Intune - iOS Mail Profile with Azure MFA


Having issues setting up a Device Configuration Profile with Intune. I created a profile to deploy a Mail Profile for iOS devices to connect to an Office 365 mailbox. The profile deploys properly, but when it deploys I am asked to enter my credentials and they do not work.


The iOS Mail Profile is never able to verify the exchange account. After entering the password it says "Unable to verify account information".


We do have MFA enabled and our domain is federated with ADFS.


Does the Intune iOS Mail Profile configuration work with Azure MFA? What could possibly be the issue?

18 Replies

The native iOS Mail app doesn't support MFA. You have to use app passwords for that app.

My advice, because you are also using Office 365, is to go for the Outlook for iOS app. An email account push is not needed for this app, and this app supports MFA.


The native iOS Mail app actually does support MFA, but not for deployment scenarios. That is not available in the current build of iOS. If I understand correctly, version 12 (in current beta) does support MFA (OAuth/Modern Authentication). I am not certain if it is in the current build, and if Intune will need to add additional code once iOS 12 is released. You will have to manually configure the native app or use Outlook for iOS with accounts that have MFA enabled.

I updated my phone to iOS 12 and attempted the Intune Company Portal deployment again, but it still does not seem to support MFA. Am I doing something wrong, or is an Intune Company Portal update required to support MFA? Has anyone gotten deployment of MFA accounts to work since iOS 12 was released?

We tried applying the Intune Company Portal deployment today as well, after updating all IT department phones to iOS 12. Can confirm it still does not work. We fell back to conditional access for MFA based on Intune policy compliance instead, which is easier on the phone users anyway.

We are Office 365 only, no Azure AD, so conditional access isn't an option for us. Until MDM deployment works properly with MFA, it is very difficult to use both together. Hopefully it is supported soon...

Very strange. We upgraded our IT phones to iOS 12, then downloaded the portal. Was able to authenticate, and the mail profile deployed to our devices. On deployment, I received a prompt that I needed to update my password settings. Clicked it, jumped to the mail setting where the action button was "update your password". Clicked it, and was taken directly to OAuth to authenticate and verify my identity with MFA. Mail successful. Accounts do not have conditional access, but MFA is enabled.

Our experience: users updated to iOS 12 and the latest version of the Company Portal available.


Intune profiles to add mail to the default app and the Company Portal were installed on all devices and in use for the past 6 months. I did not make the users delete the policy and re-enroll.


I go to the portal and enforce MFA on selected users.


Users proactively go to https://aka.ms/MFASetup and enroll Authenticator with push notification. Setup is successful.


Users open the Mail app on LTE or away from known good IPs and it fails to connect to the server. NO approval popup from Authenticator.


Users open the Outlook app for testing and are prompted for MFA immediately in Authenticator.

Robert, can you provide more information on how you set up conditional access for MFA based on Intune policy compliance? We also had to fall back; however, many of our Intune clients are getting hung up and need to be re-enrolled.

Thanks

Thank you I will review that.

Robert, when you say you fell back, what was the mechanism you used? PowerShell?


Thanks

When I say fell back, I mean we reconfigured the conditional access policy via the GUI to the previous config.

Got it, thanks.

I was able to get an Intune-deployed iOS mail profile to successfully support Office 365 multi-factor authentication through the built-in iOS Mail app. To do so, you must enable OAuth within the Intune mail profile. Previous commenters have mentioned iOS 12 as a requirement. The above was tested and successful on iOS 12.1.1 and 12.1.2.
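The step in the reply above (turn on OAuth in the Intune iOS mail profile), as an added example that is not part of this thread or of Microsoft's own tooling: a small Python script that builds the Graph API payload for an Intune iOS Exchange ActiveSync mail profile, lints the basic-auth shape that produces the "Unable to verify account information" failures described earlier, and emits the corrected body. It assumes the Microsoft Graph beta resource type `iosEasEmailProfileConfiguration` and its `useOAuth` property; the display name, account name and EAS host name are placeholders.

```python
"""Lint and fix an Intune iOS EAS mail profile for Modern Authentication.

Added example, not code from the thread. Assumes the Graph beta resource
type iosEasEmailProfileConfiguration with a boolean `useOAuth` property.
"""
import json
from copy import deepcopy

# Assumption: Graph beta OData type for an Intune iOS EAS mail profile.
GRAPH_TYPE = "#microsoft.graph.iosEasEmailProfileConfiguration"

# Constructed baseline: the basic-auth shape behind the failures in the thread.
# The device will prompt for a password, which an MFA-enabled account rejects.
BASIC_AUTH_PROFILE = {
    "@odata.type": GRAPH_TYPE,
    "displayName": "iOS Mail - Office 365 (example)",  # placeholder
    "accountName": "Office 365 Mail",                   # placeholder
    "hostName": "outlook.office365.com",                # assumed Exchange Online EAS host
    "usernameSource": "userPrincipalName",
    "emailAddressSource": "userPrincipalName",
    "authenticationMethod": "usernameAndPassword",
    "useOAuth": False,
}


def lint_mail_profile(profile):
    """Return findings that explain why MFA-enabled users cannot sign in.

    An empty list means the profile is consistent with Modern Auth; the
    iOS 12+ requirement from the thread is a device-side precondition that
    cannot be checked from the payload itself.
    """
    findings = []
    if profile.get("@odata.type") != GRAPH_TYPE:
        findings.append("payload is not an iOS EAS mail profile")
        return findings
    if not profile.get("hostName"):
        findings.append("hostName is missing: the client has no EAS endpoint")
    if not profile.get("useOAuth", False):
        findings.append(
            "useOAuth is false: native Mail prompts for a basic password, "
            "which MFA-enabled accounts reject"
        )
    return findings


def enable_modern_auth(profile):
    """Return a copy of the profile with OAuth turned on (input untouched)."""
    fixed = deepcopy(profile)
    fixed["useOAuth"] = True
    return fixed


def graph_request_body(profile):
    """JSON body for POST /deviceManagement/deviceConfigurations (beta)."""
    return json.dumps(profile, indent=2, sort_keys=True)


if __name__ == "__main__":
    print("before:", lint_mail_profile(BASIC_AUTH_PROFILE))
    fixed = enable_modern_auth(BASIC_AUTH_PROFILE)
    print("after: ", lint_mail_profile(fixed))
    print(graph_request_body(fixed))
```

Running the script prints one finding for the baseline profile and none for the corrected copy, followed by the JSON you would submit to the Graph endpoint; the same lint can be pointed at profiles exported from an existing tenant to find the ones that still carry `useOAuth: false`.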

Is there a way to enable OAuth for Office 365 MDM? My deployment is configured through Office 365 MDM, and I don't see an option to enable OAuth.

That is the Intune configuration, which I don't have access to. The Office 365 MDM configuration uses the same back-end infrastructure (and the Intune Company Portal app), but the configuration is done here:


https://protection.office.com/?rfr=AdminCenter#/devicev2


Has anyone had any success with Office 365 MDM? I still have no way to "enable OAuth within the Intune mail profile" for this product, so all MFA/Modern Auth users' email profiles deployed to iOS through Office 365 MDM won't connect.