor
Anyone know if there is a fix for this yet using MDM? Currently I have to allow Exchange Active Sync in order for the native email apps to work on user phones since Company Portal pushes the mail profile to connect with basic auth. I was under the impression that basic is going away... Anyway, yes, using Outlook fixes the issue for mail, but the mail profile from the MDM will still ask for the password constantly and users don't like that.
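As an added example, not code from any poster in this thread: a small Python script that reports which accounts are still completing legacy-protocol (basic auth, e.g. Exchange ActiveSync) sign-ins, the exposure JQ_IT_Admin and trilerian are worried about, from exported Azure AD sign-in records. It assumes the Microsoft Graph signIn field names (userPrincipalName, clientAppUsed, status.errorCode, deviceDetail.operatingSystem) and runs on constructed sample records.

```python
"""Report accounts still completing legacy (basic-auth) sign-ins and accounts
whose legacy sign-ins are already being blocked, from Azure AD sign-in records.
Assumption: records use the Microsoft Graph signIn field names; the sample
records below are constructed, not real tenant data."""
import json
from collections import defaultdict

# clientAppUsed values that go through modern (OAuth) authentication and can
# therefore satisfy MFA; any other value is a legacy protocol limited to basic auth.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = json.dumps([  # constructed sample data
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Ios"}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Ios"}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 53003}, "deviceDetail": {"operatingSystem": "Ios"}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Windows 10"}},
])


def is_legacy(rec):
    """True when the sign-in used a protocol that cannot carry MFA."""
    return rec.get("clientAppUsed") not in MODERN_CLIENTS


def succeeded(rec):
    """errorCode 0 means the sign-in completed; anything else is a failure."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def legacy_auth_report(raw_json):
    """Return (succeeding, blocked): succeeding maps each UPN that completed a
    legacy sign-in to sorted (clientApp, os) pairs; blocked counts failed
    legacy attempts per UPN (e.g. those already stopped by Conditional Access)."""
    succeeding, blocked = defaultdict(set), defaultdict(int)
    for rec in json.loads(raw_json):
        if not is_legacy(rec):
            continue
        upn = rec["userPrincipalName"]
        if succeeded(rec):
            os_name = rec.get("deviceDetail", {}).get("operatingSystem", "unknown")
            succeeding[upn].add((rec["clientAppUsed"], os_name))
        else:
            blocked[upn] += 1
    return {u: sorted(v) for u, v in succeeding.items()}, dict(blocked)


if __name__ == "__main__":
    still_on_legacy, being_blocked = legacy_auth_report(SAMPLE_SIGNINS)
    for upn, pairs in still_on_legacy.items():
        print(f"STILL ON LEGACY AUTH: {upn}: {pairs}")
    for upn, n in being_blocked.items():
        print(f"legacy auth blocked for {upn}: {n} attempt(s)")
```

Accounts in the first group are the ones the MDM-pushed mail profile will break when basic auth is finally cut off, so they are the ones to migrate to the Outlook app or the "Sign In" flow first.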
- ecl86, Mar 14, 2022, Copper Contributor
I worked round the MDM issue on an iPad as follows:
1. Temporarily excluded the user account from enforced MDM using Classic Policies at https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/ClassicPolicies
2. Removed the management profile from the iPad - which removed the non-working Mail account
3. Added the email account to Apple's mail client manually, including MFA.
4. Used Company Portal to download a new profile and installed it. Because the email account was already there, the profile did not add a non-working one.
5. Restored the MDM configuration in Azure AD
6. Removed the email account, and then put it back.
Step 6 is needed because the Mail account was created before the profile was installed, so the login was from a context which is no longer valid on the server. It will fail after some hours and you must reinstall it to get a valid login. Do not leave it without any account for any substantial time. If you do, the downloaded profile will cause the system to create a non-removable mail account that cannot use modern authentication, and you are back to Step 1.
You can recognise an account that came from the downloaded profile: the option to remove it is missing from its properties.
I also tried downloading the profile from an account that has full Intune on the license instead of the O365 MDM, and in this case it did not try to create the Mail account at all. Hence, with that option you never hit a problem because you manually add the Mail account after downloading the profile.