ActiveSync Profile switch to OAuth after migration?


I have not been able to find anything official (or anything at all) regarding this specific question. My Bing/Google-fu may be failing me.

 

Is an ActiveSync device (e.g. iOS 13) profile supposed to switch to OAuth after the migration to Office 365? If not automatically, is there a method to convert an existing ActiveSync profile to switch to OAuth/Modern Auth?

 

I'm surprised this issue had never come up for me before with the several clients I've migrated to Office 365. The issue became apparent when the client began piloting MFA conditional access policies. The pilot users had their mailboxes migrated from on-prem Exchange 2013 to Office 365 a while ago and the ActiveSync profile properly reconfigured automatically for Office 365 at that time. However, once MFA was enforced for the pilot users, the ActiveSync profile was no longer able to sync and would prompt for credentials. Correct credentials would not be accepted.

 

Deleting and recreating the profile seems to have fixed it.

 

My theory is that the ActiveSync profile continues to use the original authentication method (legacy) after a migration.  Once MFA was enforced on the user, Modern Authentication/OAuth became required; and ActiveSync -- still configured for legacy -- could not successfully authenticate.

 

It's a perfectly logical and acceptable explanation to me, but I'm trying to find official information about this behavior to provide to the client.

 

2 Replies

Recently encountered this issue with a phased rollout of MFA (O365), barring the migration.
Native iOS mail app would not pass 2FA - enabling OAuth corrected the issue.

 

@Bryan Hall 

 

Did you ever get this resolved, or a way around it? I'm just starting my migration test now and this has been driving me crazy for the last 2 days!

I'm sure it is because of OAuth. And now with Modern Auth being widely rolled out (and the need to MFA) I'm sure there should be a way around this besides recreating the profile on mobile?