This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 43%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Hi,
I am receiving this in the mail app after configuring mail app after enabling MFA via Conditional Access on my iPhone native mail app.
Tried removing and adding, without success..
Outlook iOS app works. But I prefer using native mail app.
Any ideas?
See settings of the policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 50%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
You are saying whether or not you have CA policy, you are not able to access email on iOS native app right?
This makes me think this restriction is coming from Exchange admin side. Check you Exchange admin center or your exchange admin
Exchange admin center > mobile
Hi @Pa_D
Thanks for you comment.
Sorry if I wasn't clear.
The native iOS mail app is working without MFA enabled. But when I enabled MFA via conditional access it doesn't work.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 39%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
iOS native mail app doesn't support MFA.
Hi,
I have solved this.
It actually does now. However, you need to grant permission as admin to the tenant for the iOS App in Azure > Apps to get it to work.
I am running iOS Mail native app with MFA enabled.
Hi Freppys,
It's a sneaky deal. See we use Azure Sentinel to alert us with risky business. Just yesterday, we have a user who did the same thing, setup iOS native mail for work email. I received an alert today about this. The alert title is: "Suspicious application consent for offline access." The description of the alert is: "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! For further information on AuditLogs please see https://learn.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
So, it looks like what's happening is you grant permission to iOS native mail to download emails for offline access so MFA is actually bypassed. My opinion is that MFA is a very strong protection so we shouldn't bypass it. I just told my user to switch to use the Outlook app for security reason. Just my opinion though.
Thanks
Kit
Yeah it's a bit tricky.
It is really how strong MFA should be on a scale.
I run Outlook only as you do, for a few of my clients, and all third party apps disabled. However, some clients wants to use iOS and this is the way in my opinion to do it "as secure as possible" for their needs. Of course all options explained before enabling it :)
Cheers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 86%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELC%3C/text%3E%3C/svg%3E)
Hi @Freppys ,
Could you please explain in more detail how to grant tenant permission for iOS app in Azure AD.
Were there any issues afterwards?
Hi,
First of all, there are 2 different error messages with iOS mail app, if you have enabled MFA.
One of them which is in this thread you will probably have to just delete it from iPhone and add it again.
Still not working? There might be a settings enabled which restricts 365 access to third party apps like iOS/Apple.
To consent for everyone to run iOS apps you will have to go to Azure portal > Applications > iOS or Apple Internet Accounts > Constent and enable it for everyone to run iOS app as global admin by pressing the blue button.
They will still have to enter MFA info first time they set it up in the mail settings.
Haven't had any issues at all. Enabled it for multiple tenants.
THis is the setup I run which disables third party apps, unless you consent to it as admin for the users., as you might want for iOS and Samsung mail apps. And MFA enabled via conditional access.
