Forum Discussion
Conditional Access - Require multi-factor authentication
I have set up Conditional Access for MFA. I'm sure I read somewhere that native mobile apps on Android/iOS are not supported unless the App password option is enabled? We don't have the app password option enabled for legacy apps; however, I'm still able to configure native email apps on devices and access email. Is this a supported feature?
Thanks for going the extra mile Kent. I have found the same results: the CA policy doesn't work as it should. I was expecting the native clients to stop working when the 'require approved client app' access control was selected; however, this doesn't work. I believe this feature only works with Intune app protection.
To address this issue I have created a device rule to block all ActiveSync clients and allow Outlook. Since we're on Outlook 2016 and this supports Modern Auth, this works well for us. Microsoft really needs to make things clear on their CA policies, pros and cons.
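One way to implement the device-rule approach described in the post above in Exchange Online PowerShell. This is an added example, not the poster's own configuration; the cmdlets are standard Exchange Online cmdlets, but the Outlook device model string is assumed and should be verified against devices in your own tenant. Desktop Outlook 2016 is unaffected by these rules because it does not connect over ActiveSync.

```powershell
# Added illustration, not the poster's script. Assumes the ExchangeOnlineManagement
# module and an account holding the Organization Management role.
Connect-ExchangeOnline

# 1. Default posture: unknown ActiveSync devices are blocked (not quarantined or
#    allowed), so native mail clients syncing over EAS can no longer connect.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# 2. Allow-list the Outlook mobile app by the DeviceModel it reports.
#    Assumed value: "Outlook for iOS and Android". Confirm it with
#    Get-MobileDevice in your tenant before relying on this rule.
New-ActiveSyncDeviceAccessRule -QueryString "Outlook for iOS and Android" `
    -Characteristic DeviceModel -AccessLevel Allow

# 3. Verify the resulting rule set.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, QueryString, Characteristic, AccessLevel

# 4. Review which existing device partnerships are now blocked, so that users
#    on native mail apps can be moved to Outlook before they lose access.
Get-MobileDevice | Where-Object { $_.DeviceAccessState -eq 'Blocked' } |
    Format-Table UserDisplayName, DeviceModel, DeviceType, DeviceAccessState
```

Run the review step first with the default access level still set to Quarantine if you want to see the affected population before enforcing the block.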
10 Replies
- Kamran Ahmed (Brass Contributor)
Anyone?
The conditional access is set up in Azure AD. I have enabled MFA and require approved client app, and I expected native mail apps on iOS/Android to stop working. I've read an article that this can be achieved using Intune App Protection, but we don't want to use Intune. Is this possible, or is Intune a requirement to work with the Azure AD Conditional Access?
- Kent Gaardmand (Iron Contributor)
Do you exclude any subnets/IPs from your MFA?
Also, what rules have you configured for your Conditional Access? Are you targeting apps or device platforms?
- Kamran Ahmed (Brass Contributor)
We exclude internal IPs.
CA Policy
Users: All users
Cloud Apps: O365 Exchange online
Conditions:
device platforms: All platforms
Client apps: Mobile apps and desktop clients
Access Control:
Require MFA
Require Approved client app
Require all the selected controls (Grant Access to both)