Hi Brent - If you apply MFA via Azure Conditional Access Policy , it will apply multifactor authentication on modern app supported clients. Native mail clients might bypass MFA. But if you enforce MFA (via AzureAD MFA setting) it will enforce Multi factor authentication for all requests, so native apps e.g iOS client will require apppassword to access services. Supported apps such as Outlook app on Andriod/iOS follow modern auth flow and caches the MFA token (for 14 days) and remain signed in until token is invalidated (e.g. User changes the password or goes offline for longer). you can also configure the token lifetime (MaxAgeMultiFactor) if required - Pls refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetime.... Hope this helps.
I think it is either Conditional Policy or enforce MFA. If your criteria is location based rule and is to bypass MFA for trusted IPs and internal IPs(ADFS Claim), you can still specify those IPs in the service settings section in Azure AD MFA console. This will apply MFA policy to all apps.
If you noticed, there is a setting in the "Access Controls" section in Conditional Access Policy (v2), there is an option to specify "Require Approved client app". This does not include "Browser" as a client at the moment. I would really like to see this feature extended to Approved clients and Approved browser, which will allow us configure Conditional Access Policies to all/targeted cloud apps using CAP v2 conditions/rules.
@Brent EllisQuestion about when you did your initial pilot group? Did your users need to remove and re-add their mail account from the iPhone native mail client for it to register? Or were the end users just prompted to enter/setup the 2fa code and mail flow resumed? What I have just noticed is when a test user is added to the conditional access group, instead of the device getting prompted to register, it receives an email telling the user to download the Outlook client. We are not forcing the end user to use the Outlook mobile client.