Forum Discussion
Office 365 MFA Enabled Users and the Apple Mail app for iOS Concern
So what is the current state for Office 365 users? We don't use MDM at this point and I'm just starting to dig into it, and have only a couple we need to set up MFA for at the moment (eventually we will migrate over everyone, but it’s going to be a very training-intensive organization). I can't force them to use Outlook, so I want to have Mail working. And how often is MFA re-authentication requested (can it be configured to daily)?
- snorma01, Jul 26, 2019, Copper Contributor
Alex Melching I opened a support case with Office 365, and their eventual response on 6/12/19 was:
"After working on the issue and doing more research just came up with, this is a normal behavior. After cooperation between our engineers and Apple engineers the provided option (OAuth) was only for Intune enrolled devices and is not available for MDM enrolled devices yet."
They also pointed me to the UserVoice at https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/31740142-modern-authentication-for-native-mail#{toggle_previous_statuses}, but that was already in "Completed" status at that point (referring to Intune only and not Office 365 MDM) and no one is looking at it anymore.
I also tried submitting a request on the GitHub for Exchange Online Documentation (which I got pointed to by some document or another), but the moderators there only suggested opening a ticket with Office 365 support, which as I mentioned previously did not go anywhere.
It seems like everyone wants to just point a finger at someone else, and no one wants to take responsibility for fixing this major oversight. It is currently impossible to use Office 365 MDM for MFA users, and MFA support is absolutely a requirement for a working product in 2019.
- Alex Melching, Jul 26, 2019, Iron Contributor
Well, now that I started this thread I get to add to it again. For a while there things were working and I have no explanation why. Maybe Microsoft updated something or Apple did, but it appears to be back with our customers using the native iOS Mail app. Now that Microsoft is updating O365 tenants with modern authentication, iOS users have started to lose access to their mailboxes and get a continuous prompt for the password with a very weird process. I thought I would retest and have run into the same thing users are reporting. When modern authentication is enabled through the O365 tenant, the user has to continuously sign in, and while trying to sign in the dang pop-up of edit settings keeps appearing, which confuses users, and they click edit again and it starts over. You just have to clear that message and finish entering the password. When MFA is enabled in addition to MA, it is the same continuous process with the two-step added. It's pretty absurd. I am able to replicate this on a 7+ and an Xs Max, both with the latest iOS (12.4). I try to get them to switch to the MS Outlook app, but some are just sticklers...
I also noticed that if you enable a Conditional Access policy that blocks Exchange ActiveSync, it will also stop the native Mail app from working.
Microsoft, feel free to chime in here and tell us what the heck is going on!
- snorma01, Jul 12, 2019, Copper Contributor
ChrisWebbTech SPOM1 What still doesn't work is deploying iOS mail profiles using Office 365 MDM and the Intune Company Portal app, for MFA users. The Office 365 MDM profiles don't support OAuth/Modern Authentication. I opened a support case on this because I consider it to be a bug for a Microsoft product to not support MFA in 2019, but support told me it wasn't supported yet and we'll have to wait for them to prioritize this. Completely ridiculous that this hasn't been fixed yet, if you ask me.