I've configured Conditional Access to require MFA when connecting to O365 services.
I have some questions about this; all seems to work fine, but:
- The native iOS Mail app for some users seems to work for one day only; they stop syncing and do not ask for MFA / credentials. All devices have iOS 12+.
- The Windows / Mac devices are not Azure AD joined, so Teams, Outlook and OneDrive all require MFA. I've added the ability to remember MFA on devices they trust for 30 days. But, for example, Teams has no option to remember this for 30 days; is this bound to a device? So if you choose 'remember for 30 days' in Outlook, will it remember it for all apps? If yes, do they need to enter MFA for all apps every 30 days? Or, if no, do they need to enter MFA every day? (Doesn't seem so.)
- I can't test this right now, but people tell me they did not choose 'remember for 30 days' and did not have to enter MFA today.
Did you configure the iOS native mail app manually (where you have to type in server information) or did you choose "sign in"? I believe if you choose "sign in" then the native client will use modern authentication to authenticate and work with MFA.
I can recommend watching this MFA video from last year's Ignite:
Most organizations have understood the need for securing cloud identities with a second factor of authentication like Azure Multi-Factor Authentication (MFA). Still, a lot are doing it wrong. It is not complicated to do Azure MFA the right way using Microsoft Intune and conditional access ...
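The sign-in logs answer both questions above (is the mail app using modern auth, and were users actually prompted today) more reliably than user reports. The following is an added Python example, not code from this thread, that classifies Azure AD sign-in records by client type and by how the MFA requirement was met; the field and value names are assumed to follow the Microsoft Graph signIn resource, and the sample records are constructed.

```python
# Added example (not from the thread): classify Azure AD sign-in records by
# client type and by how MFA was satisfied. Assumption: records follow the
# Microsoft Graph signIn resource and the string values matched below are the
# ones that resource documents; the sample records are constructed.
from collections import Counter

# Client names Azure AD reports for legacy (basic) authentication protocols.
LEGACY_CLIENTS = ("Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "Authenticated SMTP")

# Constructed records: a legacy ActiveSync sign-in blocked by the MFA policy,
# a modern-auth mobile sign-in with a fresh MFA prompt, and one that reused
# an MFA claim already in the token (no prompt shown to the user).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "user1@example.com", "clientAppUsed": "Exchange ActiveSync (supported)",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "failure", "authenticationDetails": []},
    {"userPrincipalName": "user2@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success",
     "authenticationDetails": [{"authenticationStepResultDetail":
                                "MFA requirement satisfied by strong authentication"}]},
    {"userPrincipalName": "user2@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success",
     "authenticationDetails": [{"authenticationStepResultDetail":
                                "MFA requirement satisfied by claim in the token"}]},
]

def classify(record):
    """Return (client_kind, mfa_outcome) for one sign-in record."""
    kind = "legacy" if record.get("clientAppUsed", "").startswith(LEGACY_CLIENTS) else "modern"
    detail = " ".join(d.get("authenticationStepResultDetail", "")
                      for d in record.get("authenticationDetails", []))
    if record.get("authenticationRequirement") != "multiFactorAuthentication":
        outcome = "mfa-not-required"   # the MFA policy did not apply to this sign-in
    elif record.get("conditionalAccessStatus") == "failure":
        outcome = "blocked"            # legacy clients cannot complete an MFA challenge
    elif "claim in the token" in detail:
        outcome = "remembered"         # satisfied silently by an existing claim
    elif "strong authentication" in detail:
        outcome = "prompted"           # user completed MFA interactively
    else:
        outcome = "unknown"
    return kind, outcome

def summarize(records):
    """Count sign-ins per (client_kind, mfa_outcome) so silent vs prompted MFA is visible."""
    return Counter(classify(r) for r in records)

def legacy_users(records):
    """Users whose mail client still signs in over a legacy protocol."""
    return {r["userPrincipalName"] for r in records if classify(r)[0] == "legacy"}
```

A "remembered" outcome is what a user who was not prompted today should show; a "legacy"/"blocked" pair for the iOS Mail app points at a manually configured (ActiveSync) account rather than a "sign in" (modern auth) setup.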