Forum Discussion
Office 365 MFA Enabled Users and the Apple Mail app for iOS Concern
"MFA (OAuth), plus OAuth can now be configured via an MDM profile in iOS 12"
How?
We've got O365 MFA working fine. We are turning on basic MDM for a group of users.
Problem is that the ActiveSync account created by the policy on iOS devices requires an app password for the native mail app.
Jason Simotas I believe I am having exactly the same problem. It sounds like full Intune administrators can enable OAuth in their profile, but I can't find a way to do this with Office 365 MDM. Have you found any way to deploy a mail profile using Office 365 MDM that works with MFA/Modern Auth?
- vortiz, Jun 03, 2019, Copper Contributor
snorma01 I have run into this issue as well. Most all iPhone users have the MFA loop and I cannot seem to figure out how to stop it. Because some users refuse to use the Outlook app.
- snorma01, Jun 03, 2019, Copper Contributor
vortiz Yes my only current workaround for MFA users is to have them use the Outlook app. But I also have my users register their devices using Office 365 MDM (Intune Company Portal app). This automatically adds the account to the default iOS mail app, but it doesn't work for MFA users because it is not configured with OAuth/modern authentication, and this causes all kinds of problems for the users. I believe the full version of Intune MDM has an option to enable OAuth now, but it hasn't been addressed in Office 365 MDM for whatever reason. If this could be fixed it would be easy for users to set up their email in the default mail app when they register their devices. With MFA being recommended for all users these days, it's ridiculous that Office 365 MDM doesn't support it!
- SPOM1, Jul 12, 2019, Brass Contributor
So what is the current state for Office 365 users? We don't use MDM at this point and I'm just starting to dig into it, and have only a couple we need to set up MFA for at the moment (eventually we will migrate over everyone, but it’s going to be a very training-intensive organization). I can't force them to use Outlook, so I want to have Mail working. And how often is MFA re-authentication requested (can it be configured to daily)?