Home

Does Azure MFA / Conditional Access work on native Android / iPhone clients?

%3CLINGO-SUB%20id%3D%22lingo-sub-152831%22%20slang%3D%22en-US%22%3EDoes%20Azure%20MFA%20%2F%20Conditional%20Access%20work%20on%20native%20Android%20%2F%20iPhone%20clients%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152831%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20starting%20to%20pilot%20MFA%20and%20Conditional%20Access.%26nbsp%3B%20Seems%20to%20work%20great%20on%20most%20actual%20apps%20(e.g.%20Outlook%2C%20Yammer%2C%20OneDrive%2C%20Groups%2C%20etc)%20and%20resources%20accessed%20via%20browser.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20we%20are%20noticing%20that%20no%20MFA%20protection%20actually%20gets%20applied%20for%20the%20native%20Android%2C%20iPhone%2C%20and%20Gmail%20apps.%26nbsp%3B%20Is%20that%20accurate%3F%20or%20is%20there%20maybe%20a%20setting%20we%20are%20missing%20somewhere%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-152831%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEMS%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-152996%22%20slang%3D%22en-US%22%3ERe%3A%20Does%20Azure%20MFA%20%2F%20Conditional%20Access%20work%20on%20native%20Android%20%2F%20iPhone%20clients%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152996%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20latest%20version%20of%20the%20iPhone%20mail%20client%20should%20support%20ADAL%2FMFA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-152863%22%20slang%3D%22en-US%22%3ERe%3A%20Does%20Azure%20MFA%20%2F%20Conditional%20Access%20work%20on%20native%20Android%20%2F%20iPhone%20clients%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152863%22%20slang%3D%22en-US%22%3E%3CP%3EI%20think%20it%20is%20either%20Conditional%20Policy%20or%20enforce%20MFA.%26nbsp%3BIf%20your%20criteria%20is%20location%20based%20rule%20and%20is%20to%20bypass%20MFA%20for%20trusted%20IPs%20and%20internal%20IPs(ADFS%20Claim)%2C%20you%20can%20still%20specify%20those%20IPs%20in%20the%20service%20settings%20section%20in%20Azure%20AD%20MFA%20console.%20This%20will%20apply%20MFA%20policy%20to%20all%20apps.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20noticed%2C%20there%20is%20a%20setting%20in%20the%20%22Access%20Controls%22%20section%20in%20Conditional%20Access%20Policy%20(v2)%2C%20there%20is%20an%20option%20to%20specify%20%22Require%20Approved%20client%20app%22.%20This%20does%20not%20include%20%22Browser%22%20as%20a%20client%20at%20the%20moment.%20I%20would%26nbsp%3Breally%20like%20to%20see%20this%20feature%20extended%20to%20Approved%20clients%20and%20Approved%20browser%2C%20which%20will%20allow%20us%20configure%20Conditional%20Access%20Policies%20to%20all%2Ftargeted%20cloud%20apps%20using%20CAP%20v2%20conditions%2Frules.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-152852%22%20slang%3D%22en-US%22%3ERe%3A%20Does%20Azure%20MFA%20%2F%20Conditional%20Access%20work%20on%20native%20Android%20%2F%20iPhone%20clients%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152852%22%20slang%3D%22en-US%22%3EThank%20you%20for%20the%20quick%20reply.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20if%20I%20enforce%20MFA%20(via%20AAD%20MFA%20setting)%2C%20can%20I%20then%20use%20Conditional%20Access%20to%20bypass%20it%20based%20on%20my%20criteria%3F%20%3CBR%20%2F%3E%3CBR%20%2F%3EOr%20do%20I%20pretty%20much%20have%20to%20make%20the%20choice%20to%20go%20all%20on%2C%20or%20use%20Conditional%20Access%20and%20accept%20what%20is%20not%20covered%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-152848%22%20slang%3D%22en-US%22%3ERe%3A%20Does%20Azure%20MFA%20%2F%20Conditional%20Access%20work%20on%20native%20Android%20%2F%20iPhone%20clients%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152848%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Brent%20-%20If%20you%20apply%20MFA%20via%20Azure%26nbsp%3BConditional%20Access%20Policy%20%2C%20it%20will%20apply%20multifactor%20authentication%20on%20modern%20app%26nbsp%3Bsupported%20clients.%20Native%20mail%20clients%20might%20bypass%20MFA.%20But%20if%20you%20enforce%20MFA%20(via%20AzureAD%20MFA%20setting)%20it%20will%20enforce%20Multi%20factor%20authentication%20for%20all%20requests%2C%20so%20native%20apps%20e.g%20iOS%20client%20will%20require%20apppassword%20to%20access%20services.%20Supported%20apps%20such%20as%20Outlook%20app%20on%20Andriod%2FiOS%20follow%20modern%20auth%20flow%20and%20caches%20the%20MFA%20token%20(for%2014%20days)%20and%20%3CSPAN%3Eremain%20signed%20in%3C%2FSPAN%3E%20until%20token%20is%20invalidated%20(e.g.%20User%20changes%20the%20password%20or%20goes%20offline%20for%20longer).%26nbsp%3B%20you%20can%20also%20configure%20the%20token%20lifetime%20(%3CSPAN%3EMaxAgeMultiFactor%3C%2FSPAN%3E)%20if%20required%20-%20Pls%20refer%20to%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-configurable-token-lifetimes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-configurable-token-lifetimes%3C%2FA%3E.%20Hope%20this%20helps.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Brent Ellis
Valued Contributor

We are starting to pilot MFA and Conditional Access.  Seems to work great on most actual apps (e.g. Outlook, Yammer, OneDrive, Groups, etc) and resources accessed via browser.

 

But we are noticing that no MFA protection actually gets applied for the native Android, iPhone, and Gmail apps.  Is that accurate? or is there maybe a setting we are missing somewhere?

4 Replies

Hi Brent - If you apply MFA via Azure Conditional Access Policy , it will apply multifactor authentication on modern app supported clients. Native mail clients might bypass MFA. But if you enforce MFA (via AzureAD MFA setting) it will enforce Multi factor authentication for all requests, so native apps e.g iOS client will require apppassword to access services. Supported apps such as Outlook app on Andriod/iOS follow modern auth flow and caches the MFA token (for 14 days) and remain signed in until token is invalidated (e.g. User changes the password or goes offline for longer).  you can also configure the token lifetime (MaxAgeMultiFactor) if required - Pls refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetime.... Hope this helps.

 

Thank you for the quick reply.

So if I enforce MFA (via AAD MFA setting), can I then use Conditional Access to bypass it based on my criteria?

Or do I pretty much have to make the choice to go all on, or use Conditional Access and accept what is not covered?

I think it is either Conditional Policy or enforce MFA. If your criteria is location based rule and is to bypass MFA for trusted IPs and internal IPs(ADFS Claim), you can still specify those IPs in the service settings section in Azure AD MFA console. This will apply MFA policy to all apps.

 

If you noticed, there is a setting in the "Access Controls" section in Conditional Access Policy (v2), there is an option to specify "Require Approved client app". This does not include "Browser" as a client at the moment. I would really like to see this feature extended to Approved clients and Approved browser, which will allow us configure Conditional Access Policies to all/targeted cloud apps using CAP v2 conditions/rules. 

 

The latest version of the iPhone mail client should support ADAL/MFA.

Related Conversations
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies