Forum Discussion
Conditional Access - Require multi-factor authentication
- Nov 21, 2017
Thanks for going the extra mile Kent. I have found the same results, the CA policy doesn't work as it should. I was expecting the native clients to stop working when 'require approved client app' access control was selected, however this doesn't work. I believe this feature only works with Intune app protection.
To address this issue I have created a device rule to block all ActiveSync clients and allow Outlook; since we're on Outlook 2016 and this supports Modern Auth, this works well for us. Microsoft really need to make things clear on their CA policies, pros and cons.
I have tried many different configurations for the conditional access, and regardless of what I configure I can still use my Android email client, and Outlook does not prompt for MFA. When I had your rule configured, I was prompted when trying to use portal.office.com.
You can create a policy specifically for Exchange ActiveSync, but this does not support forcing MFA.
If you, however, enforce MFA on your users using the MFA portal and disable App password, then the users will not be able to use the default apps.
I will try and spend some more time on this today.
- Kamran Ahmed, Nov 22, 2017, Brass Contributor
Hi Kent - The proposed solution is undergoing testing, I'm confident that this will work for us since we don't use any other mail clients.
Once again thanks for your assistance on this.
Kamran
- Kent Gaardmand, Nov 22, 2017, Iron Contributor
Hi Kamran
So no changes on my end and I'm throwing in the towel. Glad the block rule works for you, and if you then enforce MFA via the MFA management you are close to achieving your desired goal.
Best of luck going forward.