Nov 16 2017 07:17 AM - last edited on May 24 2021 03:18 PM by TechCommunityAP
I have set up Conditional Access for MFA. I'm sure I read somewhere that native mobile apps on Android/iOS are not supported unless the App password option is enabled? We don't have the app password option enabled for legacy apps; however, I'm still able to configure native email apps on devices and access email. Is this a supported feature?
Nov 17 2017 01:57 AM - edited Nov 17 2017 02:13 AM
Anyone?
The Conditional Access is set up in Azure AD; I have enabled MFA and "require approved client app". I expected native mail apps on iOS/Android to stop working. I've read an article saying that with Intune this can be achieved using Intune App Protection, but we don't want to use Intune. Is this possible, or is Intune a requirement to work with Azure AD Conditional Access?
Nov 20 2017 01:05 AM
Nov 20 2017 02:47 AM
We exclude internal IPs.
CA Policy
  Users: All users
  Cloud apps: Office 365 Exchange Online
  Conditions:
    Device platforms: All platforms
    Client apps: Mobile apps and desktop clients
  Access controls:
    Require MFA
    Require approved client app
    Require all the selected controls (grant access only when both are satisfied)
Nov 20 2017 03:47 AM
Nov 20 2017 03:53 AM
Thanks Kent.
I can confirm the policy is enabled.
The end goal is to stop the native clients (iOS/Android) when CA policy is enabled.
Nov 20 2017 07:45 AM
Nov 20 2017 11:30 PM
Nov 21 2017 01:25 AM
Thanks for going the extra mile, Kent. I have found the same results: the CA policy doesn't work as it should. I was expecting the native clients to stop working when the 'Require approved client app' access control was selected; however, this doesn't work. I believe this feature only works with Intune app protection.
To address this issue I have created a device rule to block all ActiveSync clients and allow Outlook. Since we're on Outlook 2016 and this supports Modern Auth, this works well for us. Microsoft really needs to make things clear on their CA policies, pros and cons.
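The workaround described in the post above (block every Exchange ActiveSync client by default, allow only the Outlook app) can be implemented with Exchange Online PowerShell. The script below is an added example, not code from the thread or from Microsoft documentation. It assumes an Exchange Online PowerShell session is already open, that the Outlook for iOS/Android app reports the DeviceType string "Outlook" to ActiveSync (verify this against your own tenant's inventory in step 1 before relying on it), and uses a placeholder admin mailbox for quarantine notifications.

```powershell
# Added example (not from the thread): implement "block all ActiveSync clients except Outlook"
# using Exchange Online device access rules.
# Assumptions: an Exchange Online session is already connected (Connect-ExchangeOnline),
# the Outlook mobile app reports DeviceType "Outlook" (check step 1 output first),
# and "[email protected]" is a placeholder for your real admin mailbox.

# 1. Inventory: which ActiveSync device types are currently syncing, and how many of each?
#    Do this before changing the default, so you know what the block will cut off.
Get-MobileDevice -ResultSize Unlimited |
    Group-Object DeviceType |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 2. Change the tenant-wide default for ActiveSync devices.
#    "Block" matches the approach in the post; "Quarantine" is the gentler alternative
#    that holds unknown clients for admin review instead of failing them silently.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block `
    -AdminMailRecipients "[email protected]"

# 3. Allow the Outlook mobile app by the DeviceType it reports.
#    Device access rules match client-supplied header values, so treat this as hygiene,
#    not as a hard security boundary.
New-ActiveSyncDeviceAccessRule -Name "Allow Outlook mobile" `
    -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Allow

# 4. Verify the effective rule set and the org default.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients

# 5. After the change, list devices that ended up blocked or quarantined, with the reason,
#    so you can spot a legitimate client that needs its own allow rule.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -in @("Blocked", "Quarantined") } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason -AutoSize
```

Note that these rules only govern the Exchange ActiveSync protocol. Outlook 2016 on the desktop connects over MAPI/HTTP with Modern Authentication and is unaffected by them, which is why the approach in the post works for that client; any other client that does not use ActiveSync is likewise untouched by this block.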
Nov 22 2017 02:16 AM
Nov 22 2017 03:12 AM
Hi Kent, the proposed solution is undergoing testing. I'm confident that this will work for us since we don't use any other mail clients.
Once again thanks for your assistance on this.
Kamran