
Does Azure MFA / Conditional Access work on native Android / iPhone clients?

Brent Ellis
Valued Contributor

We are starting to pilot MFA and Conditional Access. Seems to work great on most actual apps (e.g. Outlook, Yammer, OneDrive, Groups, etc.) and resources accessed via browser.

But we are noticing that no MFA protection actually gets applied for the native Android, iPhone, and Gmail apps. Is that accurate? Or is there maybe a setting we are missing somewhere?

5 Replies

Hi Brent - If you apply MFA via Azure Conditional Access Policy, it will apply multifactor authentication on modern app supported clients. Native mail clients might bypass MFA. But if you enforce MFA (via AzureAD MFA setting) it will enforce multi-factor authentication for all requests, so native apps, e.g. the iOS client, will require an app password to access services. Supported apps such as the Outlook app on Android/iOS follow the modern auth flow, cache the MFA token (for 14 days) and remain signed in until the token is invalidated (e.g. user changes the password or goes offline for longer). You can also configure the token lifetime (MaxAgeMultiFactor) if required - please refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes. Hope this helps.

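One way to see which clients in a pilot are completing sign-in without MFA, as described in the reply above (an added example, not part of the original thread). It assumes sign-in records exported with the Microsoft Graph `signIn` field names; the records are constructed sample data and the function names are hypothetical.

```python
from collections import Counter

# Values the sign-in log reports for modern-auth clients. Any other value
# (Exchange ActiveSync, IMAP4, POP3, ...) is a client that cannot show an
# interactive MFA prompt.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0},
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0},
     "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "status": {"errorCode": 0},
     "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "status": {"errorCode": 50126},
     "clientAppUsed": "POP3",  # failed sign-in (non-zero error code)
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "carol@contoso.example", "status": {"errorCode": 0},
     "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication"},
]

def is_native_client(record):
    """True when the record names a client outside the modern-auth set."""
    client = record.get("clientAppUsed")
    return bool(client) and client not in MODERN_CLIENTS

def mfa_gaps(signins):
    """Successful single-factor sign-ins made by non-modern-auth clients."""
    return [
        r for r in signins
        if is_native_client(r)
        and r.get("authenticationRequirement") == "singleFactorAuthentication"
        and r.get("status", {}).get("errorCode", 0) == 0
    ]

def summarize(signins):
    """Count gaps per (user, client) so the pilot group can be followed up."""
    return Counter((r["userPrincipalName"], r["clientAppUsed"])
                   for r in mfa_gaps(signins))

if __name__ == "__main__":
    for (user, client), n in summarize(SAMPLE_SIGNINS).items():
        print(f"{user}: {n} single-factor sign-in(s) via {client}")
```
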
Thank you for the quick reply.

So if I enforce MFA (via AAD MFA setting), can I then use Conditional Access to bypass it based on my criteria?

Or do I pretty much have to make the choice to go all on, or use Conditional Access and accept what is not covered?

I think it is either Conditional Policy or enforce MFA. If your criteria is a location-based rule and is to bypass MFA for trusted IPs and internal IPs (ADFS Claim), you can still specify those IPs in the service settings section in the Azure AD MFA console. This will apply MFA policy to all apps.

If you noticed, there is a setting in the "Access Controls" section in Conditional Access Policy (v2), there is an option to specify "Require Approved client app". This does not include "Browser" as a client at the moment. I would really like to see this feature extended to Approved clients and Approved browser, which will allow us to configure Conditional Access Policies to all/targeted cloud apps using CAP v2 conditions/rules.


The latest version of the iPhone mail client should support ADAL/MFA.


@Brent Ellis Question about when you did your initial pilot group: did your users need to remove and re-add their mail account from the iPhone native mail client for it to register? Or were the end users just prompted to enter/set up the 2FA code and mail flow resumed? What I have just noticed is when a test user is added to the conditional access group, instead of the device getting prompted to register, it receives an email telling the user to download the Outlook client. We are not forcing the end user to use the Outlook mobile client.