Oct 09 2018 06:40 PM - last edited on Feb 06 2023 03:44 AM by TechCommunityAP
Good evening all.
We are having a weird issue where, when we turn on two-factor authentication from our Office365 tenant, via the Azure AD portal, the base Android email application will no longer connect to our tenant. Only when we turn off 2FA will the Android devices synchronize.
The Android devices are Samsungs. The oldest is a Samsung S7 with the latest patches and OS.
The logs are not showing any errors, so we are a bit stumped as to why this is occurring.
If anyone has any ideas on how to resolve, please let us know, before we push this out to our whole organization!
Many thanks,
JR
Oct 10 2018 12:55 AM
The built-in mail app on Android does NOT support MFA. Use the Outlook app instead. Or if you insist on using the mail app, you will have to create an app password (really not recommended).
Oct 10 2018 05:46 AM
That confirms my own suspicions, thank you! In terms of the default mail app on iPhones, should we expect to see the same scenario?
Oct 10 2018 10:18 AM
The iOS one actually supports MFA, since two versions now.
Sep 24 2019 08:19 AM
Has anybody else seen issues with this? I am just starting the MFA journey, and Samsung devices in my test user group have had to remove their mail profile; upon recreation the issue seems to be resolved. My worry is: in 14 days, when MFA kicks in, will the mail connection die again?
Oct 02 2019 02:37 AM
The solution is to establish an APP-password in your profile/account and use this instead of your standard password.
Oct 02 2019 03:34 AM
I have put a lot more testing into this and there is unfortunately no fix for Android devices using native email that are managed by a corporate MDM platform - AirWatch & Intune in my case.
As you say, the app password does work, but I am trying to avoid this as we don't want to manage them, and they do not change without a manual process, so not very secure.
The ideal is that MDMs can force OAuth requests to Android, but this does not seem to be supported at the Android layer; Apple do have it though with iOS and it works.
The only other options I have worked out are -
1 - Register the device via ActiveSync for email, but it's not then managed
2 - Use the Outlook client for Android - creates a massive change control issue as 99% use the native email client.
Thanks for your reply though ;)
Oct 02 2019 06:16 PM
As a follow-up, we ended up just recommending that people download and use the Outlook client application. The app password idea mystified users in our organization and was really hard for them to use. We pitched the idea as creating a separate mail app segregating your work life (Outlook app) and your home life (default mail app). We've had many people within the org thank us for this concept.
Oct 29 2019 06:11 AM
Jul 09 2020 04:42 PM
@KCox61 Greetings, I did not see a reply to your question, so if I may. MFA will not affect the functionality if you get it working, and it is usually a one-time deal.
What is at risk: should someone gain access to your credentials, they will be able to use them on any device to access your emails and your Office account as a whole.
In today's world it is almost a necessary evil to use MFA.
That being said, I use Apple and Android products and I prefer to use Outlook as there are no sync issues with my desktop calendars, contacts, etc.
Hope this is helpful
Jul 13 2021 05:26 PM
@jp1960 Good evening all, I want to thank you all as you have answered part of my question, but I have a 2nd part for which I have a bad feeling I am not going to get the answer I want to hear.
So I use Verizon email for all of what I consider my professional mail, as I have been on FIOS for years. Not really trying to change that either. A few years back Verizon decided they did not want to handle their email anymore, so they moved it over to AOL, who they own. Wasn't thrilled about it but it wasn't a huge deal at the time. For the past two days I started seeing intermittent issues with my email. I use Outlook on my Windows desktops, the thick Outlook client. Come to find out today that AOL is implementing mandatory OAuth2. While the Outlook solution for Android should work for my phone, is there any way to do MFA with a Windows Outlook thick client that would more or less be an out-of-the-box solution? I really don't want to use AOL's webmail. In my opinion anything AOL might as well be malware. I don't see a way to use the Outlook 2019 Desktop client with mandatory OAuth2.