office 365
216 Topics

Office 365 MFA Enabled Users and the Apple Mail app for iOS Concern
Office 365 MFA and the Apple Mail app for iOS concern? We ourselves and several customers using Office 365 have noticed a recent issue with the Apple Mail app for iOS when Office 365 MFA is enabled. When users are out of a known or trusted location and required to MFA to sign in or access Office 365 resources, the Apple Mail app for iOS is asking for the user's password. This should NOT happen if MFA is enabled and an App Password has been created to be used for the Mail app. The Mail app then prompts the user to enter their Office 365 password, which confuses the end user because they try to re-enter the generated App Password, which then fails to sign in because it actually requires the user's standard password. Have there been recent changes to that platform and the Apple Mail app for iOS? I'm thinking that Apple finally updated the Mail app to support modern authentication; if so, why hasn't documentation for it been updated? I can see that Apple introduced the capability in 11.0 but we could not get it to work out of the gate and found it to be NOT 100% reliable. So if they finally got this to work in the latest release of iOS, what is the recommendation? Have all the current users update their passwords in the app from the App Password to their standard password, or can we continue to use the App Password? We have noticed the increase in support requests from customers about this issue in the past 2 weeks or less.
229K Views | 0 likes | 34 Comments

Send Mail (SMTP) through Office 365 with MFA
We have a web server that needs to be able to send emails as users (FROM field); however, we have noticed that if the user account is protected with MFA, the message is rejected. Has anyone been able to get this working? I found a workaround by using an account that does not have MFA then adding that account as a delegate of the sending user, but that seems a bit extensive. In our scenario, the web server sends a message showing it comes from a sales rep, which is populated dynamically on the web server. It uses CFMAIL (same rules as, say, PHPMailer) and uses the FROM field as the sales rep. That is handed off in this case to Office365 to send emails.
Actual Error: Diagnostic-Code: smtp;550 5.7.60 SMTP; Client does not have permissions to send as this sender
228K Views | 1 like | 16 Comments

MFA for one email account with several users
Client runs four shifts with support staff who work from home. Each group of four team members has a single 365 mailbox, and usage passes from one team member to another as the shifts change. For each group, client wants to implement 2FA with Authenticator on the phones of each team member, i.e. four phones authenticating one email account. But this used to be barred for business (‘work and school’) accounts. DAK what is the current position (and is this documented anywhere?), and if it is still barred what is the best way forward?
Solved | 100K Views | 0 likes | 4 Comments

Authenticating to O365 using Powershell and MFA
I am running into issues with authenticating to O365 on PowerShell and in this case my account has been enabled with MFA. I already installed the preview from https://blogs.technet.microsoft.com/enterprisemobility/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands/ and the authentication basically works, but then comes the question of how to authenticate with Exchange Online. I found a post already where an MSFT engineer states that the only way here would be to create a dedicated admin account without MFA enabled, but we strictly enabled MFA on admin accounts for security reasons. I noticed that there are no plans on UserVoice (but some suggestions) to enable this. Has anyone already found another solution (except for creating another account without MFA)?
Solved | 95K Views | 4 likes | 25 Comments

Is MFA included in Office 365 Exchange Online Plan 1?
I'm having a hard time finding out whether or not MFA functionality is included in O365 Exchange Online P1 for users logging in to the e-mail environment. If anybody knows, I'd also like to know where it's mentioned in official Microsoft Office 365 documentation.
Solved | 88K Views | 0 likes | 17 Comments

Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 Office 365 email users. These emails contain the username logging in and the IP address the log in originated from. Until the end of 2019, all IP addresses were expected, either being that of the office, the Vodafone mobile network or the home addresses of the sales guys. In 2020, I have started getting log in alerts, which according to https://whatismyipaddress.com/ are from Microsoft Datacentres in Ireland, Holland and Austria, all with "Microsoft Corporation" as the ISP and sometimes with the same for the Organisation and sometimes with "Microsoft Azure", e.g. 40.101.88.221 (Amsterdam), 40.101.102.149 (Dublin). Worried about potential breaches, I contacted Microsoft Support (who by the way are always ON IT, thank you) who helped me find info in the audit log to say the User Agent is BAV2ROPC, which led me to this page https://www.reddit.com/r/Office365/comments/bl90gw/bav2ropc_user_agent_in_logs/ where someone's found it means "Business Apps v2 Resource Owner Password Credential", which is apparently the User Agent for an updated version of Outlook Mobile. I have a couple of questions / observations and wondered if anyone could shed any light on this.
1) My users don't know their passwords so it's highly unlikely they've been phished, so I don't think these are breaches.
2) My email account has triggered log ins from Microsoft IP addresses, and I have 2 factor authentication turned on where I received a text message code to my mobile. I have not received texts in relation to these logins, so again I don't think it's a breach.
3) I don't use Microsoft Outlook on my mobile, so don't think I'd be generating this BAV2ROPC user agent (but I am on the Activity Alerts).
4) If it was a device I was using causing this user agent, why aren't the Activity Alerts logging my IP address from my device's location?
5) My account is used to sign in programmatically in a piece of software I wrote, so that could explain it for my account, but I'm also getting alerts for users who only access their email on their Android phone on the built in email app.
6) The frequency I'm receiving Activity Alerts from Microsoft IP addresses is increasing. I get a few a day now.
In summary, I don't think there's anything untoward going on, but as a responsible admin, I'd like to understand exactly what's occurring. Many thanks, Dave
83K Views | 4 likes | 28 Comments

Hardware tokens with modern authentication office 365
We are enabling Modern Authentication for our Office 365 users. Some of our users do not have company cell phones and they do not want to use their personal cellphones. Can we use hardware tokens for MFA if we do not have Azure MFA P1? Hardware tokens are a verification option for MFA. Any idea how to set this up? Thank you
58K Views | 0 likes | 2 Comments

Failed log on (Failure message: Account is locked because user tried to sign in too many times with
My company has been experiencing an attack from China IP addresses (random) for a while and I can't seem to block them. I'm getting these errors "Failed log on (Failure message: Account is locked because user tried to sign in too many times with an incorrect user ID or password)" every few days on a few of my privileged users. I've tried:
- Turning on Modern Authentication
- In Azure AD Enabled Block legacy authentication
- Turned off POP and IMAP access via exchange admin
- Turned on MFA for the privileged users
The redacted (with *) source app connector data is below. I'm wondering if there is a way to block OrgIdWsTrust2:process or Unknown(CBAInPROD). Or if there is something else I can block to stop this. Thanks for your help!

    {
      "UserName": "",
      "MfaResult": null,
      "DeviceInfo": "Unknown(CBAInPROD)",
      "LoginErrorCode": 50053,
      "DeviceTrustType": "",
      "IsInteractive": false,
      "Call": "OrgIdWsTrust2:process",
      "LoginStatus": "Failure",
      "MfaMaskedDeviceId": null,
      "IpAddress": "182.38.105.229",
      "UserTenantId": "****",
      "EventType": "MCASLoginEvent",
      "IsInteractiveComputed": null,
      "ApplicationId": "***",
      "CorrelationId": "***",
      "ApplicationName": "Office 365",
      "SasStatus": null,
      "TimeStamp": "2019-07-02T01:11:36.4486831Z",
      "HomeTenantUserObjectId": "***",
      "MfaRequired": false,
      "RequestId": "***",
      "TenantId": "***",
      "MfaAuthMethod": null,
      "MfaStatusRaw": null,
      "IsDeviceCompliantAndManaged": false,
      "BrowserId": null,
      "UserTenantMsodsRegionScope": "NA",
      "DataSource": null,
      "UserPrincipalObjectID": "***",
      "Upn": "***",
      "MsodsTenantRegionScope": "NA"
    }

44K Views | 1 like | 16 Comments

How to disable option to stay signed in
The option for users to choose to stay signed in to Office 365 is a potential security problem. We have MFA turned on, but if users stay signed in another person may access the tenant if the computer is left unattended or is hacked. It was possible to turn this option off in Company Branding in AAD until the latest (preview) version of Company Branding was released. For some reason that feature is not available in the latest version. I assume I can revert to the previous version, and then turn it off, but when doing that, I receive a warning that it may have negative consequences for SharePoint Online, but it doesn't say what those consequences are. So, my questions are:
1. Can I turn it off by reverting to the previous version of Company Branding and what are the consequences?
2. Is it possible to achieve the same result in another way? PowerShell or Conditional Access maybe?
42K Views | 1 like | 4 Comments

MFA and Powershell
Hi. I am testing MFA on some admin users. I have given the MFA admins an EMS license so whitelisting of IPs is supported. So I have whitelisted our office IP, and when my admin goes to https://outlook.office365.com, MFA is not active. Doing so outside the office will ask for an MFA code so I'm sure it works. But when the same admin starts an Azure PowerShell connection to https://outlook.office365.com/powershell-liveid/ it fails. When using an admin account without MFA it works fine.... I can't seem to find out what the difference is, can anyone tell me? My goal is to enable MFA for all global admins, but of course they will need to be able to connect to Office 365 via PowerShell....
Solved | 42K Views | 5 likes | 21 Comments