Just wondered if you ever managed to get O365 MDM email profiles working for an MFA-enabled account using the Intune Company Portal app on iOS 12 (without using App passwords)? It seems to still not work.

When my user is on an MFA Trusted Network (so that MFA isn't required), authentication works just fine. As soon as the user is outside the Trusted Network where MFA is required, continuous password prompts are received and the iOS 12 Mail.app cannot authenticate.

@Steven Jenkinson I don't see this as working either. I see that they have added OAuth support for Intune that Office 365 MDM is built on, but it doesn't seem to be enabled for Office 365 MDM? Is anyone from Microsoft monitoring this?

@StephanBrisson  so far I have had mixed results on IOS12 devices.  On one of the first devices the native mail asked for a password.  I created an App password.  Would not accept it.  So I found an article online which suggested just deleting that account and adding it back, leaving whatever contacts and notes were already on the device. That took care of it.  On my iPhone I just entered the app password.  But then on my iPad that would not work, so I just removed the account and added it back.  

@Jim Hill It's supposed to work with Modern Authentication/OAuth, without the need to use an app password. Needing an app password for email on a phone for all users that are on MFA is absurd in 2019. It's supposed to be best practice to turn on MFA for all users these days, but Office 365 MDM doesn't support it? I'm astounded this hasn't gotten more attention.

@StephanBrisson 

We are also having the exact same issue, since around iOS 12.2

We've extracted logs from a device and they talk about oAuth tokens failing to refresh.

Raised support ticket with Microsoft but they havent been able to assist.

Have you had any progress or luck with your issue?

Error>: DAEASOAuthTokenRefreshResponse response is not NSHTTPURLResponse. Game over

<Notice>: Received a Transient Network Error: refrehing OAuth Token failed with Error Error Domain=NSURLErrorDomain Code=-1002 "unsupported URL" UserInfo={NSLocalizedDescription=unsupported URL, NSUnderlyingError=0x102bc0ce0 {Error Domain=kCFErrorDomainCFNetwork Code=-1002}}

May 13 11:45:26 iPhone accountsd(DAAccountAuthenticator)[1296] <Error>: Authenticator FAILED Trying To Refresh OAuth2 credentials for account <private> Networking Error

@webber1979Yes we were able to make it work properly. We are using Airwatch (VMware Workspace One) and we had to change our email profiles deployment parameters. We had to add the OAuth parameter to the email profile but then the user name in the profile was the following: domain\user@domain. It was working in the initial logon (for about an hour) but when the refresh token was expiring the profile was unable to match the user name with anything.

We had to delete the username and the domain from the Email profile (pushed by Airwatch) and then it worked fine.

 Thanks for the reply.

Think your issue might be different to ours, we already have oAuth turned on and we use UPN as the username. I've changed this to primarysmtpaddress and hope this may help.

I've also tried removing their activesync device partnership prior to the migration to see if this helps.