SOLVED

Conditional Access - Require multi-factor authentication

Kamran Ahmed
Occasional Contributor

I have set up Conditional Access for MFA. I'm sure I read somewhere that native mobile apps on Android/iOS are not supported unless the App password option is enabled? We don't have the app password option enabled for legacy apps, however I'm still able to configure native email apps on devices and access email? Is this a supported feature?

10 Replies

Anyone?

The conditional access is set up in Azure AD. I have enabled MFA and require approved client app, and I expected native mail apps in iOS/Android to stop working. I've read an article that this can be achieved using Intune App Protection, but we don't want to use Intune. Is this possible, or is Intune a requirement to work with the Azure AD Conditional Access?

Do you exclude any subnets/IPs from your MFA?
Also, what rules have you configured for your Conditional Access? Are you targeting apps or device platforms?

We exclude internal IPs.

CA Policy

Users: All users

Cloud Apps: O365 Exchange online

Conditions:

Device platforms: All platforms

Client apps: Mobile apps and desktop clients

Access Control:

Require MFA

Require Approved client app

Require all the selected controls (Grant Access to both)

Policies are disabled by default. Could you please confirm that the policy is enabled?
I'm trying to reproduce this policy with a test user and will get back to you.

Thanks Kent.

I can confirm the policy is enabled.

The end goal is to stop the native clients (iOS/Android) when CA policy is enabled.

Another option is to create a device policy to block all devices except Outlook for iOS and Android, but I'm not sure if this will cause issues with anything else. Going through testing.

Hi Kamran

I have tried many different configurations for the conditional access, and regardless of what I configure I can still use my Android email client, and Outlook does not prompt for MFA. When I had your rule configured, I was prompted when trying to use portal.office.com.
You can create a policy specifically for Exchange ActiveSync, but this does not support forcing MFA.
If you however enforce MFA on your users using the MFA portal and disable App passwords, then the users will not be able to use the default apps.

I will try and spend some more time on this today.
Solution

Thanks for going the extra mile Kent. I have found the same results: the CA policy doesn't work as it should. I was expecting the native clients to stop working when the 'require approved client app' access control was selected, however this doesn't work. I believe this feature only works with Intune app protection.

To address this issue I have created a device rule to block all ActiveSync clients and allow Outlook. Since we're on Outlook 2016, which supports Modern Auth, this works well for us. Microsoft really needs to make things clear on their CA policies, pros and cons.
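To make the behaviour reported in this thread concrete, here is an added example (not code from the thread or from Microsoft) that expresses Kamran's original policy and the eventual "block ActiveSync, allow Outlook" workaround as Microsoft Graph `conditionalAccessPolicy` bodies, using the documented `clientAppTypes` and `builtInControls` values. It also includes a deliberately simplified matcher of my own that checks only user, app, platform and client app type, so it can show why a policy scoped to "Mobile apps and desktop clients" never evaluates an Exchange ActiveSync sign-in. The assumption that the native iOS/Android mail client presents itself as an `exchangeActiveSync` client is mine; the sample sign-ins are constructed.

```python
"""Two Conditional Access policies from the thread, modelled as Microsoft Graph
conditionalAccessPolicy bodies, plus a simplified policy matcher.

Example code added to the thread, not the original poster's or Microsoft's.
The matcher is a reduced model of CA evaluation (user, cloud app, platform
and client app type only), enough to explain the thread's observation.
"""
import json

# Well-known application ID of Office 365 Exchange Online.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Graph endpoint the bodies below would be POSTed to (requires Policy.ReadWrite.ConditionalAccess).
GRAPH_CA_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def original_policy() -> dict:
    """Kamran's policy: require MFA AND an approved client app, but only for
    the 'Mobile apps and desktop clients' (modern-auth) client app type."""
    return {
        "displayName": "Require MFA and approved app - Exchange Online",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["all"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        # "AND" == "Require all the selected controls" in the portal.
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "approvedApplication"]},
    }


def block_eas_policy() -> dict:
    """The workaround that closed the thread, as a CA policy: block Exchange
    ActiveSync and other legacy-auth clients so only modern-auth clients
    such as Outlook can reach Exchange Online."""
    return {
        "displayName": "Block ActiveSync and legacy clients - Exchange Online",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["all"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def to_graph_json(policy: dict) -> str:
    """Serialise a policy body for POSTing to GRAPH_CA_ENDPOINT."""
    return json.dumps(policy, indent=2)


def applicable_policies(policies: list, sign_in: dict) -> list:
    """Return the enabled policies whose conditions match a sign-in.
    sign_in keys: user, app, platform, clientAppType (hypothetical shape)."""
    hits = []
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        cond = policy["conditions"]
        users = cond["users"]
        if sign_in["user"] in users.get("excludeUsers", []):
            continue
        if "All" not in users["includeUsers"] and sign_in["user"] not in users["includeUsers"]:
            continue
        if sign_in["app"] not in cond["applications"]["includeApplications"]:
            continue
        platforms = cond["platforms"]["includePlatforms"]
        if "all" not in platforms and sign_in["platform"] not in platforms:
            continue
        client_types = cond["clientAppTypes"]
        if "all" not in client_types and sign_in["clientAppType"] not in client_types:
            continue
        hits.append(policy)
    return hits


def decision(policies: list, sign_in: dict) -> list:
    """Combine matching policies: any 'block' wins; otherwise return the sorted
    union of required grant controls ([] means access with no controls)."""
    required = set()
    for policy in applicable_policies(policies, sign_in):
        controls = policy["grantControls"]["builtInControls"]
        if "block" in controls:
            return ["block"]
        required.update(controls)
    return sorted(required)


if __name__ == "__main__":
    # Constructed sign-ins: a native iOS mail app (ActiveSync) and Outlook for iOS (modern auth).
    native_mail = {"user": "user1", "app": EXCHANGE_ONLINE_APP_ID, "platform": "iOS", "clientAppType": "exchangeActiveSync"}
    outlook_ios = {"user": "user1", "app": EXCHANGE_ONLINE_APP_ID, "platform": "iOS", "clientAppType": "mobileAppsAndDesktopClients"}
    print("original policy only, native mail:", decision([original_policy()], native_mail))
    print("original policy only, Outlook:", decision([original_policy()], outlook_ios))
    both = [original_policy(), block_eas_policy()]
    print("with block policy, native mail:", decision(both, native_mail))
    print("with block policy, Outlook:", decision(both, outlook_ios))
```

With only the original policy in place, the ActiveSync sign-in matches no policy at all and is allowed without MFA, which is exactly what both posters observed; adding the block policy turns that sign-in into a block while Outlook still gets MFA plus the approved-app requirement. Run the policy in report-only (`"state": "enabledForReportingButNotEnforced"`) first and check the sign-in logs before enforcing, since any client that still relies on ActiveSync or basic authentication will be cut off.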

Hi Kamran

So no changes on my end, and I'm throwing in the towel. Glad the block rule works for you, and if you then enforce MFA via the MFA management you are close to achieving your desired goal.

Best of luck going forward.

Hi Kent - The proposed solution is undergoing testing. I'm confident that this will work for us since we don't use any other mail clients.

Once again, thanks for your assistance on this.

Kamran