ActiveSync Profile switch to OAuth after migration?


I have not been able to find anything official (or anything at all) regarding this specific question. My Bing/Google-fu may be failing me.

 

Is an ActiveSync device (e.g. iOS 13) profile supposed to switch to OAuth after the migration to Office 365? If not automatically, is there a method to convert an existing ActiveSync profile to switch to OAuth/Modern Auth?

 

I'm surprised this issue had never come up for me before with the several clients I've migrated to Office 365. The issue became apparent when the client began piloting MFA conditional access policies. The pilot users had their mailboxes migrated from on-prem Exchange 2013 to Office 365 a while ago and the ActiveSync profile properly reconfigured automatically for Office 365 at that time. However, once MFA was enforced for the pilot users, the ActiveSync profile was no longer able to sync and would prompt for credentials. Correct credentials would not be accepted.

 

Deleting and recreating the profile seems to have fixed it.

 

My theory is that the ActiveSync profile continues to use the original authentication method (legacy) after a migration.  Once MFA was enforced on the user, Modern Authentication/OAuth became required; and ActiveSync -- still configured for legacy -- could not successfully authenticate.

 

It's a perfectly logical and acceptable explanation to me, but I'm trying to find official information about this behavior to provide to the client.

 

1 Reply

Recently encountered this issue with a phased rollout of MFA (O365), barring the migration.
Native iOS mail app would not pass 2FA - enabling OAuth corrected the issue.