SOLVED

MFA and legacy auth

Super Contributor

MFA and disabling legacy auth.

What actually 'happens' on an end-user's device (iPhone)?

1) Where the user syncs mail with Exchange ActiveSync and uses the native mail client (I'm guessing if Outlook mobile is used there's no problem?).

2) And what happens when MFA is enabled: are the end-users then required to switch to an App password?

8 Replies

@Taen keren Hi, I usually don't work with these questions but yes, you're right, as Outlook for iOS uses modern authentication. When modern authentication is enabled, app passwords aren't required.


ADAL-based authentication is what Outlook for iOS and Android uses to access Exchange Online mailboxes
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-... 


You can enroll the devices with one-time MFA prompt, if that's what you are looking for.


'Require multi-factor authentication for Intune device enrollments'
https://docs.microsoft.com/en-us/mem/intune/enrollment/multi-factor-authentication 


best response confirmed by Taen keren (Super Contributor)
Solution

Both the native Mail app and Outlook support modern auth/MFA, so you should be fine.

@Vasil Michev - thx, why do I see a lot of entries in the CA insight that phones are using legacy auth?

Probably because of EAS.

So I'll just disable the EAS? Then all is good? The Mail app and Outlook mobile app then find modern auth?

Apparently OAuth has been supported in native iOS for quite some time. Did not cross my mind. If using the native app, reconfiguring would be required, and not in Outlook for iOS.

See this topic that explains it well: https://community.spiceworks.com/topic/2282776-ios-native-mail-app-modern-authentication?page=1#entr...

@ChristianBergstrom - thx, if I look at the link there's this below, but I never heard that a Get- cmdlet actually sets a setting?!


Get-OrganizationConfig | Format-Table Name,OAuth* -Auto


@Taen keren Hi, hmm, a bit odd, yes. That is what you use to verify whether it's enabled or disabled (didn't read the entire post, to be honest).


I think we can lean back on @Vasil Michev's reply. That is, if you turn EAS off (basic authentication) you should be fine, as they will use modern authentication (OAuth/ADAL). But as always, do some testing on a few first.
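As an added example that is not part of the thread: the Get-OrganizationConfig line quoted above only reads the tenant's OAuth flags; the actual change the replies describe (turning off basic authentication for EAS, piloted on a few users first) is done with an Exchange Online authentication policy. The policy name and pilot UPNs below are placeholders; it assumes the ExchangeOnlineManagement module and an Exchange admin role.

```powershell
# Added example, not from the thread. Placeholder names: "Pilot-BlockBasicAuth" and the pilot UPNs.
Connect-ExchangeOnline

# 1) Verify modern auth (OAuth) is enabled for the tenant. This is the read-only check from the
#    thread; it sets nothing. If the flag is off, native iOS Mail and Outlook cannot use OAuth.
$org = Get-OrganizationConfig
$org | Format-Table Name, OAuth* -AutoSize
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true   # propagation can take a while
}

# 2) Create an authentication policy. A new policy blocks basic auth for every protocol,
#    including ActiveSync (EAS), unless an -AllowBasicAuth* switch is passed for that protocol.
#    Blocking basic EAS is what stops the "legacy auth" sign-ins seen in the CA insight.
$policyName = "Pilot-BlockBasicAuth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName
}

# 3) Pilot: assign the policy to a few users only; the tenant default stays untouched.
#    Devices on basic EAS must be reconfigured (native Mail re-added with OAuth) before this lands.
$pilotUsers = @("pilot1@contoso.example", "pilot2@contoso.example")   # placeholders
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    # Refresh the user's token validity so the policy applies promptly instead of within ~24h.
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# 4) Confirm which users carry the pilot policy before widening the rollout.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -like "*$policyName*" } |
    Select-Object UserPrincipalName, AuthenticationPolicy

# 5) Once the pilot shows no basic-auth sign-ins in the Conditional Access / sign-in logs,
#    make the policy the tenant default (left commented out deliberately).
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Keep watching the sign-in logs for legacy-auth entries from the pilot users for a few days before setting the tenant default; a device that still shows up there is one that was not reconfigured.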