Office 365 MFA Enabled Users and the Apple Mail app for iOS Concern


Office 365 MFA and the Apple Mail app for iOS concern? We ourselves and several customers using Office 365 have noticed a recent issue with the Apple Mail app for iOS when Office 365 MFA is enabled. When users are out of a known or trusted location and required to MFA to sign in or access Office 365 resources, the Apple Mail app for iOS is asking for the user's password. This should NOT happen if MFA is enabled and an App Password has been created to be used for the Mail app. The Mail app then prompts the user to enter their Office 365 password, which confuses the end user because they try to re-enter the generated App Password, which then fails to sign in because it actually requires the user's standard password. Have there been recent changes to that platform and the Apple Mail app for iOS? I'm thinking that Apple finally updated the Mail app to support modern authentication; if so, why hasn't documentation for it been updated? I can see that Apple introduced the capability in 11.0, but we could not get it to work out of the gate and found it to be NOT 100% reliable. So if they finally got this to work in the latest release of iOS, what is the recommendation? Have all the current users update their passwords in the app from the App Password to their standard password, or can we continue to use the App Password? We have noticed the increase in support requests from customers about this issue in the past 2 weeks or less.

34 Replies
I would suggest not using app passwords anymore since you can use MFA on iOS 11. More secure, but that's going to be the supported method or worked-on method going forward. I, like you, used to use app passwords, but have switched over and it's been working well in my experience.

Thanks Chris for the response. Our experience has not been 100% with it as we change users over to using their standard O365 passwords. I myself am experiencing this issue and just sent in a bunch of screenshots and logs to Microsoft and Apple to at least inform them...

I suggest testing iOS 12 (beta 6 is out now). I presume Apple has done more engineering on MFA (OAuth), plus OAuth can now be configured via an MDM profile in iOS 12 (for those who need to manage and mass-deploy Exchange/ActiveSync settings to hundreds, or thousands, of iOS devices). Currently Mail.app's OAuth/MFA settings must be configured manually in iOS 11.


iOS 12 will likely be released in September 2018.

"MFA (OAuth), plus OAuth can now be configured via a MDM profile in iOS 12"

How?


We've got O365 MFA working fine. We are turning on basic MDM for a group of users.

Problem is that the ActiveSync account created by the policy on iOS devices requires an App password for the native mail app.

Our organization just rolled out MFA to all associates, and we've found the iPhone process to be arduously difficult, but have learned a few things:


Initially, iOS will ask you to re-enter your password and do a two-factor authentication. Usually we find (at first) the user must put in their AD password as normal and (in our case) authenticate with the Microsoft Authenticator app.


Now, their account will typically stay authenticated for anywhere from 1 to 24 hours from that moment.


At some point, it starts asking for their password again but won't take their "normal" AD password. Put in an Application Password. iOS will still show that it's not authenticated even if it "accepts" the Application Password, and we've found a reboot "finalizes" the process.


After the reboot, the iPhone is happy and the user can carry on with their stuff.


I'm not 100% sure why this works, but it seems to be what does work so I figured I'd re-post.

Also, as other users have pointed out, iOS 12 works perfectly well without any of the hoops if you have MDM installed.


We're in a BYOD environment, so we've chosen not to use MDM since we don't own the devices.

@Jason Simotas I believe I am having exactly the same problem. It sounds like full Intune administrators can enable OAuth in their profile, but I can't find a way to do this with Office 365 MDM. Have you found any way to deploy a mail profile using Office 365 MDM that works with MFA/Modern Auth?

@snorma01 I have run into this issue as well. Almost all iPhone users have the MFA loop and I cannot seem to figure out how to stop it, because some users refuse to use the Outlook app.

@vortiz Yes my only current workaround for MFA users is to have them use the Outlook app. But I also have my users register their devices using Office 365 MDM (Intune Company Portal app). This automatically adds the account to the default iOS mail app, but it doesn't work for MFA users because it is not configured with OAuth/modern authentication, and this causes all kinds of problems for the users. I believe the full version of Intune MDM has an option to enable OAuth now, but it hasn't been addressed in Office 365 MDM for whatever reason. If this could be fixed it would be easy for users to set up their email in the default mail app when they register their devices. With MFA being recommended for all users these days, it's ridiculous that Office 365 MDM doesn't support it!

So what is the current state for Office 365 users? We don't use MDM at this point and I'm just starting to dig into it, and have only a couple we need to set up MFA for at the moment (eventually we will migrate over everyone, but it’s going to be a very training-intensive organization). I can't force them to use Outlook, so I want to have Mail working. And how often is MFA re-authentication requested (can it be configured to daily)?

Mail supports MFA; I use it all the time with MFA and no app passwords are required. Not sure on the daily auth though. I'm going to assume it will take whatever you have your token refresh in your tenant set to for MFA.

@Chris Webb @SPOM1 What still doesn't work is deploying iOS mail profiles using Office 365 MDM and the Intune Company Portal app, for MFA users. The Office 365 MDM profiles don't support OAuth/Modern Authentication. I opened a support case on this because I consider it to be a bug for a Microsoft product to not support MFA in 2019, but support told me it wasn't supported yet and we'll have to wait for them to prioritize this. Completely ridiculous that this hasn't been fixed yet, if you ask me.

Well, now that I started this thread I get to add to it again. For a while there things were working and I have no explanation why. Maybe Microsoft updated something or Apple did, but it appears to be back with our customers using the native iOS Mail app. Now that Microsoft is updating O365 tenants with modern authentication, iOS users have started to lose access to their mailboxes and get a continuous prompt for the password with a very weird process. I thought I would retest and have run into the same thing users are reporting. When modern authentication is enabled through the O365 tenant, the user has to continuously sign in, and while trying to sign in the dang "edit settings" pop-up keeps appearing, which confuses users; they click edit again and it starts over. You just have to clear that message and finish entering the password. When MFA is enabled in addition to MA, it's the same continuous process with the two-step added. It's pretty absurd. I am able to replicate this on a 7+ and an Xs Max, both with the latest iOS (12.4). I try to get them to switch to the MS Outlook app, but some are just sticklers...


I also noticed that if you enable a Conditional Access policy that blocks Exchange ActiveSync, it will also stop the native Mail app from working.


Microsoft feel free to chime in here and tell us what the heck is going on!

@Alex Melching I opened a support case with Office 365, and their eventual response on 6/12/19 was:


"After working on the issue and doing more research just came up with, this is a normal behavior. After cooperation between our engineers and apple engineers the provided option(OAuth) was only for Intune enrolled devices and is not available for MDM enrolled devices yet."


They also pointed me to the UserVoice at https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/31740142-modern-authentication..., but that was already in "Completed" status at that point (referring to Intune only and not Office 365 MDM) and no one is looking at it anymore.


I also tried submitting a request on the Github for Exchange Online Documentation (which I got pointed to by some document or another), but the moderators there only suggested opening a ticket with Office 365 support, which as I mentioned previously did not go anywhere.


It seems like everyone wants to just point a finger at someone else, and no one wants to take responsibility for fixing this major oversight. It is currently impossible to use Office 365 MDM for MFA users, and MFA support is absolutely a requirement for a working product in 2019.

I know some other users have mentioned this being an issue with Modern Authentication being turned on, but we recently enabled Modern Authentication globally in the Exchange Admin center, and literally all of our problems have vanished.

Users are able to authenticate with their "normal" AD password on newer smartphones, and are able to use their App Password on older smartphones. It's like a happy little ecosystem where everything "just works" lol
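The two settings this thread keeps circling back to (whether modern authentication is on for the tenant, and whether basic auth or ActiveSync is blocked for a given user) can be checked from Exchange Online PowerShell. The script below is an added example, not code from any post in this thread; it assumes the ExchangeOnlineManagement module is installed, and the admin and user UPNs are hypothetical placeholders. It covers the tenant-wide modern-auth switch mentioned in the post above and the basic-auth/ActiveSync blocks mentioned earlier in the thread; a Conditional Access policy that blocks Exchange ActiveSync is an Azure AD setting and is not visible from this module.

```powershell
# Added example (not from any post in this thread). Assumes the ExchangeOnlineManagement
# module is installed. Both UPNs below are hypothetical placeholders.
$adminUpn = 'admin@contoso.example'   # assumption: replace with a real admin UPN
$userUpn  = 'alex@contoso.example'    # assumption: the mailbox being troubleshot

Connect-ExchangeOnline -UserPrincipalName $adminUpn

# 1. Is modern authentication (OAuth) enabled tenant-wide? While this is $false the
#    native Mail app can only use basic auth, so every sign-in is password-based and
#    an MFA user is stuck with app passwords.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Warning "Modern auth is OFF for this tenant; enabling it."
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled

# 2. Which authentication policy applies to the user, and does it still allow basic
#    auth for ActiveSync? App passwords ARE basic auth, so a policy that blocks basic
#    auth for ActiveSync breaks a Mail profile that was set up with an app password.
Get-AuthenticationPolicy | Select-Object Name, AllowBasicAuthActiveSync, AllowBasicAuthImap
Get-User -Identity $userUpn | Select-Object UserPrincipalName, AuthenticationPolicy

# 3. Is ActiveSync enabled for the mailbox at all? The native iOS Mail app is an EAS
#    client, so a mailbox-level EAS block stops it just like the Conditional Access block.
Get-CASMailbox -Identity $userUpn | Select-Object ActiveSyncEnabled, ActiveSyncBlockedDeviceIDs

# 4. Which devices are syncing and when they last succeeded. A device whose
#    LastSuccessSync stopped around the modern-auth rollout is a candidate for the
#    "remove the account and add it back" workaround.
Get-MobileDeviceStatistics -Mailbox $userUpn |
    Select-Object DeviceType, DeviceOS, DeviceUserAgent, LastSuccessSync, Status |
    Sort-Object LastSuccessSync -Descending

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once before changing anything to capture the current values, then again after enabling modern auth; if step 1 was already $true and step 2 shows basic auth blocked, the affected users are the ones whose Mail profile still uses an app password.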

@JPSAndyJ I'm the IT manager for our company. We have a BYOD device policy for most of the iPhone users and only certain employees on Intune. We have had numerous issues which are still ongoing. Due to repeated break-in attempts I had to enact a stricter authentication policy which blocked basic authentication. Users began reporting issues, and even before that one user who had limited admin rights had issues with his device and MFA. I have a workaround for the recent issues where the iPhone asks for a password using basic auth. Open another iPhone application which forces the use of modern authentication, either Teams or Outlook for iOS. This will then authenticate and the password prompt from the native mail app will go away. For the MFA user I had to remove their profile and add it back, then use this same method to force modern authentication. Try that.

@Jim_Hill that's a very good point and I'm glad you brought it up.


Modern Auth with O365 works around the premise of "authentication tokens" and I believe once a user's phone has said token, they can authenticate with virtually any aspect of the O365 platform.


So yes, authenticating with any app that requires Modern Authentication should authenticate with every O365 service on that device.

Thanks @JPSAndyJ. I would just have recommended the use of the Outlook for iOS app, but the current app does not provide ready integration with iOS contacts, making it hard for users who want a global contact set on their phones.

@Jim_Hill Same with us. We used that as a "quick fix" until we figured out the whole MFA situation on iOS, but users weren't happy with the fact that it didn't sync their phone contacts & calendars.


It is a great workaround though in the event that all else fails.