John Rule
Oct 10, 2018

Two factor authentication and Android mail client

Good evening all.

We are having a weird issue where, when we turn on two factor authentication from our Office365 tenant, via the Azure AD portal, the base Android email application will no longer connect to our tenant. Only once we turn off 2FA will the Android devices synchronize.

The Android devices are Samsungs. The oldest is a Samsung S7 with the latest patches and OS.

The logs are not showing any errors, so we are a bit stumped as to why this is occurring.

If anyone has any ideas on how to resolve, please let us know, before we push this out to our whole organization!

Many thanks,

JR

10 Replies

  • Ole_Johnny

    John Rule 

    The solution is to establish an APP-password in your profile/account and use this instead of your standard password.

    • garethsweeney

      Ole_Johnny

      I have put a lot more testing into this and there is unfortunately no fix for Android devices using native email that are managed by a corporate MDM platform - AirWatch & Intune in my case.

      As you say, the app password does work, but I am trying to avoid this as we don't want to manage them, and they do not change without a manual process, so not very secure.

      The ideal is that MDMs can force OAuth requests to Android, but this does not seem to be supported at the Android layer. Apple do have it, though, with iOS and it works.

      The only other options I have worked out are -

      1 - Register the device via ActiveSync for email, but it's not then managed

      2 - Use the Outlook client for Android - creates a massive change control issue as 99% use native email client.

      Thanks for your reply though 😉

      • John Rule

        garethsweeney

        As a follow up, we ended up just recommending that people download and use the Outlook client application. The app password idea mystified users in our organization and was really hard for them to use. We pitched the idea as creating a separate mail app, segregating your work life (Outlook app) and your home life (default mail app). We've had many people within the org thank us for this concept.

  • The built-in mail app on Android does NOT support MFA. Use the Outlook app instead. Or if you insist on using the mail app, you will have to create an app password (really not recommended).

    • John Rule

      That confirms my own suspicions, thank you! In terms of the default mail app on iPhones, should we expect to see the same scenario?
